SSL_ERROR_SYSCALL

Fly.io team, can you please help me troubleshoot here? I keep having cert issues here, but I'm not exactly sure why. Here’s a sequence of what’s happening:

~/IdeaProjects/azezment-feature-branch 19:17 (azezment-feature-branch) % curl "https://azezment.com"
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to azezment.com:443
~/IdeaProjects/azezment-feature-branch 19:18 (azezment-feature-branch) % fly certs check '*.azezment.com'

Status                    = Ready
Hostname                  = *.azezment.com
DNS Provider              = enom
Certificate Authority     = Let’s Encrypt
Issued                    = rsa,ecdsa
Added to App              = 22 hours ago
Expires                   = 2 months from now
Source                    = fly

✓ Your certificate has been issued!
Your DNS is correctly configured and this certificate will auto-renew before expiration.
~/IdeaProjects/azezment-feature-branch 19:19 (azezment-feature-branch) % curl "https://azezment.com"
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to azezment.com:443
~/IdeaProjects/azezment-feature-branch 19:19 (azezment-feature-branch) % fly certs delete '*.azezment.com' -a azezment
? Remove certificate *.azezment.com from app azezment? Yes
Certificate *.azezment.com deleted from app azezment
~/IdeaProjects/azezment-feature-branch 19:20 (azezment-feature-branch) % fly certs add '*.azezment.com' -a azezment

You are creating a certificate for *.azezment.com
We are using Let’s Encrypt for this certificate.

You can direct traffic to your Fly application by adding records to your DNS provider.

Choose your DNS setup:

A and AAAA records (recommended for direct connections)

A    * → 66.241.125.91
AAAA * → 2a09:8280:1::b7:abf7:0

CNAME record

CNAME * → kn65kld.azezment.fly.dev

Required: DNS Challenge

CNAME _acme-challenge.azezment.com → azezment.com.kn65kld.flydns.net

Additional to one of the DNS setups.
Required for this wildcard certificate.

Once your DNS is configured correctly, we will automatically provision your certificate.
Run fly certs check *.azezment.com to check the progress.
~/IdeaProjects/azezment-feature-branch 19:20 (azezment-feature-branch) % curl "https://azezment.com"
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to azezment.com:443
~/IdeaProjects/azezment-feature-branch 19:22 (azezment-feature-branch) % fly certs check '*.azezment.com'

Status                    = Ready
Hostname                  = *.azezment.com
DNS Provider              = enom
Certificate Authority     = Let’s Encrypt
Issued                    = rsa,ecdsa
Added to App              = 1 minute ago
Expires                   = 2 months from now
Source                    = fly

✓ Your certificate has been issued!
Your DNS is correctly configured and this certificate will auto-renew before expiration.
~/IdeaProjects/azezment-feature-branch 19:22 (azezment-feature-branch) % curl "https://azezment.com"
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to azezment.com:443
~/IdeaProjects/azezment-feature-branch 19:23 (azezment-feature-branch) % curl "https://azezment.com"
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to azezment.com:443
~/IdeaProjects/azezment-feature-branch 19:25 (azezment-feature-branch) %

I did this exact set of commands 22 hours ago to fix the same certs problem, but it keeps coming back.
After waiting some time, it now works again.

~/IdeaProjects/azezment-feature-branch 19:53 (azezment-feature-branch) % curl "https://azezment.com" -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to azezment.com:443

Any idea why this is happening with the certs here? I’ve done other certs in another domain in fly.io, but this one is giving me a hard time :downcast_face_with_sweat:. Any help, much appreciated.
Thanks in advance.

Do you happen to also have a cert for azezment.com (without the wildcard) configured? If so, this might be caused by that, since both the wildcard and the non-wildcard try to serve the same domain (if you look at the cert generated for the wildcard domain, it includes a subject alternative name that says azezment.com). Removing the non-wildcard would likely help.

Oh, I just realized you also have a cert for *.azezment.com configured for app azezment-www, another app of yours. Unfortunately, that is also not a supported configuration and that is probably also confusing our edge proxy :smiley: We’ll look into ways to prevent this in the future, but if you can remove the domain from there, it should fix your issue at hand.

Thanks Pete,

That explains a lot!!
I recently moved from ewr to lad region and simplified the name by dropping the “-www” from the app name. Unfortunately, I missed cleaning up the old certs, so I made a mess by leaving old certs behind and I take responsibility for my sloppiness :face_with_peeking_eye:.
Made the changes, and will monitor closely now. For the record, here’s my before and after state.

BEFORE:
Host Name Added Status
*.azezment.com 4 months ago Awaiting configuration
azezment.com 1 month ago Ready
www.azezment.com 1 month ago Ready
~ 08:58 % fly certs list -a azezment
Host Name Added Status
*.azezment.com 13 hours ago Ready

AFTER:

~ 09:02 % fly certs list -a azezment-www
Host Name Added Status
~ 09:03 % fly certs list -a azezment
Host Name Added Status
*.azezment.com 13 hours ago Ready
~ 09:03 %

That said, is it possible to build a warning in Fly that could have alerted me of the multiple certs existing for the same domain?
Thanks again.
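
A local check for the overlap discussed in this thread, as an added example that is not part of the original posts and not a Fly.io feature: it reads listings in the "Host Name / Added / Status" layout quoted above and reports every name claimed by more than one certificate, within one app or across apps. The sample data is constructed from the BEFORE/AFTER state; assigning the first BEFORE listing to azezment-www and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample input, modelled on the listings quoted in this thread.
BEFORE = {
    "azezment-www": """Host Name Added Status
*.azezment.com 4 months ago Awaiting configuration
azezment.com 1 month ago Ready
www.azezment.com 1 month ago Ready""",
    "azezment": """Host Name Added Status
*.azezment.com 13 hours ago Ready""",
}
AFTER = {"azezment-www": "Host Name Added Status", "azezment": BEFORE["azezment"]}

def parse_cert_list(text):
    """Hostnames (first column) from one listing, header line skipped."""
    rows = (ln.split() for ln in text.splitlines())
    return [r[0].lower().rstrip(".") for r in rows
            if r and r[:2] != ["Host", "Name"]]

def covered_names(host):
    # Assumption from the reply above: a wildcard cert also lists the bare
    # domain as a subject alternative name.
    return {host, host[2:]} if host.startswith("*.") else {host}

def wildcard_matches(wild, host):
    """True if '*.example.com' matches host; a wildcard spans one label only."""
    base = wild[2:]
    return (not host.startswith("*.") and host.endswith("." + base)
            and host.count(".") == base.count(".") + 1)

def find_conflicts(listings):
    """listings: {app: listing text} -> sorted [(name, (app, cert), (app, cert))]."""
    claims, certs, found = defaultdict(list), [], set()
    for app, text in listings.items():
        for host in parse_cert_list(text):
            certs.append((app, host))
            for name in covered_names(host):
                claims[name].append((app, host))
    for name, owners in claims.items():          # same name claimed twice
        for i, a in enumerate(owners):
            for b in owners[i + 1:]:
                found.add((name, *sorted([a, b])))
    for wa, wild in certs:                       # wildcard shadows a specific host
        if wild.startswith("*."):
            for ha, host in certs:
                if wildcard_matches(wild, host):
                    found.add((host, *sorted([(wa, wild), (ha, host)])))
    return sorted(found)
```

`find_conflicts(BEFORE)` returns six overlaps, including the wildcard held by both apps; `find_conflicts(AFTER)` returns an empty list.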