TLS handshake failing on Fly.io app?

Hi, I have a Fly.io app hosted at https://registry.brioche.dev. I haven’t done a deployment or otherwise touched the config in months, and the app has been happily humming along… except I just tried to access it and I’m getting weird TLS errors when trying to reach it:

$ curl -v 'https://registry.brioche.dev/v0/healthcheck'
*   Trying 66.241.125.71:443...
* Connected to registry.brioche.dev (66.241.125.71) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to registry.brioche.dev:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to registry.brioche.dev:443

I’m not completely sure it’s relevant but this is the last log line I see when I run fly logs:

error.message="client problem: invalid authority" 2024-09-17T22:03:58Z proxy lhr [error]request.method="GET" request.url="/" request.id="01J810724QH53JNDKRJJ0YEP00-lhr" response.status=400

The app uses the Fly HTTP Proxy machinery, and a Fly.io-managed certificate, so this seems like an issue outside my application. I just checked the status page, and am not seeing anything reported at the time of writing. Oh, and this application is open source, so if there’s anything relevant from my fly.toml that I didn’t mention, anyone is free to see the config here: brioche-registry/fly.toml at 81426fdffc05ef60b4893a53869597c3f77c4819 · brioche-dev/brioche-registry · GitHub

You said months, could it be your certs expiring? Mine expired last week because it didn’t auto renew

Ah, yep, that appeared to be it! (I tried checking certs via the dashboard before posting, but the page timed out… it finally loaded for me this time)

Certificates expired on 2024-09-17, and same thing: they didn’t auto-renew even though my DNS is configured with a CNAME record and the docs say that should be enough for auto-renewal.

Anyway, running fly certs remove <domain> and fly certs add <domain> seemed to kick it into gear
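An expiry check that would have flagged this before clients started failing, as an added example that is not part of the thread. It reports the days remaining on the served certificate and treats a handshake that dies before any certificate arrives (the SSL_ERROR_SYSCALL case in the curl output above) as its own failure state. The 14-day threshold and the function names are assumptions.

```python
import socket
import ssl
import sys
import time

WARN_DAYS = 14  # assumed alert threshold, not a value from the thread


def days_left(not_after, now=None):
    """Days until notAfter, given the string format getpeercert() returns."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map a notAfter value to 'expired', 'expiring' or 'ok'."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    return "expiring" if remaining < warn_days else "ok"


def probe(host, port=443, timeout=10):
    """Handshake with host and return (status, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # A certificate was served but rejected (expired, wrong name, ...).
        return "invalid", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Connection dropped before any certificate arrived, which is what
        # curl reported as SSL_ERROR_SYSCALL after the Client hello.
        return "handshake-failed", str(exc)
    return classify(not_after), not_after


if __name__ == "__main__":
    results = [(h, *probe(h)) for h in sys.argv[1:]]
    for host, status, detail in results:
        print(f"{host}: {status} ({detail})")
    # Non-zero exit lets cron or CI alert on anything that is not 'ok'.
    sys.exit(int(any(status != "ok" for _, status, _ in results)))
```

Run it on a schedule with the hostnames as arguments; any status other than `ok` is worth an alert even when the provider is expected to renew automatically.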
