Refuse to establish TLS connection, ask some help , appreciate #6879

andylau004 · 2024-04-01T07:55:57Z

andylau004
Apr 1, 2024

Prerequisites

I have checked the Wiki and Discussions and found no answer
I have searched other issues and found no duplicates
I want to report a bug and not ask a question or ask for help
I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)

Platform (OS and CPU architecture)

Linux, AMD64 (aka x86_64)

Installation

Other (please mention in the description)

Setup

On one machine

AdGuard Home version

master

Action

pull master adGuardHome code, and build it, my tst adguardhome server: https://www.bxydoh.com.cn
my adguardhome crt:

when i access https://www.bxydoh.com.cn/#logs
my adGuardhome server print log ,like below

2024/04/01 15:40:45.028081 41270#3875 [debug] web: https: http: TLS handshake error from 218.241.161.59:53242: read tcp 172.17.153.177:443->218.241.161.59:53242: read: connection reset by peer

but use https://ip:port/#logs ,that is ok and show work log . but browse address bar have no green lock icon,, ,always red alert
my https 443 port , CipherSuites =

141:2024/04/01 14:10:11.651475 41270#4 [info] tls ciper suite: [TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256]

anyone have encountered this problem before, give some advise
thks for your reply

Expected result

expect to see ,, from browse addres access correct ,,by browse and http client,

Actual result

Additional information and/or screenshots

Bad result from browse access

good result from browse access

Answered by Cebeerre

Apr 2, 2024

Let me move this to a discussion, as I guess it makes more sense. Thanks !

View full answer

andylau004 · 2024-04-01T09:06:27Z

andylau004
Apr 1, 2024
Author

my pcap (when browse access url: https://www.bxydoh.com.cn)

tls-handleshake.tar.gz

0 replies

xRuffKez · 2024-04-01T18:17:53Z

xRuffKez
Apr 1, 2024

Are your root ca up to date? Have you added yours issuers ca to your system too?

0 replies

andylau004 · 2024-04-02T01:50:30Z

andylau004
Apr 2, 2024
Author

Are your root ca up to date? Have you added yours issuers ca to your system too?您的根目录是最新的吗？您是否也已将发行人 ca 添加到您的系统中？

you mean , add my tst adguardhome server 's certficate ca root crt into my local machine os ?

0 replies

andylau004 · 2024-04-02T01:56:48Z

andylau004
Apr 2, 2024
Author

Are your root ca up to date? Have you added yours issuers ca to your system too?您的根目录是最新的吗？您是否也已将发行人 ca 添加到您的系统中？

when my tst_adguardhome_server recv tls handleshake ---> client hello, then response RST and disconnect connection
... noway...

just use https://ip:port/#logs just ok ..

mabe it's related to the domain name,,,or common name in server's cert

0 replies

xRuffKez · 2024-04-02T13:30:25Z

xRuffKez
Apr 2, 2024

I mean your Domains certificate.
Do you use certbot (letsencrypt)?

Here is an easy way to setup a certificate:
https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04

Is your Certificate self signed or do you use a certificate from an issuer?
If you use a selfsigned certificate, you need to install your root ca on the client, which want to connect to your dns server.

Is your certificate from an issuer, it might be untrusted by the root ca of your mashine, which is hosting adguard home. Then you need to install the root certificate (NOT that certificate that you use on adguard) on your system.

How have you generated your certificate? Maybe i can think better into your problem.

2 replies

andylau004 Apr 11, 2024
Author

Thank you for your reply, great way to apply for the certificate
i wil use it for myserver,

xRuffKez Apr 24, 2024

Has it worked?

xRuffKez · 2024-04-02T13:36:54Z

xRuffKez
Apr 2, 2024

when my tst_adguardhome_server recv tls handleshake ---> client hello, then response RST and disconnect connection\n... noway...

Sounds like failed handshake, because public key is not known or not trusted and cannot decrypt or validate the certificate.

0 replies

xRuffKez · 2024-04-02T13:47:28Z

xRuffKez
Apr 2, 2024

0 replies

xRuffKez · 2024-04-02T13:56:24Z

xRuffKez
Apr 2, 2024

Maybe wrong .pem file selected in adguard home?

0 replies

bcookatpcsd · 2024-04-02T16:51:58Z

bcookatpcsd
Apr 2, 2024

from vultr..

* Host www.bxydoh.com.cn:443 was resolved.
* IPv6: (none)
* IPv4: 47.121.29.24
*   Trying 47.121.29.24:443...
* Connected to www.bxydoh.com.cn (47.121.29.24) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* Recv failure: Connection reset by peer
* OpenSSL SSL_connect: Connection reset by peer in connection to www.bxydoh.com.cn:443
* Closing connection
curl: (35) Recv failure: Connection reset by peer

ssh audit works.. so we have valid 22/tcp..

8< -- SNIP -- >8

grep fail
(kex) ecdh-sha2-nistp256                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(key) ecdsa-sha2-nistp256                   -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency

working with lego.. @andylau004

https://github.com/go-acme/lego

curl -v -I https://47.121.29.24 -k

8< -- SNIP -- >8

* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.bxydoh.com.cn
*  start date: Apr  1 00:00:00 2024 GMT
*  expire date: Jun 30 23:59:59 2024 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Encryption Everywhere DV TLS CA - G2
!! --> *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2

Can you generate self signed and load those..

Looks like the intermediate cert isn't there..

1 reply

andylau004 Apr 12, 2024
Author

vim AdGuardHome.yaml

certificate_path: /etc/letsencrypt/archive/bxydoh.com.cn-0002/fullchain1.pem

fullchain1.pem content ,,,,

and web check is correct ,,

but browse always wrong..

conclusion

the problem still exist
https://www.bxydoh.com.cn not work.
ip:port is ok ,and browse no green lock.

@xRuffKez @bcookatpcsd

xRuffKez · 2024-04-02T17:51:48Z

xRuffKez
Apr 2, 2024

Looks like the intermediate cert isn't there..

Thats also my guess. Either wrong .pem or intermediate cert is not set in the sys ca storage

1 reply

andylau004 Apr 12, 2024
Author

mac os ,already import letsencrypt middle, root cert.

I was so confused

Cebeerre · 2024-04-02T18:46:41Z

Cebeerre
Apr 2, 2024
Collaborator

Let me move this to a discussion, as I guess it makes more sense. Thanks !

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Refuse to establish TLS connection, ask some help , appreciate #6879

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 11 comments 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

Refuse to establish TLS connection, ask some help , appreciate #6879

Prerequisites

Platform (OS and CPU architecture)

Installation

Setup

AdGuard Home version

Action

Expected result

Actual result

Additional information and/or screenshots

Replies: 11 comments · 4 replies

andylau004 Apr 1, 2024 Author

andylau004 Apr 2, 2024 Author

andylau004 Apr 2, 2024 Author

andylau004 Apr 11, 2024 Author

andylau004 Apr 12, 2024 Author

andylau004 Apr 12, 2024 Author

Cebeerre Apr 2, 2024 Collaborator

Replies: 11 comments 4 replies

andylau004
Apr 1, 2024
Author

andylau004
Apr 2, 2024
Author

andylau004
Apr 2, 2024
Author

andylau004 Apr 11, 2024
Author

andylau004 Apr 12, 2024
Author

andylau004 Apr 12, 2024
Author

Cebeerre
Apr 2, 2024
Collaborator