EtcherPro Error Opening Source

We are getting an SSL error even with our certs completely fine:

Something went wrong while opening https://etcher-source.int.gwa-hygiene.de/lln-latest.img

Error: certificate has expired

The nginx on the other side has the following logs for this occasion:

2022/11/21 14:20:22 [crit] 855711#855711: *23368 SSL_do_handshake() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while SSL handshaking, client: 172.16.0.246, server: 0.0.0.0:443
2022/11/21 14:20:23 [crit] 855711#855711: *23369 SSL_do_handshake() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while SSL handshaking, client: 172.16.0.246, server: 0.0.0.0:443
2022/11/21 14:20:31 [crit] 855711#855711: *23370 SSL_do_handshake() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while SSL handshaking, client: 172.16.0.246, server: 0.0.0.0:443
2022/11/21 14:20:31 [crit] 855711#855711: *23371 SSL_do_handshake() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while SSL handshaking, client: 172.16.0.246, server: 0.0.0.0:443

The Certificate is valid and works in a normal browser:

Really hoping for some quick help here…

Our Production Campaign relies on the ability to flash from URLs

@mpous do you have an idea of what's going on here?

Hi Markus
I’d like to ask you for some extra data because we can’t access that server - I’m assuming it’s on a local net. If you could try from any machine on the same network that can run openssl (Linux, macOS) the following command to debug the SSL handshake:
openssl s_client -showcerts -connect etcher-source.int.gwa-hygiene.de:443

Can you also try curl https://etcher-source.int.gwa-hygiene.de/lln-latest.img from another machine?

Also, which OS is the server running, and which version of nginx? There are some reports relating that error message to an outdated nginx version.

Ramiro


Hi @ramirogm
Here are some more details about the situation.

You are correct with your guess that you won't be able to reach this webserver because it is only reachable from within our LAN network.

Here is the openssl output:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = etcher-source.int.gwa-hygiene.de
verify return:1
---
Certificate chain
 0 s:CN = etcher-source.int.gwa-hygiene.de
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 19 15:24:25 2022 GMT; NotAfter: Feb 17 15:24:24 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = etcher-source.int.gwa-hygiene.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4610 bytes and written 414 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 554F9E4FEACE934BB7633C0271B98DEFC655DB56DD40B3635F50BEA47E2FA4D4
    Session-ID-ctx:
    Resumption PSK: 5765952ABA6880B44BA7ED7124CA5F91CA5D12BA7B879A1B082A117C612342B67F1CB7C50C3F021D209802474E4E4BB1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1669126429
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A3BAD4931BFA978128D3894BE7065840F660C28A8D56D0FD51C76218ABE56D12
    Session-ID-ctx:
    Resumption PSK: 753C6AC6565AB6DECFBB3968085230011DC738FF77CBBEA0330CF971F299C779FB384F65B4217AB1BE285803ED2D1DF2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1669126429
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
ok
HTTP/1.1 400 Bad Request
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 22 Nov 2022 14:13:50 GMT
Content-Type: text/html
Content-Length: 166
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
403759F2227F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:

system version:

root@balena-etcher-source:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04 LTS
Release:        22.04
Codename:       jammy

nginx version:

root@balena-etcher-source:~# nginx -v
nginx version: nginx/1.18.0 (Ubuntu)
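Added example, not part of the thread and not balena's code: a client-side "certificate has expired" can refer to any certificate on the path the client builds, so this Python code parses the "Certificate chain" listing from the s_client output above and checks each validity window, the issuer/subject linkage, and which root the client has to supply from its own trust store. The function names are hypothetical; the chain lines are copied from the post.

```python
import re
from datetime import datetime, timezone

# Chain summary lines copied from the s_client output posted above (PEM bodies left out).
CHAIN_TEXT = """\
 0 s:CN = etcher-source.int.gwa-hygiene.de
   i:C = US, O = Let's Encrypt, CN = R3
   v:NotBefore: Nov 19 15:24:25 2022 GMT; NotAfter: Feb 17 15:24:24 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
"""

# Matches one "N s: / i: / [a:] / v:" entry in the listing format shown in the post.
ENTRY = re.compile(
    r"^\s*(\d+) s:(.+)\n\s+i:(.+)\n(?:\s+a:.*\n)?\s+v:NotBefore: (.+?); NotAfter: (.+)$",
    re.MULTILINE)

def _ts(text):
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_chain(text):
    """Return one dict per certificate in the 'Certificate chain' listing."""
    return [{"depth": int(d), "subject": s.strip(), "issuer": i.strip(),
             "not_before": _ts(nb), "not_after": _ts(na)}
            for d, s, i, nb, na in ENTRY.findall(text)]

def audit_chain(chain, at):
    """Check validity windows and issuer/subject linkage at time `at` (UTC)."""
    report = {"problems": [], "anchor": None, "days_left": None}
    for pos, cert in enumerate(chain):
        if at < cert["not_before"]:
            report["problems"].append(f"depth {cert['depth']}: not yet valid")
        elif at > cert["not_after"]:
            report["problems"].append(f"depth {cert['depth']}: expired {cert['not_after']:%Y-%m-%d}")
        nxt = chain[pos + 1] if pos + 1 < len(chain) else None
        if nxt and cert["issuer"] != nxt["subject"]:
            report["problems"].append(f"depth {cert['depth']}: issuer is not the next certificate")
    if chain:
        report["days_left"] = min((c["not_after"] - at).days for c in chain)
        top = chain[-1]
        # The issuer of the last certificate sent is not part of the handshake: the
        # client looks it up in its own trust store and judges its validity there.
        if top["issuer"] != top["subject"]:
            report["anchor"] = top["issuer"]
    return report
```

An empty `problems` list only says the certificates the server sent are in date and linked; the `anchor` entry names the root whose copy in the client's trust store still has to be checked on the device that reports the error.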

With the latest deployed version, after the posting EtcherPro progress updates - #81 by konmouz, this issue no longer occurs.