
I'm trying to set up Let's Encrypt on a load balancer written in Go. I tried both the automatic and the manual setup, but I always get errors.

The domain is pointing correctly to our server (Digital Ocean) and I can even open the site from a browser without errors; an SSL check also reports no errors on this domain. The fact is that when I run the Go executable on the server from the CLI, I get errors repeatedly.

  1. Automatic (acme/autocert) setup:

The server code is this; the certificate and the key are created when I open the domain in a browser for the first time after the server starts:

    go func() {
        log.Printf("Starting HTTP service on %s ...", ":80")

        // Redirect every plain-HTTP request to HTTPS. The redirect gets its own
        // handler rather than a pattern on DefaultServeMux: that mux is shared
        // with the HTTPS server below, so a "/" pattern there would redirect
        // HTTPS requests to themselves ("/*" is not a wildcard in ServeMux; it
        // matches only the literal path "/*").
        redirect := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            http.Redirect(w, r, "https://"+app.Cfg.S_HOST+":443"+r.RequestURI, http.StatusMovedPermanently)
        })

        if err := http.ListenAndServe(":80", redirect); err != nil {
            errs <- err
        }
    }()

    log.Printf("Starting HTTPS service on %s ...", ":443")

    http.HandleFunc("/hello", func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Content-Type", "text/plain")
        w.Write([]byte("This is an example server.\n"))
    })

    certManager := autocert.Manager{
        Prompt:     autocert.AcceptTOS,
        HostPolicy: autocert.HostWhitelist(app.Cfg.S_HOST), // your domain here
        Cache:      autocert.DirCache("certs"),             // folder for storing certificates
    }

    server := &http.Server{
        Addr: ":443",
        TLSConfig: &tls.Config{
            // ServerName is a client-side field and is ignored by a server; the
            // certificate is chosen per handshake by GetCertificate.
            GetCertificate: certManager.GetCertificate,
        },
    }

    // Empty cert and key paths: both come from Let's Encrypt through certManager.
    if err := server.ListenAndServeTLS("", ""); err != nil {
        errs <- err
    }

I get those errors:

  1. http: TLS handshake error from (ip):59451: read tcp (myserver IP):443->(ip):59451: read: connection reset by peer

  2. hello.ServerName empty:2017/04/01 17:14:38 http: TLS handshake error from (ip):58193: acme/autocert: missing server name

  3. http: TLS handshake error from (ip):45822: acme/autocert: host not configured

  4. http: TLS handshake error from (ip):58440: EOF

Then I also tried creating the certificate manually (successfully) and simply using that code, and I get errors again and again:

The server code is:

    go func() {
        log.Printf("Starting HTTP service on %s ...", ":80")

        // Redirect plain HTTP to HTTPS with a dedicated handler: registering a "/"
        // pattern on DefaultServeMux would also affect the HTTPS server below,
        // which serves that same mux, and "/*" only matches the literal path "/*".
        redirect := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            http.Redirect(w, r, "https://"+app.Cfg.S_HOST+":443"+r.RequestURI, http.StatusMovedPermanently)
        })

        if err := http.ListenAndServe(":80", redirect); err != nil {
            errs <- err
        }
    }()

    log.Printf("Starting HTTPS service on %s ...", ":443")

    http.HandleFunc("/hello", func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Content-Type", "text/plain")
        w.Write([]byte("This is an example server.\n"))
    })

    // ssl["cert"] and ssl["key"] are the cert and key paths (letsencrypt/live...)
    if err := http.ListenAndServeTLS(sslAddr, ssl["cert"], ssl["key"], nil); err != nil {
        errs <- err
    }

Errors:

  1. http2: server: error reading preface from client (ip):10319: bogus greeting "POST / HTTP/1.1\r\nHost: 4"

  2. http: TLS handshake error from (ip):10322: EOF

  3. http: TLS handshake error from (ip):13504: read tcp (my server ip):443->(ip):13504: read: connection reset by peer

  4. http2: server: error reading preface from client (ip):9672: timeout waiting for client preface

Can someone help me please? Thanks

Marco M

  • If you have a server on the open internet, you're going to get broken and malformed TLS requests. Are you getting errors with any of your own clients? – JimB Apr 01 '17 at 20:26
  • No, it seems not; I just tried to refresh the page from Chrome and it does not seem to trigger any error... still I get a lot of them anyway, 5-20 per minute... – Marco M Apr 01 '17 at 20:37
  • Have you tried to run the code in http://stackoverflow.com/a/40494806/1465640 and *just* updating it with your domain info? And are you sure that you are accessing the server on port 443? – Pylinux Apr 04 '17 at 09:30
  • @Pylinux yes! I tried basically every possible configuration: only 443, 443 + 80, 80 redirecting to 443, all of this with autocert and also with the manually created certificates. The site works, I've got an A+ rating with my actual configuration... my clients work just fine, no errors, and I also get the "secure" logo in both Safari and Chrome. I just keep getting errors and errors from unknown IPs... I would like to be able to stop the logs at least; anyway, I find it very strange, I mean 30 wrong requests per minute??? – Marco M Apr 04 '17 at 13:11
  • Aaaa, so it works but you're getting errors from some IPs; could it be that old clients are trying to access your site? Golang only supports the new secure encryption protocols: https://github.com/golang/go/issues/3930 – Pylinux Apr 04 '17 at 13:26
  • We're on a hosting platform, so yes, I think it's possible that old clients of a service previously parked at this IP continue to send requests... very annoying. – Marco M Apr 04 '17 at 13:44
  • Anyway, they come from different ports too, so maybe those are not old clients of this IP... – Marco M Apr 04 '17 at 13:46
  • @MarcoM did you ever find out what was causing these errors? – Duru Can Celasun Jan 03 '18 at 10:52
  • @DuruCanCelasun I had no time to check; it works anyway... I've been busy with other aspects of our backend. I was able to run one instance with the Echo framework (which also uses Let's Encrypt) without errors; I will check it eventually. – Marco M Jan 03 '18 at 15:47
  • I'm actually experiencing the same thing, but it actually causes a problem where I can't retrieve my certs from cache any more. – emptyflash Jun 25 '19 at 02:20
  • I have nearly the same on a public IP (Golang; I use the Echo framework and AutoTLSManager). All my clients work fine, SSLLabs gives me an A+ rating. But I have tons of such log entries. Have you found a way to stop them without dropping all log entries? – Volker Jul 19 '21 at 09:58

1 Answer

As JimB and others said in the comments, this can be the result of bad requests. Invalid requests will be logged when using https://www.ssllabs.com/ssltest/ to test a site's https configuration. A good test score can give you confidence the log messages are benign and can be safely ignored.

Also, the acme/autocert package is evolving rapidly (as of Jan 2018); please check that your version is up to date.

Mark
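The question ("I would like to be able to stop the logs at least") and Volker's later comment both ask how to silence these lines without dropping the whole error log, and the answer above explains why the lines are benign background noise. The following is an added example, not code from the question, the answer, or the Go project, showing one way to do that in Go: `http.Server.ErrorLog` is pointed at an `io.Writer` that swallows the two noisy line shapes quoted in the question, tallies them per source address, and passes every other line through untouched, so a periodic one-line summary still reveals a single persistent scanner without flooding the log. The regular expressions, the `cert.pem`/`key.pem` paths and the once-a-minute report interval are assumptions made for this example.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"regexp"
	"sort"
	"sync"
	"time"
)

// Patterns for the two noisy line shapes quoted in the question. They were
// written for this example from those quoted lines, not taken from net/http.
// `\S+?` followed by `:\d+:` also captures bracketed IPv6 addresses.
var (
	handshakeRe = regexp.MustCompile(`TLS handshake error from (\S+?):\d+:`)
	prefaceRe   = regexp.MustCompile(`error reading preface from client (\S+?):\d+:`)
)

// ClassifyLine reports whether a server log line is TLS/HTTP2 handshake noise
// and, if so, which source address produced it.
func ClassifyLine(line string) (ip string, noise bool) {
	for _, re := range []*regexp.Regexp{handshakeRe, prefaceRe} {
		if m := re.FindStringSubmatch(line); m != nil {
			return m[1], true
		}
	}
	return "", false
}

// HandshakeNoiseFilter is an io.Writer for http.Server.ErrorLog. It drops
// handshake-noise lines, counts them per source IP, and writes everything
// else to out unchanged.
type HandshakeNoiseFilter struct {
	mu     sync.Mutex
	out    io.Writer
	counts map[string]int
}

func NewHandshakeNoiseFilter(out io.Writer) *HandshakeNoiseFilter {
	return &HandshakeNoiseFilter{out: out, counts: make(map[string]int)}
}

// Write implements io.Writer. *log.Logger emits one complete line per call,
// so each call can be classified as a single log entry.
func (f *HandshakeNoiseFilter) Write(p []byte) (int, error) {
	ip, noise := ClassifyLine(string(p))
	if !noise {
		return f.out.Write(p)
	}
	f.mu.Lock()
	f.counts[ip]++
	f.mu.Unlock()
	return len(p), nil // consumed: report success so the logger is satisfied
}

// Dropped returns how many noise lines have been swallowed so far.
func (f *HandshakeNoiseFilter) Dropped() int {
	f.mu.Lock()
	defer f.mu.Unlock()
	n := 0
	for _, c := range f.counts {
		n += c
	}
	return n
}

// TopSources returns up to limit source IPs, busiest first (ties by address),
// so one persistent scanner stands out from diffuse background noise.
func (f *HandshakeNoiseFilter) TopSources(limit int) []string {
	f.mu.Lock()
	defer f.mu.Unlock()
	ips := make([]string, 0, len(f.counts))
	for ip := range f.counts {
		ips = append(ips, ip)
	}
	sort.Slice(ips, func(i, j int) bool {
		if f.counts[ips[i]] != f.counts[ips[j]] {
			return f.counts[ips[i]] > f.counts[ips[j]]
		}
		return ips[i] < ips[j]
	})
	if len(ips) > limit {
		ips = ips[:limit]
	}
	return ips
}

// Summary renders the one line a periodic report prints instead of the noise.
func (f *HandshakeNoiseFilter) Summary() string {
	return fmt.Sprintf("suppressed %d handshake errors; top sources: %v", f.Dropped(), f.TopSources(3))
}

func main() {
	filter := NewHandshakeNoiseFilter(os.Stderr)
	srv := &http.Server{
		Addr:     ":443",
		ErrorLog: log.New(filter, "", log.LstdFlags), // net/http's own error lines go through the filter
	}
	go func() { // once a minute, one summary line instead of hundreds of noise lines
		for range time.Tick(time.Minute) {
			log.Println(filter.Summary())
		}
	}()
	// Hypothetical paths for this example; an autocert GetCertificate works the same way.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

Lines that do not match either pattern (an accept error, a handler panic) still reach `os.Stderr` immediately, so the filter removes only the noise the page describes while keeping a count that can be alerted on if one source suddenly dominates.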