
Unexpected TLS ClientHello from lighttpd

Open LogSpider opened this issue 2 years ago • 0 comments

Use Nextcloud AIO with Docker and Portainer, they said. It is easy to manage and update, they said.

  1. Add Custom Template on portainer as suggested from https://github.com/nextcloud/all-in-one/blob/main/docker-compose.yml
  2. Deploy Stack
  3. Stuck in the middle of nowhere

Ubuntu 22.04, Nextcloud AIO 1.7.0

  • Ubuntu is running on VMware behind a pfSense firewall with a normal local network IP, 10.10.10.10/24.
  • All needed ports are forwarded (80,443,8080,8443,3478) from cloud.mydomain.com (80.80.80.80) to 10.10.10.10.
  • Reverse DNS / PTR is correctly set. Checking my public IP with wget -qO - icanhazip.com shows 80.80.80.80.
  • I get the initial setup page with initial password from cloud.mydomain.com:8443.
  • Then https://cloud.mydomain.com:8443/containers appears with Nextcloud AIO v1.7.0.

As soon as I click on submit with cloud.mydomain.com entered, an error message appears with this text: The server is not reachable on Port 443. You can verify this e.g. with 'https://portchecker.co/' by entering your domain there as ip-address and port 443 as port.

Okay, let's check this under Linux:

root@mycloud:~# fuser -n tcp 443
443/tcp:             240766

root@mycloud:~# ps ax | grep 240766
 240766 ?        Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-ip 172.17.0.3 -container-port 443
 241355 pts/0    R+     0:00 grep --color=auto 240766

Okay, that's nextcloud-aio-domaincheck running on port 443.

Port is reachable over portchecker.co. Okay, let's try curl and wget from another host:

curl

root@mylab:~$ curl https://cloud.mydomain.com/
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

wget

root@mylab:~$ wget https://cloud.mydomain.com/
--2022-08-11 09:10:36--  https://cloud.mydomain.com/
Auflösen des Hostnamens cloud.mydomain.com (cloud.mydomain.com) … 80.80.80.80
Verbindungsaufbau zu cloud.mydomain.com (cloud.mydomain.com)|80.80.80.80|:443... verbunden.
OpenSSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Es ist nicht möglich, eine SSL-Verbindung herzustellen.

Yay, Firefox shows SSL_ERROR_RX_RECORD_TOO_LONG.

Okay, let's look at the logs of this domaincheck container.

2022-08-11 07:03:26: (server.c.1568) server started (lighttpd/1.4.64)
2022-08-11 07:09:44: (connections.c.717) unexpected TLS ClientHello on clear port (w.x.y.z)
2022-08-11 07:09:44: (connections.c.717) unexpected TLS ClientHello on clear port (w.x.y.z)
2022-08-11 07:10:21: (connections.c.717) unexpected TLS ClientHello on clear port (w.x.y.z)
2022-08-11 07:10:36: (connections.c.717) unexpected TLS ClientHello on clear port (w.x.y.z)
2022-08-11 07:14:27: (connections.c.717) unexpected TLS ClientHello on clear port (w.x.y.z)
2022-08-11 07:14:27: (connections.c.717) unexpected TLS ClientHello on clear port (w.x.y.z)

Okay, I really would like to understand what is going wrong; I repeated everything 100 times over the last days before writing an issue. It is really frustrating.

LogSpider • Aug 11 '22 07:08
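Every symptom in the report points at the same condition: a cleartext HTTP server (the domaincheck container's lighttpd) is answering on port 443, so a browser's TLS ClientHello is met with an HTTP status line. OpenSSL reads the first five bytes of "HTTP/" as a TLS record header and rejects the version field ("wrong version number"); NSS reads the same bytes as a record length far above the maximum (SSL_ERROR_RX_RECORD_TOO_LONG); lighttpd, on its side, logs the incoming handshake as "unexpected TLS ClientHello on clear port". The script below is an added example written for this page; it is not part of the issue or of the Nextcloud AIO project. It shows the header bytes as a TLS client sees them, classifies a server's reply as TLS or plain HTTP, runs that check live (`probe` is a hypothetical helper, and the host name passed to it is a placeholder), and summarizes the lighttpd log lines. The log sample and its source addresses are constructed.

```python
import re
import socket
import ssl
import struct
from collections import Counter

# TLS record content types (RFC 5246, section 6.2.1); any other first byte is not a TLS record.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def parse_record_header(data: bytes) -> dict:
    """Read the first five bytes the way an OpenSSL or NSS client does after sending a ClientHello:
    one byte content type, two bytes protocol version, two bytes record length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return {
        "content_type": content_type,
        "content_type_name": TLS_CONTENT_TYPES.get(content_type, "invalid"),
        "version": version,
        "length": length,
        # Every TLS 1.x record carries major version 3 in its header.
        "looks_like_tls": content_type in TLS_CONTENT_TYPES and (version >> 8) == 3,
    }


def classify_response(data: bytes) -> str:
    """Classify what a server sent back on a port that was expected to speak TLS."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # a cleartext web server answered, as lighttpd does here
    if len(data) >= 5 and parse_record_header(data)["looks_like_tls"]:
        return "tls"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (hypothetical helper): attempt a real TLS handshake first; if the server does
    not speak TLS at all, talk plain HTTP on a fresh connection and classify the reply."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"speaks_tls": True, "protocol": tls.version(), "certificate_ok": True}
    except ssl.SSLCertVerificationError as exc:
        # TLS is spoken; only the certificate was rejected, which is a different problem.
        return {"speaks_tls": True, "certificate_ok": False, "error": str(exc)}
    except ssl.SSLError as exc:
        tls_error = str(exc)  # e.g. "wrong version number" when the reply starts with "HTTP/"
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n")
        first = raw.recv(64)
    return {"speaks_tls": False, "tls_error": tls_error,
            "first_bytes": first, "classification": classify_response(first)}


LIGHTTPD_CLEAR_PORT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): \(connections\.c\.\d+\) "
    r"unexpected TLS ClientHello on clear port \((?P<src>[^)]+)\)$"
)


def summarize_clear_port_hellos(lines) -> dict:
    """Count lighttpd's 'unexpected TLS ClientHello on clear port' events and the peers behind them."""
    hits = [m for m in (LIGHTTPD_CLEAR_PORT_RE.match(line.strip()) for line in lines) if m]
    return {
        "count": len(hits),
        "sources": Counter(m["src"] for m in hits),
        "first": hits[0]["ts"] if hits else None,
        "last": hits[-1]["ts"] if hits else None,
    }


# Constructed sample log in the same format as the issue; the source addresses are made up.
SAMPLE_LOG = [
    "2022-08-11 07:03:26: (server.c.1568) server started (lighttpd/1.4.64)",
    "2022-08-11 07:09:44: (connections.c.717) unexpected TLS ClientHello on clear port (203.0.113.5)",
    "2022-08-11 07:09:44: (connections.c.717) unexpected TLS ClientHello on clear port (203.0.113.5)",
    "2022-08-11 07:14:27: (connections.c.717) unexpected TLS ClientHello on clear port (198.51.100.9)",
]

if __name__ == "__main__":
    # What OpenSSL sees when lighttpd answers a ClientHello with an HTTP status line.
    print(parse_record_header(b"HTTP/1.1 200 OK\r\n"))
    print(summarize_clear_port_hellos(SAMPLE_LOG))
    # Live check against a placeholder host; replace with the instance under test.
    # print(probe("cloud.example.com"))
```

For the bytes "HTTP/" the header parser reports content type 0x48 (not a TLS type), version 0x5454 and length 20527, which is exactly why the two clients fail the way they do. Run against the domaincheck endpoint, `probe` returns `speaks_tls: False` with classification `plaintext-http`, confirming that the port is reachable but that something other than a TLS listener (here the domaincheck container instead of the expected Apache/Caddy front end) owns it.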