SSL error on default fly domain for app

We have a fly app that we have been using for a number of months without issue; however, yesterday when I tried to make some requests from my local machine I started getting SSL errors.
I am using an Ubuntu 24.04.1 WSL env, so I tried doing the same curl from PowerShell and that initially worked, but I just tried to reproduce it and now I get an error.

The app is a backend with a corresponding frontend, and when I navigate to the frontend it seems to intermittently fail all calls to the backend, and then occasionally successfully make the calls.

We have another app which is almost identical (prod vs staging), and I can send requests to that app without errors.
This also seems to only be affecting some of the members in my team, with others having no issue connecting to the apps. This is affecting users on Mac and Windows/WSL.

Does anyone have any ideas what is causing this? From what I have seen in other threads, this type of error has occurred when people have registered their own certs in order to use a custom domain name, but I haven’t seen anything for people getting this issue with the default fly app.

Here is the output from various commands, let me know if there are any others that would be helpful!

From postman:
Error: Client network socket disconnected before secure TLS connection was established

curl -v https://<app>.fly.dev:

* Host <app>.fly.dev:443 was resolved.
* IPv6: <ipv6>
* IPv4: <ipv4>
*   Trying <ipv4>:443...
* Connected to <app>.fly.dev (<ipv4>) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <app>.fly.dev:443 
* Closing connection
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <app>.fly.dev:443 

openssl s_client -connect <app>:443

CONNECTED(00000003)
40F7FD67897F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:322:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 331 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

could you post your fly.toml?

are there any errors in logs from event.provider:'proxy'?

Hi Lillian,

Thanks for getting back to us so quickly. Here’s our fly.toml

app = '[app-name]'
primary_region = 'lhr'

[build]
  dockerfile = 'Dockerfile'

[http_service]
  internal_port = 50505
  force_https = true
  auto_stop_machines = 'off'
  auto_start_machines = true
  min_machines_running = 0
  processes = ['app']

[[vm]]
  memory = '2gb'
  cpu_kind = 'shared'
  cpus = 2

I’ve searched the logs and we aren’t getting anything for event.provider:'proxy' (or just for 'proxy', apart from info logs which say INFO [fly api proxy] listening at /.fly/api)

After contacting support, it turns out that the certificate seemed to be completely missing. We were asked to reassign the IPs, but this didn’t solve it either. In the end the support agent did something on their side which has now fixed the issue. 🙂

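A per-address handshake probe for the symptom in this thread (TCP connects, then the peer closes after the ClientHello with 0 bytes read), added here as an example and not code from any poster or from Fly.io. The names `probe`, `probe_all`, `demo_closing_server` and the host `app.example.invalid` are hypothetical, and the local listener is a constructed stand-in for an endpoint that has no certificate to serve.

```python
import socket, ssl, threading

def probe(host, addr, port=443, timeout=5.0):
    """One TLS handshake against a single address, with `host` sent as SNI."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    raw = socket.socket(family, socket.SOCK_STREAM)
    raw.settimeout(timeout)
    try:
        raw.connect((addr, port))
    except OSError as e:
        raw.close()
        return ("tcp_failed", str(e))
    try:
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", f"{tls.version()}, notAfter={tls.getpeercert()['notAfter']}")
    except ssl.SSLCertVerificationError as e:
        # A certificate was served but failed validation: a different problem.
        return ("cert_rejected", e.verify_message)
    except ssl.SSLError as e:
        if isinstance(e, ssl.SSLEOFError) or "EOF" in str(e).upper():
            # Peer hung up before sending a ServerHello: the symptom in this thread.
            return ("closed_before_server_hello", str(e))
        return ("tls_error", str(e))
    except OSError as e:  # connection reset or timeout during the handshake
        closed = isinstance(e, ConnectionError)
        return ("closed_before_server_hello" if closed else "io_error", str(e))

def probe_all(host, port=443):
    """Probe every A/AAAA address separately so one bad address is not masked."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    return {addr: probe(host, addr, port) for addr in addrs}

def demo_closing_server():
    """Constructed stand-in: a local listener that reads the ClientHello and hangs up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(65535)
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    try:
        return probe("app.example.invalid", "127.0.0.1", srv.getsockname()[1])
    finally:
        srv.close()
```

Running `probe_all` against the real hostname from an affected and an unaffected machine shows whether the failure follows a particular IPv4 or IPv6 address rather than a particular client.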
