Handshake_failure via shopify-api-node

Hello there,

I'm using shopify-api-node to query data from Shopify stores. However, I'm encountering a handshake_failure issue with stores using certificates issued by Let's Encrypt.
The example of an error is:

Error: write EPROTO 139674599427400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 40
: undefined - undefined
    at ShopifyClient.<anonymous> (/var/server/app/packages/sip-common/dist/client/shopify/parse-error.decorator.js:81:27)
    at Generator.throw (<anonymous>)
    at rejected (/var/server/app/packages/sip-common/dist/client/shopify/parse-error.decorator.js:25:65)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
tenantId: mtsvetanov.myshopify.com

Some of the target domains are:

My application is running in a Docker container and hosted in the cloud. Do you have any thoughts on this problem?
If you need any additional information, please let me know.

Thanks,
Bill Pham

Are you the administrator of these sites, or just trying to connect to them?

They are set up in a way that most sites aren't, in that they use an ECDSA cert signed by E1, and send the "really long" chain of E1 signed by ISRG Root X2, signed by ISRG Root X1, signed by DST Root CA X3. But that really shouldn't be causing any problems with most configurations.

Can you give more details on how you're trying to connect? Since my guess is that whatever system you're using to connect isn't supporting ECDSA, or possibly is using a really old SSL library that doesn't like the expired DST Root CA X3 (which most systems nowadays successfully ignore).

9 Likes

Thank you @petercooperjr ,
I'm using shopify-api-node to establish the connection. The problem seems to happen randomly. I mean, sometimes it works and sometimes it doesn't.
Also, my application is running on a cloud platform, and I'm using TLS v1.2. Do you have any thoughts?

1 Like

It looks to me like these are behind Cloudflare, and so it could choose from a variety of certificate chains for each domain; perhaps there is a combination you don't have support for, e.g. your CA root certificate store is not current or your client only supports a limited set of TLS ciphers.

3 Likes

rec_layer_s3.c:1544:SSL alert number 40

“SSL alert” means the error came from the server.

Number 40 is a bit vague. It means the server couldn’t handle the handshake the client sent it.

Potential reasons:

No ciphers in common (are you running an old OpenSSL? I’m not sure how Node works here)

No SNI sent, or sent to a server that doesn't handle it. Seems unlikely since it's Shopify on Cloudflare, who presumably have this set up right.

This isn’t likely to be a problem related to Let’s Encrypt at all.

7 Likes
