I'm using shopify-api-node to query data from Shopify stores. However, I'm encountering an issue with handshake_failure for stores whose certificates are issued by Let's Encrypt.
An example of the error is:

```
Error: write EPROTO 139674599427400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 40
: undefined - undefined
    at ShopifyClient.<anonymous> (/var/server/app/packages/sip-common/dist/client/shopify/parse-error.decorator.js:81:27)
    at Generator.throw (<anonymous>)
    at rejected (/var/server/app/packages/sip-common/dist/client/shopify/parse-error.decorator.js:25:65)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)","tenantId":"mtsvetanov.myshopify.com"
```
My application is running in a Docker container and hosted in the cloud. Do you have any thoughts on this problem?
If you need any additional information, please let me know.
Are you the administrator of these sites, or just trying to connect to them?
They are set up in a way that most sites aren't, in that they use an ECDSA cert signed by E1, and send the "really long" chain of E1 signed by ISRG Root X2, signed by ISRG Root X1, signed by DST Root CA X3. But that really shouldn't be causing any problems with most configurations.
Can you give more details on how you're trying to connect? My guess is that whatever system you're using to connect isn't supporting ECDSA, or possibly is using a really old SSL library that doesn't like the expired DST Root CA X3 (which most systems nowadays successfully ignore).
Thank you @petercooperjr ,
I'm using shopify-api-node to establish the connection. The problem seems to happen randomly. I mean, sometimes it works and sometimes it doesn't.
Also, my application is running on a cloud platform, and I'm using TLS v1.2. Do you have any thoughts?
It looks to me like these are behind Cloudflare, and so it could choose from a variety of certificate chains for each domain. Perhaps there is a combination you don't have support for, e.g. your CA root certificate store is not current, or your client only supports a limited set of TLS ciphers.