AWS Route53 SSL communication failure: Received fatal alert - protocols

I have one site deployed on AWS ROSA. This site is secured with the HTTPS protocol. I am trying to create a Route53 health check for that site. The Route53 health check fails, stating the reason:
Failure: Resolved IP: x.x.x.x. SSL communication failure: Received fatal alert: protocol_version
However, I am able to access the site in a browser.
As mentioned at
https://aws.amazon.com/premiumsupport/knowledge-center/route-53-fix-unhealthy-health-checks/
the following curl command returns HTTP code 200 and a response time of less than 1 second:
curl -Ik -w "HTTPCode=%{http_code} TotalTime=%{time_total}\n" <http/https>://<domain-name/ip address>:<port>/<path> -so /dev/null
Also, when I was trying to run the same command with an old curl version, I was getting the error:
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
The error from Route53 also mentions the protocol version. Not sure if these two are related.
Has anyone come across this issue? Any pointers will be highly appreciated.
If the site URL is accessible in a browser, then the Route53 health check should return a healthy state.
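The "tlsv1 alert protocol version" the old curl printed, and the "protocol_version" the health checker reports, are the same TLS alert: the server rejected every protocol version the client offered. The script below is an added example, not code from the question or from AWS. It starts a throwaway TLS 1.3-only server on loopback (a stand-in for a strictly configured origin), then probes it with a client pinned to TLS 1.2 and one pinned to TLS 1.3, so you can see which handshake produces that alert. probe_version can be pointed at a real hostname and port to list which versions an origin accepts. It assumes Python 3.7+ on OpenSSL 1.1.1+ and an openssl CLI on PATH to mint the self-signed certificate; everything else is standard library.

```python
# Added example (not from the question or from AWS): reproduce the
# "protocol_version" alert locally and provide a per-version probe that
# can be pointed at a real origin. Assumes Python 3.7+, OpenSSL 1.1.1+
# and the `openssl` CLI on PATH for the throwaway certificate.
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory):
    """Create a throwaway self-signed cert/key pair for 'localhost'.
    Returns (cert_path, key_path), or None if the openssl CLI is missing."""
    if shutil.which("openssl") is None:
        return None
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
        check=True, capture_output=True)
    return cert, key


def probe_version(host, port, version):
    """Attempt one handshake pinned to exactly `version` (like curl
    --tlsv1.2 --tls-max 1.2). Returns 'ok:<negotiated version>',
    'alert:<OpenSSL reason>' or 'error:<message>'. Verification is off
    because this tests protocol support, not trust (the curl -k case)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:  # this OpenSSL build has that version compiled out
        return f"error:{exc}"
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok:{tls.version()}"
    except ssl.SSLError as exc:
        return f"alert:{exc.reason or exc}"
    except OSError as exc:
        return f"error:{exc}"


def serve_tls(server_ctx, listener, stop):
    """Accept loop for the demo server: handshake each connection, then close."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        try:
            with server_ctx.wrap_socket(conn, server_side=True):
                pass
        except (ssl.SSLError, OSError):
            pass  # the rejected client already received the alert
        finally:
            conn.close()


def demo():
    """Run a TLS 1.3-only server on loopback and probe it with TLS 1.2 and 1.3.
    Returns {'TLSv1.2': ..., 'TLSv1.3': ...}, or None without the openssl CLI."""
    with tempfile.TemporaryDirectory() as tmp:
        pair = make_self_signed_cert(tmp)
        if pair is None:
            return None
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(*pair)
        server_ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # the strict origin
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(5)
        port = listener.getsockname()[1]
        stop = threading.Event()
        worker = threading.Thread(target=serve_tls,
                                  args=(server_ctx, listener, stop), daemon=True)
        worker.start()
        try:
            return {
                "TLSv1.2": probe_version("127.0.0.1", port, ssl.TLSVersion.TLSv1_2),
                "TLSv1.3": probe_version("127.0.0.1", port, ssl.TLSVersion.TLSv1_3),
            }
        finally:
            stop.set()
            worker.join()
            listener.close()


if __name__ == "__main__":
    for version, outcome in (demo() or {}).items():
        print(f"{version}: {outcome}")
```

The TLS 1.2 probe comes back as alert:TLSV1_ALERT_PROTOCOL_VERSION while the TLS 1.3 probe negotiates normally. Run the same probe_version loop against the real origin with each ssl.TLSVersion value to see which versions it accepts; a browser or current curl succeeding proves only that one of the newer versions works, not that the version an older client offers is still accepted.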

Related

SSL error while installing Datadog agent in Azure Databricks

I am trying to install the Datadog agent on Azure Databricks using the steps mentioned in https://docs.datadoghq.com/integrations/databricks/?tab=allnodes
But while executing the init script, it fails with this error: "curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.amazonaws.com:443".
I tried installing the agent with the Python package 'datadog', but the issue relevant to SSL still persists.
Please let me know if there is a fix for this.
Regards.
This error message indicates that there was a system call error during an SSL connection to the Amazon S3 endpoint (s3.amazonaws.com:443). Here are a few possible solutions that might help resolve this issue:
Check your internet connection: Ensure that your machine has a stable internet connection and that it is not being blocked by a firewall or proxy.
Update OpenSSL: Make sure that you have the latest version of OpenSSL installed on your machine. Updating OpenSSL can sometimes resolve SSL-related errors.
Check your network settings: If you are behind a firewall or proxy, ensure that the firewall or proxy is not blocking access to the Amazon S3 endpoint (s3.amazonaws.com:443).
Verify the endpoint: Double-check the endpoint URL to ensure that it is correct and that you are using the correct protocol (https).
If the above steps do not resolve the issue, you may need to contact Datadog support for further assistance.

Mesibo On Premise Deployment - curl: (56) Recv failure: Connection reset by peer

I am trying to configure the mesibo communication services On-Premise Deployment and tried to deploy the backend application using docker - FastCGI - NGINX. I have followed the URL below: https://mesibo.com/documentation/on-premise/#hosting-mesibo-backend-apis Please see the section "Hosting mesibo backend APIs". I have used port 11443 to deploy the application in docker.
When running the command sudo netstat -ltnp I get the following output, so the process is running correctly.
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 267497/mysqld
tcp 0 0 0.0.0.0:11443 0.0.0.0:* LISTEN 535097/backend
When I try to run the command
curl http://0.0.0.0:11443
I get the error "curl: (56) Recv failure: Connection reset by peer".
Please help me resolve this issue.
========= Found the issue - but it may help someone
Run the command 'ifconfig' to find the docker IP address, then try the curl command with that IP address.
Please note, mesibo DOES NOT have any web server so you can't use curl directly.
Refer to this document
https://mesibo.com/documentation/on-premise/#hosting-mesibo-backend-apis
It clearly says you should configure and point to your web server. In turn, your web server will connect to the mesibo FastCGI server. From the above doc:
"you need to configure a URL on your webserver to access backend APIs. Any API request received on this URL should be forwarded to the mesibo backend FastCGI server at the port specified in the command, port 5000 in above example."
Please follow the document and configure a URL on your web server and then curl to that URL.

Python Flask End To End Encryption Behind AWS ALB

I have a Python 3 Flask app running in an ECS cluster. The Flask app is configured to run in SSL mode. The app can't be accessed via the ALB CNAME, as it generates connection refused, as seen here:
curl -Il https://tek-app.example.com/health
curl: (7) Failed to connect to tek-app.example.com port 443: Connection refused
When the ALB is hit directly, ignoring the SSL cert exception, it works, as seen here:
curl -Il -k https://tek-w-appli-1234.eu-west-1.elb.amazonaws.com/health
HTTP/2 200
date: Sun, 24 Feb 2019 14:49:27 GMT
content-type: text/html; charset=utf-8
content-length: 9
server: Werkzeug/0.14.1 Python/3.7.2
I understand the main recommendation is to run it behind an Nginx or Apache proxy and to set the X-Forward headers via their configs, but I feel this is over-engineering the solution.
I've also tried enabling the following in the app:
from werkzeug.contrib.fixers import ProxyFix
...
app = Flask(__name__)
app.wsgi_app = ProxyFix(app.wsgi_app)
...
And this fix now produces the correct source IPs in the CloudWatch logs, but doesn't allow connections via the ALB CNAME.
Is there something simple that I'm missing here?
Reply to first answer
Thank you - the CNAME is pointing to the correct ALB. I ran into a similar issue two weeks back with an Apache server, and the fix was to ensure X-Forward-Proto was in use in the Apache vhosts.conf file. So I'm thinking this may be something similar.
I did it again - while developing locally I edited my /etc/hosts file to have a local entry to play with. Then, when the Flask app was pushed to the cloud and tested from the same desktop, it was referencing the local DNS entry as opposed to the public equivalent, hence the connection refused. With the local entry removed, all is now working.
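The ProxyFix line in the question is what makes the app read the client address and scheme from the X-Forwarded-* headers the ALB adds (in current Werkzeug it lives at werkzeug.middleware.proxy_fix; the werkzeug.contrib import used above was removed in Werkzeug 1.0). The block below is an added example, not the question's app and not Werkzeug's code: a small plain-WSGI middleware that does the same rewriting, plus a stand-in /health route and two constructed requests, one relayed by the load balancer and one sent directly with forged headers. It trusts the headers only when the TCP peer is in an assumed proxy range (TRUSTED_PROXIES, a constructed value), whereas Werkzeug's ProxyFix trusts by hop count (x_for=1 and friends); the point is the same: forwarded headers from an untrusted peer must be ignored, or anyone who can reach the task directly can put whatever source address they like into your CloudWatch logs.

```python
# Added example (not from the question, not Werkzeug's code): a minimal
# X-Forwarded-* middleware in plain WSGI, showing what ProxyFix does behind
# an ALB and why those headers must only be honoured from the proxy itself.
import ipaddress

# Constructed assumption: the address range the load balancer connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


class ForwardedHeadersFix:
    """Rewrite REMOTE_ADDR, wsgi.url_scheme and HTTP_HOST from the
    X-Forwarded-* headers, but only when the TCP peer is a trusted proxy.
    A client talking to the app directly cannot spoof its source address
    or scheme this way."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def _is_trusted(self, addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in self.trusted)

    def __call__(self, environ, start_response):
        if self._is_trusted(environ.get("REMOTE_ADDR", "")):
            xff = environ.get("HTTP_X_FORWARDED_FOR")
            if xff:
                # One proxy hop appends the real client at the end of the
                # list; anything earlier was supplied by the client itself.
                environ["REMOTE_ADDR"] = xff.split(",")[-1].strip()
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
            host = environ.get("HTTP_X_FORWARDED_HOST")
            if host:
                environ["HTTP_HOST"] = host
        return self.app(environ, start_response)


def health_app(environ, start_response):
    """Stand-in for the Flask /health route: returns the scheme and client
    address the app would see (and log)."""
    body = f"{environ['wsgi.url_scheme']} {environ['REMOTE_ADDR']}".encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def make_environ(peer, headers=None):
    """Build a constructed WSGI environ for GET /health arriving from `peer`."""
    env = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/health",
        "wsgi.url_scheme": "http",  # scheme of the hop that reached the app
        "REMOTE_ADDR": peer,
        "HTTP_HOST": "tek-app.example.com",
    }
    for name, value in (headers or {}).items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def call(app, environ):
    """Invoke a WSGI app in-process and return (status, body)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


def demo():
    """Two constructed requests: one relayed by the ALB, one sent directly
    with forged headers. Returns the body the app produced for each."""
    app = ForwardedHeadersFix(health_app)
    via_alb = make_environ("10.0.1.5", {
        "X-Forwarded-For": "203.0.113.7",
        "X-Forwarded-Proto": "https",
    })
    direct_forged = make_environ("198.51.100.9", {
        "X-Forwarded-For": "127.0.0.1",
        "X-Forwarded-Proto": "https",
    })
    return {
        "via_alb": call(app, via_alb)[1],              # 'https 203.0.113.7'
        "direct_forged": call(app, direct_forged)[1],  # 'http 198.51.100.9'
    }


if __name__ == "__main__":
    print(demo())
```

With the request relayed by the trusted proxy the app logs the real client and https; with the direct request the forged headers are dropped and the app logs the peer that actually connected. None of this affects the "connection refused" in the question, which happens before any HTTP header is read; it only decides what the app records once a connection does arrive.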

"FAILED Error performing request" when pushing application to Cloud Foundry on Azure BOSH

I'm new to Cloud Foundry and decided to try it. I deployed BOSH to Azure using the docs at https://github.com/cloudfoundry-incubator/bosh-azure-cpi-release/blob/master/docs/guidance.md
Everything went well. Now I'm trying to deploy my first application and I'm having problems. I'm using this doc:
https://github.com/cloudfoundry-incubator/bosh-azure-cpi-release/blob/master/docs/get-started/push-demo-app.md.
I can't pass the first step:
adminCF#cf-test:~$ cat ~/settings | grep cf-ip
"cf-ip": "104.40.216.252",
adminCF#cf-test:~$ cf login -a https://api.104.40.216.252.xip.io --skip-ssl-validation
API endpoint: https://api.104.40.216.252.xip.io
FAILED Error performing request: Get https://api.104.40.216.252.xip.io/v2/info: dial tcp
104.40.216.252:443: i/o timeout TIP: If you are behind a firewall and require an HTTP proxy, verify the https_proxy environment variable is correctly set. Else, check your network connection.
adminCF#cf-test:~$ cf login -a https://api.104.40.216.252.xip.io --skip-ssl-validation
-u admin -p ******
API endpoint: https://api.104.40.216.252.xip.io
FAILED Error performing request: Get https://api.104.40.216.252.xip.io/v2/info: dial tcp
104.40.216.252:443: i/o timeout TIP: If you are behind a firewall and require an HTTP proxy, verify the https_proxy environment variable is correctly set. Else, check your network connection.
adminCF#cf-test:~$

Domains with SSL on dokku

I have a NodeJS app on Ubuntu EC2 with dokku. My domain is pointing to the server with a wildcard, and I have a wildcard SSL certificate as well. Some time ago I added keys to dokku in app/tls/. Back then I had two apps online, production and staging. The last one created on dokku (created, deployed) was intercepting all requests to the host, so api.my.domain and api-stage.my.domain and blah and whatever. If I typed http:// then there was no redirect. The deadline was close, so I didn't fight with it anymore and just made production the one that intercepts everything. Today I had problems with deployment; I saw rejects over and over. I deleted some plugins, including the unused dokku-domains, restarted docker a few times and ran this command:
sudo wget -O /etc/init/docker.conf https://raw.github.com/dotcloud/docker/master/contrib/init/upstart/docker.conf
and there were no rejects anymore but... all requests to the host return 502 Bad Gateway, including those with the green padlock. I remember that previously, while an app was being deployed, there was some info about configuring SSL; now there is none. After deleting the app and creating it from scratch there is no nginx.conf file and SSL doesn't work at all.
