
Upload Failure: SSL handshake failure

Open MattRCole opened this issue 3 years ago • 5 comments

Remarkable software version: 2.5.0.27
Oxide version: 2.2.2 (I think)

Setup:

  • rmfakecloud: Docker image
  • rmfakecloud-proxy: automatic installer
  • Using nginx reverse proxy for SSL

I've been trying to figure out why I'm seeing SSL handshake failure in the xochitl logs, but I'm stumped. I would really appreciate help, even though I'm sure the problem is somewhere in my setup and not actually in rmfakecloud.

I'll try and include all relevant information.

Here are the logs that I'm seeing from rmfakecloud:

time="2021-11-19T21:57:29Z" level=debug msg="[requestlogging-middleware] body:  [\n    {\n        \"ID\": \"5f75f605-78e0-40df-b586-6aef5cc7964d\",\n        \"Parent\": \"b0ac418c-7fa1-4de6-9039-080c495375b6\",\n        \"Type\": \"DocumentType\",\n        \"Version\": 1\n    }\n]\n"
time="2021-11-19T21:57:29Z" level=info msg="[auth-middleware] UserId: [user id]@gmail.com deviceId: [device id] newSync: false"
time="2021-11-19T21:57:29Z" level=debug msg="uploadUrl:  https://remarkable.[mydomain].com"
time="2021-11-19T21:57:29Z" level=debug msg="StorageUrl:  https://remarkable.[mydomain].com/storage/eyJhbGciOiJIUzI1NiIsImtpZCI6IjEiLCJ0eXAiOiJKV1QifQ.eyJkb2N1bWVudElkIjoiNWY3NWY2MDUtNzhlMC00MGRmLWI1ODYtNmFlZjVjYzc5NjRkIiwidXNlcklkIjoibWF0dGhld3JpY2hhcmRjb2xlQGdtYWlsLmNvbSIsImF1ZCI6InN0b3JhZ2UiLCJleHAiOjE2MzczNTkzNDl9.FRsf_8CTyPL1-onwa0wvkQQvuc9gQdvDhKhyuFT_LoY"
time="2021-11-19T21:57:29Z" level=info msg="[GIN] 2021/11/19 - 21:57:29 | 200 |     588.505µs |     172.18.0.11 | PUT      \"/document-storage/json/2/upload/request\""
time="2021-11-19T21:57:30Z" level=debug msg="[requestlogging-middleware] body:  "
time="2021-11-19T21:57:30Z" level=info msg="Requested: document-storage\n"
time="2021-11-19T21:57:30Z" level=info msg="[GIN] 2021/11/19 - 21:57:30 | 200 |     147.113µs |     172.18.0.11 | GET      \"/service/json/1/document-storage?environment=production&group=matthewrichardcole%40gmail.com&apiVer=2\""
time="2021-11-19T21:57:31Z" level=debug msg="[requestlogging-middleware] body:  [\n    {\n        \"ID\": \"9ea7672a-b5df-4986-b7fd-c1762f949b8b\",\n        \"Parent\": \"3955e1ae-333a-43cf-97f6-4af659bcacc8\",\n        \"Type\": \"DocumentType\",\n        \"Version\": 1\n    }\n]\n"
time="2021-11-19T21:57:31Z" level=info msg="[auth-middleware] UserId: [user id]@gmail.com deviceId: [device id] newSync: false"
time="2021-11-19T21:57:31Z" level=debug msg="uploadUrl:  https://remarkable.[mydomain].com"
time="2021-11-19T21:57:31Z" level=debug msg="StorageUrl:  https://remarkable.[mydomain].com/storage/eyJhbGciOiJIUzI1NiIsImtpZCI6IjEiLCJ0eXAiOiJKV1QifQ.eyJkb2N1bWVudElkIjoiOWVhNzY3MmEtYjVkZi00OTg2LWI3ZmQtYzE3NjJmOTQ5YjhiIiwidXNlcklkIjoibWF0dGhld3JpY2hhcmRjb2xlQGdtYWlsLmNvbSIsImF1ZCI6InN0b3JhZ2UiLCJleHAiOjE2MzczNTkzNTF9.KXG24KlHo8fmBLD5tpqpr9PScr05N1xGc94LZ5zG4iQ"
rmfakecloud_1        | time="2021-11-19T21:57:31Z" level=info msg="[GIN] 2021/11/19 - 21:57:31 | 200 |     539.628µs |     172.18.0.11 | PUT      \"/document-storage/json/2/upload/request\""

Here's rmfakecloud-proxy's startup command:

ExecStart=/home/root/rmfakecloud/rmfake-proxy -cert /home/root/rmfakecloud/proxy.bundle.crt -key /home/root/rmfakecloud/proxy.key https://remarkable.[mydomain].com

I'll attach the xochitl logs as a file because they are long and mostly consist of logs very similar to the following:

Warning: Error during upload of file "/home/root/.local/share/remarkable/xochitl/e01120d5-fde1-4710-ba14-41d52645a479_0.zip" "SSL handshake failed" (:0, )

xochitl-logs.txt

Here's my NGINX config for this server:

server {
  listen 443 ssl;
  server_name remarkable.[mydomain].com;

  client_max_body_size 0;

  ssl_certificate         /etc/letsencrypt/live/remarkable.[mydomain].com/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/remarkable.[mydomain].com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/remarkable.[mydomain].com/chain.pem;

  ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;

    proxy_pass http://rmfakecloud:3000;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade; #variable defined in the main nginx.conf file to be `upgrade` when appropriate, and `close` when the `Upgrade` header is empty

    proxy_read_timeout 1d;
    proxy_send_timeout 1d;
  }
}

Here's an excerpt of my nginx logs:

nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:37 +0000] "GET /service/json/1/document-storage?environment=production&group=[userid]&apiVer=2 HTTP/2.0" 200 42 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:38 +0000] "PUT /document-storage/json/2/upload/request HTTP/2.0" 200 456 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:39 +0000] "GET /service/json/1/document-storage?environment=production&group=[userid]&apiVer=2 HTTP/2.0" 200 42 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:40 +0000] "PUT /document-storage/json/2/upload/request HTTP/2.0" 200 457 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:41 +0000] "GET /service/json/1/document-storage?environment=production&group=[userid]&apiVer=2 HTTP/2.0" 200 42 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:42 +0000] "PUT /document-storage/json/2/upload/request HTTP/2.0" 200 457 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:43 +0000] "GET /service/json/1/document-storage?environment=production&group=[userid]&apiVer=2 HTTP/2.0" 200 42 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:44 +0000] "PUT /document-storage/json/2/upload/request HTTP/2.0" 200 457 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:47 +0000] "GET /service/json/1/document-storage?environment=production&group=[userid]&apiVer=2 HTTP/2.0" 200 42 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:48 +0000] "PUT /document-storage/json/2/upload/request HTTP/2.0" 200 457 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:49 +0000] "GET /service/json/1/document-storage?environment=production&group=[userid]&apiVer=2 HTTP/2.0" 200 42 "-" "xochitl/2.5.0.27 (codex 2.5.2)"
nginx-certbot_1      | 192.168.1.1 - - [20/Nov/2021:03:49:50 +0000] "PUT /document-storage/json/2/upload/request HTTP/2.0" 200 457 "-" "xochitl/2.5.0.27 (codex 2.5.2)"

MattRCole (Nov 20 '21 04:11)

~~Wait, do I need to copy the ssl cert files from nginx to the tablet?~~

Okay, so, I will admit to moments of stupidity, I did not read the very helpful troubleshooting in the readme before posting.

Most everything works when running the troubleshooting steps, the following steps fail, and I'm not sure why:

wget -O- https://local.appspot.com returns the following:

ERROR: cannot verify local.appspot.com's certificate, issued by 'CN=rmfakecloud':
  Self-signed certificate encountered.

and

ping local.remarkable.com returns: bad address 'local.remarkable.com'

All other checks return the expected results, even

echo Q | openssl s_client -connect localhost:443 -verify_hostname local.appspot.com -CAfile /etc/ssl/certs/ca-certificates.crt 2>&1 | grep Verify

which returns Verify return code: 0 (ok)

MattRCole (Nov 20 '21 06:11)

Also, running QT_LOGGING_RULES=xochitl.*=true xochitl | grep -A3 QUrl only showed variations on the following 2 logs:

36:16.154 xochitl.network.client   Http::PUT QUrl("https://local.appspot.com:443/document-storage/json/2/upload/request")
36:16.228 xochitl.network.client   Http::PUT QUrl("https://remarkable.[my domain].com/storage/eyJhbGciOiJIUzI1NiIsImtpZCI6IjEiLCJ0eXAiOiJKV1QifQ.eyJkb2N1bWVudElkIjoiZDVkYjg4OWUtMzVkYi00MjdiLWFmMDAtNTM3MzZjZjIwYWMwIiwidXNlcklkIjoibWF0dGhld3JpY2hhcmRjb2xlQGdtYWlsLmNvbSIsImF1ZCI6InN0b3JhZ2UiLCJleHAiOjE2MzczOTQwNzZ9.JiqT0JRh3kNGCdUj3XH1rvDrwgU22ZwbccHDKFibNeQ")
36:16.263 xochitl.network.document.uploaderError during upload of file "/home/root/.local/share/remarkable/xochitl/d5db889e-35db-427b-af00-53736cf20ac0_0.zip" "SSL handshake failed"
36:16.264 xochitl.network.document.uploaderUpload file finished "Books" "d5db889e-35db-427b-af00-53736cf20ac0"
36:16.264 xochitl.network.document.uploaderUpload file failed "Books" "d5db889e-35db-427b-af00-53736cf20ac0"
--
36:17.167 xochitl.network.client   Http::GET QUrl("https://service-manager-production-dot-remarkable-production.appspot.com:443/service/json/1/document-storage?environment=production&group=[user id]&apiVer=2")
36:17.168 xochitl.network.document.uploaderNo document storage host yet, trying again later
36:17.168 xochitl.network.client   Already fetching AbstractNetworkClient::Service(DocumentStorage)
36:17.169 xochitl.network.document.uploaderNo document storage host yet, trying again later

MattRCole (Nov 20 '21 07:11)
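
An added example, not part of the original thread or of the rmfakecloud project: a small parser for xochitl debug output in the format posted above that pairs each "SSL handshake failed" line with the request logged immediately before it, showing which host the failing TLS connection was addressed to. The pairing-by-adjacency heuristic, the `PROXIED_HOSTS` set and the sample log (placeholder host `cloud.example.test`, placeholder token and file name) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames that resolve to the on-device rmfakecloud-proxy.
# These are the two proxied names visible in this thread; adjust to your setup.
PROXIED_HOSTS = {
    "local.appspot.com",
    "service-manager-production-dot-remarkable-production.appspot.com",
}

REQUEST_RE = re.compile(r'Http::(?P<method>[A-Z]+) QUrl\("(?P<url>[^"]+)"\)')
TLS_ERROR_RE = re.compile(
    r'Error during upload of file "(?P<file>[^"]+)" "SSL handshake failed"'
)


def tls_failures(log_text):
    """Pair each handshake failure with the request logged just before it."""
    findings = []
    last = None  # (method, host) of the most recent Http:: request line
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if req:
            last = (req["method"], urlsplit(req["url"]).hostname)
            continue
        err = TLS_ERROR_RE.search(line)
        if err and last:
            method, host = last
            findings.append({
                "file": err["file"].rsplit("/", 1)[-1],
                "method": method,
                "host": host,
                # False means the device verified this host's certificate
                # itself, without the proxy's certificate in the path.
                "via_device_proxy": host in PROXIED_HOSTS,
            })
    return findings


# Constructed sample in the log format shown above (not real data).
SAMPLE_LOG = '''\
36:16.154 xochitl.network.client   Http::PUT QUrl("https://local.appspot.com:443/document-storage/json/2/upload/request")
36:16.228 xochitl.network.client   Http::PUT QUrl("https://cloud.example.test/storage/TOKEN")
36:16.263 xochitl.network.document.uploaderError during upload of file "/home/root/.local/share/remarkable/xochitl/0000_0.zip" "SSL handshake failed"
--
36:17.167 xochitl.network.client   Http::GET QUrl("https://service-manager-production-dot-remarkable-production.appspot.com:443/service/json/1/document-storage?apiVer=2")
'''

if __name__ == "__main__":
    for f in tls_failures(SAMPLE_LOG):
        path = "on-device proxy" if f["via_device_proxy"] else "STORAGE_URL host, direct"
        print(f'{f["file"]}: {f["method"]} {f["host"]} ({path}) failed the TLS handshake')
```

A failure reported with `via_device_proxy` set to false points at the certificate chain served by the public host rather than at the proxy certificate installed on the tablet.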

did you set the STORAGE_URL env variable?

ddvk (Nov 20 '21 13:11)

Yes. Here's my docker-compose.yml

services:
  rmfakecloud:
    image: ddvk/rmfakecloud
    restart: unless-stopped
    ports:
      - '3000:3000'
    volumes:
      - remarkable:/data
    environment:
      - STORAGE_URL=https://remarkable.[my domain].com
      - RMAPI_HWR_APPLICATIONKEY=${RMAPI_HWR_APPLICATIONKEY}
      - RMAPI_HWR_HMAC=${RMAPI_HWR_HMAC}
      - RM_SMTP_SERVER=${RM_SMTP_SERVER}
      - RM_SMTP_USERNAME=${RM_SMTP_USERNAME}
      - RM_SMTP_PASSWORD=${RM_SMTP_PASSWORD}
      - RM_SMTP_FROM=${RM_SMTP_FROM}
      - JWT_SECRET_KEY=${RM_JWT_SECRET_KEY}

volumes:
  remarkable:

MattRCole (Nov 20 '21 17:11)

when you try this?

echo Q | openssl s_client -connect remarkable.[my domain].com:443 -verify_hostname remarkable.[my domain].com -CAfile /etc/ssl/certs/ca-certificates.crt 2>&1 | grep Verify

also, as a quick test: can you set: STORAGE_URL=https://local.appspot.com

ddvk (Nov 21 '21 08:11)