HTTP error: Receiving data -- Resource temporarily unavailable for TLS connection
failed protocol test [HTTP] at [myserver.com]:4048/containers/mycontainer/json [TCP/IP TLS] -- HTTP error: Receiving data -- Resource temporarily unavailable
Hi, I spent a couple of days trying to figure this out but have had no luck yet with the above error when connecting to a remote Docker Engine API. The certificate and connection work with a curl command right from the same machine monit is running on, but not from monit itself. It works without TLS enabled, but I definitely need it to work over TLS.
Also, on the host server I get this when it tries to connect:
http: TLS handshake error from xx.xx.xx.xx:45870: tls: first record does not look like a TLS handshake
Here is what my rule config looks like:
    if failed
        port 4048
        protocol https
        request /containers/mycontainer/json
        with tls options {
            verify: enable
            selfsigned: ALLOW
            pemfile: /monit/monit-5.25.2/certs/svcnode02/key.pem
            clientpemfile: /monit/monit-5.25.2/certs/svcnode02/cert.pem
            cacertificatefile: /monit/monit-5.25.2/certs/svcnode02/ca.pem
        }
        and content = "running"
Comments (11)
-
repo owner Hello, it seems the connection timed out during the TLS handshake.
You're using the client certificate ... does the server support client certificate authentication?
Please can you test the following configuration?:
if failed port 4048 protocol https request /containers/mycontainer/json and content = "running" then alert
-
reporter That'd have failed for sure, as it just did with the following error. Yes, I want client auth with the certificate, and it works when tested with curl, like I said, passing those certs and key. Without that cert the server would reject anyway. There is not a complete example anywhere I could find passing all TLS settings with file paths in the local connection option. This is not in the monitrc file btw, it is in one of the custom configuration files. I didn't change anything in the monitrc file, not sure if I have to?
SSL: write error -- error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure
Socket test failed for [xx,xx.xx.xx]:4048 -- HTTP: error sending data -- Success
'contest-mycontainer' failed protocol test [HTTP] at [xx.xx.xx.xx]:4048/containers/mycontainer/json [TCP/IP TLS] -- HTTP: error sending data -- Success
Sending Connection failed notification to admin@dittrex.com
-
reporter One other thing I also tried: putting a wrong path to the cert files. It still fails with the same error. It seems to me monit doesn't care about the cert files; I would expect it to give some error like file not found or something. I also tried with verify: disable but no luck.
pemfile: /monit/monit-5.25.2/certs/svcnode02/key_wrong.pem
clientpemfile: /monit/monit-5.25.2/certs/svcnode02/cert_wrong.pem
-
repo owner Please can you provide testing/sandbox access and a testing client certificate so we can try to reproduce?
-
reporter That'd be a security issue. Also, I don't have the opportunity to simulate a full sandbox for it ATM. All I need is a working example of a monit rule that uses a client cert to make the connection.
-
repo owner I'll try to reproduce the problem. Please can you provide more details about the setup so I can get as close to your configuration as possible?
1.) Which webserver is it?
2.) Which SSL library does it use?
3.) Please provide a snippet of your webserver configuration for client certificate authentication (you can obfuscate data which you don't want to show).
4.) Do you use self-signed certificates? (based on the monit config option you used)
-
reporter It's the Docker Engine API. Both client and server are running on the same Ubuntu 16.04. I don't know what SSL lib it uses, because it's not failing because of a library issue; it looks like monit totally ignores all TLS-related params. I can't share my server URL here, it's very secure stuff. That's one of the reasons I'm trying to make it TLS secure, so only a client with the right self-signed certificate can connect, because like I mentioned earlier monit connects without TLS. I also think it's not appropriate to share my server URL info on a public forum like this. All I need is a working example of a TLS-verified monit connection with a certificate, not just simple SSL.
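
A pre-flight check for the three PEM files the rule in this report points at, added here as an example; it is not part of the original thread and is not monit's own code. It confirms that each file is readable, that the certificate belongs to the private key, and that the certificate verifies against the CA for TLS client use. The function name `check_client_cert` is hypothetical, the key is assumed to be unencrypted, and only standard `openssl` subcommands are used.

```shell
# Added example (not from the thread): validate key/cert/CA files before
# referencing them in a TLS rule.
# Usage: check_client_cert key.pem cert.pem ca.pem
# Returns 0 only if every check passes; prints one line per finding.
check_client_cert() {
    key=$1 cert=$2 ca=$3 rc=0

    # 1. A mistyped path should be reported explicitly.
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "MISSING   $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. The certificate must carry the public half of the private key.
    #    Assumption: the key is not passphrase-protected.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH  $cert does not belong to $key"; rc=1
    fi

    # 3. The certificate must chain to the CA, be within its validity period,
    #    and be usable for TLS client authentication.
    openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "UNTRUSTED $cert does not verify against $ca as a client cert"; rc=1; }

    [ "$rc" -ne 0 ] || echo "OK        key, certificate and CA are consistent"
    return "$rc"
}
```
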