lua-resty-acme

Nginx alerts "ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content)"

Open DoobleD opened this issue 1 year ago • 3 comments

I'm seeing quite a lot of the following alerts in Nginx logs:

[alert] 721#721: *16748745 ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content), context: XXX

Where XXX is either ssl_certificate_by_lua* or ngx.timer, the latter occurring much more often.

I'm not sure how to investigate this further though, in particular because I don't see the domains that generate these errors in the logs. Any ideas what the issue could be?

DoobleD, Oct 22 '24 08:10

Not sure if that helps but the version with ssl_certificate_by_lua*:

ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content), context: ssl_certificate_by_lua*

happens once a day every day at 00:00 UTC. It could be related to some timer or recurring task. I thought perhaps the renew interval, but I'm using the default one which is every 6 hours if I'm not mistaken (based on the docs).

DoobleD, Nov 14 '24 09:11

It's caused by an error that was previously thrown and not properly cleared. It could be from this library or any other that uses openssl, as the error stack is shared. While it can be safely ignored as the occurrence of the error is always from the past, I'm not sure where this could come from 🤔

fffonion, Nov 29 '24 17:11

Thank you for your reply @fffonion.

I enabled debug logs to get more info, but it didn't seem very helpful. The only consistent thing is that an HTTP connection to acme-v02.api.letsencrypt.org is logged before the error is:

@40000000674f1d54216abbc5.s-2024-12-03 14:58:54.687030956  2024/12/03 14:58:54 [debug] 3372369#3372369: *80595430 [lua] http_connect.lua:253: connect(): poolname: https:acme-v02.api.letsencrypt.org:443:true:acme-v02.api.letsencrypt.org:true:::
@40000000674f1d54216abbc5.s:2024-12-03 14:58:54.687268030  2024/12/03 14:58:54 [alert] 3372369#3372369: *80595430 ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content), context: ssl_certificate_by_lua*, client: 175.157.40.19, server: 0.0.0.0:443

Not sure this really helps. Also, I was mistaken when I said that the error happens at 00:00 UTC once a day. It actually happens multiple times every day at random times, and I was just notified of it at 00:00.

If these errors are benign in reality, I'll ignore them for now.

DoobleD, Dec 03 '24 15:12