
x/crypto/acme/autocert: Error http: TLS handshake error from <ip>:<port>: Head "": unsupported protocol scheme "" trying to connect to letsencrypt's pebble #39284

Open
tofsme opened this issue May 27, 2020 · 1 comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments


tofsme commented May 27, 2020

What version of Go are you using (go version)?

$ go version
go version go1.10.8 linux/amd64

Does this issue reproduce with the latest release?

Yes. It happens with: go version go1.14.3 linux/amd64

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/tofs/.cache/go-build"
GOENV="/home/tofs/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/tofs/Private/production/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build170790492=/tmp/go-build -gno-record-gcc-switches"

What did you do?

  • pebble is a lightweight implementation of an ACME server, for e2e testing purposes. It's available here: https://github.com/letsencrypt/pebble
  • this is running inside a docker container with wget pre-installed

I added "example.org" to /etc/hosts pointing to the docker container's IP address.
I moved the pebble test certificate to /etc/ssl/certs/ca-certificates.crt
I started pebble with:
PEBBLE_VA_ALWAYS_VALID=1 ./pebble -strict

I started an https server in the same container running this code:

package main

import (
	"crypto/rand" // key material must come from a CSPRNG, not math/rand
	"crypto/rsa"
	"golang.org/x/crypto/acme"
	"golang.org/x/crypto/acme/autocert"
	"log"
	"net/http"
)

func main() {
	// Generate the ACME account key with crypto/rand (the original used
	// math/rand seeded from the clock, which is not suitable for key material).
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	// Point the ACME client at the local Pebble directory instead of Let's Encrypt.
	client := &acme.Client{DirectoryURL: "https://localhost:14000/dir", Key: key}
	m := &autocert.Manager{
		Cache:      autocert.DirCache("secret-dir"),
		Prompt:     autocert.AcceptTOS,
		HostPolicy: autocert.HostWhitelist("example.org", "www.example.org"),
		Client:     client,
	}
	s := &http.Server{
		Addr:      ":https",
		TLSConfig: m.TLSConfig(), // certificates are obtained on demand from the ACME client above
	}
	log.Fatal(s.ListenAndServeTLS("", ""))
}

I issued a call using wget to https://example.org

What did you expect to see?

A 404 - page not found error

What did you see instead?

  • wget output:
    --2020-05-27 21:30:28-- https://example.org/
    Resolving example.org (example.org)... 172.17.0.4
    Connecting to example.org (example.org)|172.17.0.4|:443... connected.
    GnuTLS: A TLS fatal alert has been received.
    GnuTLS: received alert [80]: Internal error
    Unable to establish SSL connection.

  • https server log (stderr):
    2020/05/27 21:30:28 http: TLS handshake error from 172.17.0.4:53518: Head "": unsupported protocol scheme ""

  • pebble output:
    Pebble 2020/05/27 21:30:28 GET /dir -> calling handler()
    Pebble 2020/05/27 21:30:28 HEAD /dir -> calling handler()
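
A diagnostic added here as an example (not code from the issue, from Pebble or from x/crypto): it parses an ACME directory document and reports whether it advertises the RFC 8555 endpoint names (newNonce/newAccount/newOrder, the layout Pebble's /dir uses) or the older pre-RFC names (new-reg and friends), and which URL a client would HEAD for a fresh nonce. An empty nonce URL is exactly the request net/http rejects with `unsupported protocol scheme ""`, so comparing the directory a test CA serves against what the client expects is the first check to run when that error appears. The sample directory is constructed, and `Directory`, `Dialect` and `NonceEndpoint` are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Directory decodes both RFC 8555 and pre-RFC endpoint names so they can be told apart.
type Directory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
	LegacyReg  string `json:"new-reg"` // hallmark of the pre-RFC directory layout
}

// ParseDirectory decodes the JSON body returned by a directory URL.
func ParseDirectory(body []byte) (Directory, error) {
	var d Directory
	err := json.Unmarshal(body, &d)
	return d, err
}

// Dialect reports which endpoint set the directory advertises
// ("rfc8555" wins when both are present).
func Dialect(d Directory) string {
	switch {
	case d.NewNonce != "" && d.NewAccount != "" && d.NewOrder != "":
		return "rfc8555"
	case d.LegacyReg != "":
		return "legacy"
	}
	return "none"
}

// NonceEndpoint is the URL an RFC 8555 client HEADs for a fresh nonce; an empty
// result means there is nothing to request, which net/http reports as `unsupported protocol scheme ""`.
func NonceEndpoint(d Directory) string { return d.NewNonce }

// Constructed sample in the shape Pebble serves at /dir (not captured from the issue).
const sampleDir = `{"newNonce":"https://localhost:14000/nonce-plz","newAccount":"https://localhost:14000/sign-me-up","newOrder":"https://localhost:14000/order-plz"}`

func main() {
	d, err := ParseDirectory([]byte(sampleDir))
	if err != nil {
		panic(err)
	}
	fmt.Println(Dialect(d), NonceEndpoint(d))
}
```

Against a live test CA, feed the body of `GET <DirectoryURL>` into `ParseDirectory`; a "legacy" or "none" dialect, or an empty nonce endpoint, tells you the client and server disagree on the protocol layout before any TLS handshake is attempted.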

@tofsme tofsme changed the title Error http: TLS handshake error from 172.17.0.1:55568: Head "": unsupported protocol scheme "" trying to connect to letsencrypt's pebble x/crytpo/acme/autocert: Error http: TLS handshake error from 172.17.0.1:55568: Head "": unsupported protocol scheme "" trying to connect to letsencrypt's pebble May 27, 2020
@gopherbot gopherbot added this to the Unreleased milestone May 27, 2020
@tofsme tofsme changed the title x/crytpo/acme/autocert: Error http: TLS handshake error from 172.17.0.1:55568: Head "": unsupported protocol scheme "" trying to connect to letsencrypt's pebble x/crypto/acme/autocert: Error http: TLS handshake error from 172.17.0.1:55568: Head "": unsupported protocol scheme "" trying to connect to letsencrypt's pebble May 27, 2020
@tofsme tofsme changed the title x/crypto/acme/autocert: Error http: TLS handshake error from 172.17.0.1:55568: Head "": unsupported protocol scheme "" trying to connect to letsencrypt's pebble x/crypto/acme/autocert: Error http: TLS handshake error from <ip>:<port>: Head "": unsupported protocol scheme "" trying to connect to letsencrypt's pebble May 27, 2020
@andybons andybons added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label May 28, 2020
@andybons
Member

@FiloSottile @katiehockman

@andybons andybons modified the milestones: Unreleased, Unplanned May 28, 2020