My domain is: salty3.pipeos.one
I am running saltyrtc/saltyrtc-server-python (the SaltyRTC signalling server implementation on GitHub), which takes in the SSL certificate and key:
saltyrtc-server -v7 serve -p 8765 -tc /etc/letsencrypt/live/salty3.pipeos.one/fullchain.pem -tk /etc/letsencrypt/live/salty3.pipeos.one/privkey.pem -k /root/salty/permanent_key
Then I have an Nginx config that proxies the Websocket requests from port 443 to 8765. See below.
Running the saltyrtc-server in dev mode, without the certificate, works just fine. But when I run it as above and my client tries to connect through WebSocket, the SSL handshake fails with ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1123). I've traced this back to ssl/record/ssl3_record.c on the OpenSSL_1_1_1-stable branch of openssl/openssl on GitHub:
    if ((version >> 8) != SSL3_VERSION_MAJOR) {
        if (RECORD_LAYER_is_first_record(&s->rlayer)) {
            /* Go back to start of packet, look at the five bytes
             * that we have. */
            p = RECORD_LAYER_get_packet(&s->rlayer);
            if (strncmp((char *)p, "GET ", 4) == 0 ||
                strncmp((char *)p, "POST ", 5) == 0 ||
                strncmp((char *)p, "HEAD ", 5) == 0 ||
                strncmp((char *)p, "PUT ", 4) == 0) {
                SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
                         SSL_R_HTTP_REQUEST);
                return -1;
            } else if (strncmp((char *)p, "CONNE", 5) == 0) {
                .............
Any suggestions as to what might be the problem?
# /etc/nginx/sites-available/salty3.pipeos.one
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}

upstream websocket {
    server 127.0.0.1:8765;
}

server {
    server_name salty3.pipeos.one;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/salty3.pipeos.one/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/salty3.pipeos.one/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_set_header HOST $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_request_headers on;
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
Full error (with some debug prints that I inserted):
(env39) root@salty2:~/salty# saltyrtc-server -v7 -c serve -p 8765 -tc /etc/letsencrypt/live/salty3.pipeos.one/fullchain.pem -tk /etc/letsencrypt/live/salty3.pipeos.one/privkey.pem -k /root/salty/permanent_key -dhp /etc/letsencrypt/ssl-dhparams.pem
****AAAAA tls_cert /etc/letsencrypt/live/salty3.pipeos.one/fullchain.pem
****AAAAA tls_key /etc/letsencrypt/live/salty3.pipeos.one/privkey.pem
****AAAAA ssl_context <ssl.SSLContext object at 0x7fd3b2747a40>
[2021-02-06 02:31:49.748517] DEBUG: asyncio: Using selector: EpollSelector
Starting
Primary public permanent key: 8fba4aeb0fcf54499c7ef477c42c0292f566e0f5f7ff422f9aa94bb0dd0b031a
****AAAAA before server.serve
****AAAAA post server.serve
[2021-02-06 02:31:49.756832] DEBUG: asyncio: Get address info None:8765, type=<SocketKind.SOCK_STREAM: 1>, flags=<AddressInfo.AI_PASSIVE: 1>
[2021-02-06 02:31:49.758085] DEBUG: asyncio: Getting address info None:8765, type=<SocketKind.SOCK_STREAM: 1>, flags=<AddressInfo.AI_PASSIVE: 1> took 0.230ms: [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('0.0.0.0', 8765)), (<AddressFamily.AF_INET6: 10>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('::', 8765, 0, 0))]
[2021-02-06 02:31:49.759790] INFO: asyncio: <Server sockets=(<asyncio.TransportSocket fd=6, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::', 8765, 0, 0)>, <asyncio.TransportSocket fd=7, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('0.0.0.0', 8765)>)> is serving
[2021-02-06 02:31:49.760216] DEBUG: saltyrtc.server: Server instance: <websockets.server.WebSocketServer object at 0x7fd3b2708c40>
Started
[2021-02-06 02:31:56.639680] DEBUG: asyncio: <Server sockets=(<asyncio.TransportSocket fd=6, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::', 8765, 0, 0)>, <asyncio.TransportSocket fd=7, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('0.0.0.0', 8765)>)> got a new connection from ('127.0.0.1', 51540): <socket.socket fd=8, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 8765), raddr=('127.0.0.1', 51540)>
[2021-02-06 02:31:56.642475] DEBUG: websockets.protocol: server - state = CONNECTING
[2021-02-06 02:31:56.645267] DEBUG: asyncio: ******AAAA _context <ssl.SSLContext object at 0x7fd3b2747a40>
[2021-02-06 02:31:56.645895] DEBUG: asyncio: <asyncio.sslproto.SSLProtocol object at 0x7fd3b266ec40> starts SSL handshake
[2021-02-06 02:31:56.646661] DEBUG: asyncio: *****AAAAA do_handshake pipe 'UNWRAPPED'
[2021-02-06 02:31:56.647318] DEBUG: asyncio: *****AAAAA do_handshake post wrapbio
[2021-02-06 02:31:56.647763] DEBUG: asyncio: ****AAAAA feedssldata b''
[2021-02-06 02:31:56.648133] DEBUG: asyncio: ****AAAAA feedssldata try 'DO_HANDSHAKE'
[2021-02-06 02:31:56.648634] DEBUG: asyncio: ****AAAAA feedssldata exeption SSLWantReadError(2, 'The operation did not complete (read) (_ssl.c:1123)')
[2021-02-06 02:31:56.649072] DEBUG: asyncio: *****AAAAA do_handshake appdata []
[2021-02-06 02:31:56.649422] DEBUG: asyncio: *****AAAAA do_handshake ssldata []
[2021-02-06 02:31:56.650190] DEBUG: asyncio: ****AAAAA before feed_ssldata <asyncio.sslproto.SSLProtocol object at 0x7fd3b266ec40>
[2021-02-06 02:31:56.650588] DEBUG: asyncio: ****AAAAA feedssldata b'GET /ajax-loader.gif HTTP/1.1\r\nHOST: salty3.pipeos.one\r\nConnection: close\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4406.0 Safari/537.36\r\nAccept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: image\r\nReferer: https://salty3.pipeos.one/app1\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: __cfduid=d72bd537098796c58ce0959384352ff281612518707\r\n\r\n'
[2021-02-06 02:31:56.651029] DEBUG: asyncio: ****AAAAA feedssldata try 'DO_HANDSHAKE'
[2021-02-06 02:31:56.651474] DEBUG: asyncio: ****AAAAA feedssldata exeption SSLError(1, '[SSL: HTTP_REQUEST] http request (_ssl.c:1123)')
[2021-02-06 02:31:56.652913] DEBUG: asyncio: <asyncio.sslproto.SSLProtocol object at 0x7fd3b266ec40>: SSL handshake failed
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 641, in _on_handshake_complete
    raise handshake_exc
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 195, in feed_ssldata
    self._sslobj.do_handshake()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1123)
[2021-02-06 02:31:56.655172] DEBUG: asyncio: <asyncio.sslproto.SSLProtocol object at 0x7fd3b266ec40>: SSL error in data received
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 538, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 195, in feed_ssldata
    self._sslobj.do_handshake()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1123)
[2021-02-06 02:31:56.657243] ERROR: asyncio: Error on transport creation for incoming connection
handle_traceback: Handle created at (most recent call last):
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/base_events.py", line 629, in run_until_complete
    self.run_forever()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/base_events.py", line 596, in run_forever
    self._run_once()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/base_events.py", line 1882, in _run_once
    handle._run()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/events.py", line 80, in _run
    self._context.run(self._callback, *self._args)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/selector_events.py", line 978, in _call_connection_lost
    super()._call_connection_lost(exc)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/selector_events.py", line 736, in _call_connection_lost
    self._protocol.connection_lost(exc)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 511, in connection_lost
    self._wakeup_waiter(exc)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 475, in _wakeup_waiter
    self._waiter.set_exception(exc)
protocol: <websockets.server.WebSocketServerProtocol object at 0x7fd3b2708100>
transport: <asyncio.sslproto._SSLProtocolTransport object at 0x7fd3b1dc3c40>
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/selector_events.py", line 218, in _accept_connection2
    await waiter
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 538, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 195, in feed_ssldata
    self._sslobj.do_handshake()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1123)
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0
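Editor's note with an added example (not part of the original post and not code from the saltyrtc project). The debug output above already contains the root cause: the backend was started in TLS mode, but nginx terminates TLS on port 443 and, because of `proxy_pass http://websocket`, forwards the decrypted request (`GET /ajax-loader.gif HTTP/1.1 ...`) as plaintext to port 8765. OpenSSL reads `GET ` where a TLS record header should be, which is exactly the branch in ssl3_record.c quoted above, and raises SSL_R_HTTP_REQUEST. The TLS layers have to match on that hop: either run the backend without TLS (as in the "dev mode" that works) and keep `proxy_pass http://`, or keep TLS on the backend and use `proxy_pass https://` with the `proxy_ssl_*` directives so nginx re-encrypts. The Python below reproduces OpenSSL's first-bytes check over constructed inputs and lints an nginx `location` block for this mismatch, showing the poster's block beside a re-encrypting variant; the CA-bundle path and the choice to verify the upstream certificate are assumptions. One further caveat from the log: the backend binds to 0.0.0.0 and ::, so port 8765 is reachable from outside unless firewalled; with nginx in front it should listen on loopback only (see `saltyrtc-server serve --help` for the host option).

```python
"""
Added example (not from the original post or the saltyrtc project).

1. classify_first_bytes(): the same test OpenSSL's ssl3_get_record() applies
   to the first bytes of a connection, reproduced in Python.
2. check_tls_layering(): lint an nginx `location` block so that a backend
   doing TLS is never handed plaintext, and vice versa.

All sample inputs are constructed here.
"""
import re
from typing import Optional

TLS_HANDSHAKE = 0x16          # TLS record content type: handshake
SSL3_VERSION_MAJOR = 0x03     # record-version major byte for SSL 3.0 / TLS 1.x
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http', 'http_connect' or 'unknown' for a connection's first bytes.

    OpenSSL reads the record version from bytes 1-2; if its major byte is not 3
    on the first record it looks for a plaintext HTTP verb and fails the
    handshake with SSL_R_HTTP_REQUEST (or SSL_R_HTTPS_PROXY_REQUEST for CONNECT).
    """
    if len(data) < 5:                      # OpenSSL needs the 5-byte record header
        return "unknown"
    version_major = data[1]
    if data[0] == TLS_HANDSHAKE and version_major == SSL3_VERSION_MAJOR:
        return "tls"
    if version_major != SSL3_VERSION_MAJOR:
        if data.startswith(HTTP_METHODS):
            return "http"                  # -> ssl.SSLError [SSL: HTTP_REQUEST]
        if data.startswith(b"CONNE"):
            return "http_connect"          # -> [SSL: HTTPS_PROXY_REQUEST]
    return "unknown"


# Constructed: the first lines of the request seen in the poster's log, as nginx
# forwarded it in plaintext to the TLS-mode backend.
PLAINTEXT_GET = b"GET /ajax-loader.gif HTTP/1.1\r\nHOST: salty3.pipeos.one\r\n\r\n"
# Constructed: record header of a TLS ClientHello (handshake, version 3.1,
# length 0xf8) followed by the handshake-type byte 0x01.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xF8, 0x01])

PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+(https?)://", re.MULTILINE)


def proxy_pass_scheme(location_block: str) -> Optional[str]:
    """Scheme nginx will speak to the upstream, taken from proxy_pass."""
    match = PROXY_PASS_RE.search(location_block)
    return match.group(1) if match else None


def check_tls_layering(location_block: str, backend_expects_tls: bool) -> str:
    """Report whether the bytes nginx sends match what the backend expects."""
    scheme = proxy_pass_scheme(location_block)
    if scheme is None:
        return "no proxy_pass found"
    if scheme == "http" and backend_expects_tls:
        return "MISMATCH: nginx sends plaintext HTTP to a TLS backend (OpenSSL HTTP_REQUEST)"
    if scheme == "https" and not backend_expects_tls:
        return "MISMATCH: nginx sends a TLS ClientHello to a plaintext backend"
    return "ok"


# The poster's location block, reduced to the lines that matter here.
POSTED_LOCATION = """
location / {
    proxy_pass http://websocket;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}
"""

# Re-encrypting variant for a backend that keeps its own TLS. proxy_ssl_* are
# standard nginx directives; proxy_ssl_name must be the name on the backend's
# certificate because $proxy_host would be the upstream label "websocket".
# The CA-bundle path is an assumption for a Debian/Ubuntu host.
REENCRYPT_LOCATION = """
location / {
    proxy_pass https://websocket;
    proxy_ssl_server_name on;
    proxy_ssl_name salty3.pipeos.one;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}
"""

if __name__ == "__main__":
    print("plaintext GET ->", classify_first_bytes(PLAINTEXT_GET))
    print("ClientHello   ->", classify_first_bytes(CLIENT_HELLO))
    print("posted block, TLS backend      :", check_tls_layering(POSTED_LOCATION, True))
    print("posted block, plaintext backend:", check_tls_layering(POSTED_LOCATION, False))
    print("re-encrypting block, TLS backend:", check_tls_layering(REENCRYPT_LOCATION, True))
```

Either fix makes the lint report "ok": keep `proxy_pass http://websocket` and start the backend without `-tc`/`-tk` bound to 127.0.0.1 (nginx alone terminates TLS), or switch to the re-encrypting block and leave the backend in TLS mode. Terminating TLS twice on the same host buys nothing unless the backend is on another machine, so the first option is the usual choice.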