Certificate renewal error: EOF occurred in violation of protocol

@griffin:

Installing certifi didn't help.

1 Like

If it terminates all inbound TLS connections, do you really still need a cert on this system?

1 Like

I see what you mean. This is me trying to POC snapd on my new servers to eventually use it on a prod server that will require the certificate. I am trying --dry-run for now.

1 Like

No matter what, I think I should be able to add certificates to the trust store and then snapd would trust the remote server. But this is not happening in my testing.

1 Like

I think the proxy may be playing into the problem.
But more so, I think the O/S and/or version of something like OpenSSL may also be to blame.
Can you use any other O/S?
[at least for testing]

1 Like

My production system is currently on RHEL7, but using the old way (no snapd).
I'll try to test on a different OS and read more on the snapd documentation. Maybe I am missing a command to run to make snapd pick up my trust store. Some documentation says this is the order it searches the OS:

var certFiles = []string{
 "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
 "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
 "/etc/ssl/ca-bundle.pem", // OpenSUSE
 "/etc/pki/tls/cacert.pem", // OpenELEC
 "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
 "/etc/ssl/cert.pem", // Alpine Linux
}

var certDirectories = []string{
 "/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139
 "/system/etc/security/cacerts", // Android
 "/usr/local/share/certs", // FreeBSD
 "/etc/pki/tls/certs", // Fedora/RHEL
 "/etc/openssl/certs", // NetBSD
 "/var/ssl/certs", // AIX
}

Reference: Bug #1620755 “x509: certificate signed by unknown authority” : Bugs : Snappy

1 Like
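To check whether a CA you added is actually trusted through the bundle file that list points to, the sketch below verifies a CA certificate against the first readable bundle and nothing else. It is an added example, not code from this thread, from snapd or from the Go source: `checkCA` and `sampleCA` are hypothetical names, the "first readable file wins" rule is an assumption taken from the list's ordering, the directory list is not consulted, and the CA it generates is constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

var certFiles = []string{"/etc/ssl/certs/ca-certificates.crt", "/etc/pki/tls/certs/ca-bundle.crt",
	"/etc/ssl/ca-bundle.pem", "/etc/pki/tls/cacert.pem",
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/ssl/cert.pem"} // paths and order as quoted in the post

// checkCA verifies the CA in caPEM against the first readable bundle only (assumed lookup rule).
func checkCA(paths []string, caPEM []byte) (string, error) {
	blk, _ := pem.Decode(caPEM)
	if blk == nil {
		return "", fmt.Errorf("CA input holds no PEM block")
	}
	ca, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return "", err
	}
	for _, p := range paths {
		if data, err := os.ReadFile(p); err == nil {
			pool := x509.NewCertPool()
			pool.AppendCertsFromPEM(data) // roots come from this one file, not the system pool
			_, err = ca.Verify(x509.VerifyOptions{Roots: pool})
			return p, err // nil when the bundle contains the CA
		}
	}
	return "", os.ErrNotExist // none of the listed bundle files could be read
}

func sampleCA(cn string) []byte { // constructed test data: throwaway self-signed CA, PEM-encoded
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(checkCA(certFiles, sampleCA("Constructed Test CA"))) // bundle path used, then the Verify error
}
```

Run as written, the constructed CA is in no system bundle, so the output is the bundle path followed by a verification error; pass the PEM of the CA you added to `checkCA` instead to see whether the bundle really contains it.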

Also for testing, I would try with another ACME client.

1 Like