This repository has been archived by the owner on Mar 28, 2023. It is now read-only.

Can't get SSL to work: http: TLS handshake error from 127.0.0.1:4001: EOF #1307

Closed
agd-media opened this issue Nov 26, 2018 · 10 comments

Comments

@agd-media

Trying for a week or so...

2018/11/26 12:49:12 http: TLS handshake error from 127.0.0.1:4001: EOF
2018/11/26 12:49:12 http: TLS handshake error from [::1]:4001: EOF

I tried everything I found (incl. docs and the topic #829).
As soon as the server starts, the above message shows up. Tried with Ubuntu and Debian.

@agd-media
Author

Forgot to mention that I can log in when I disable SSL in both server and client.
iptables has port 4002 open and I have tried all available versions of how to create the SSL keys etc.

@placer14
Member

@agd-media Thanks for the report. We'll get to this as soon as we can. Please let us know if you discover a fix.

@allen-munsch
Contributor

allen-munsch commented Dec 1, 2018

@agd-media apologies for the delayed response. Can I get a bit more information about the environment that you are trying to run in?

lsb_release -a
dpkg -s openssl python golang docker | grep 'Version\|Package'

Also what do your configuration files look like?

From what I understand, port 4001 is being used as the port for the ipfs swarm, don't quote me on that, this is just based on a quick look at the source.

If possible I'd like to assist in tracking down why it's throwing the ssl error, and see if it can be put under test #1241

@agd-media
Author

agd-media commented Dec 1, 2018

> @agd-media apologies for the delayed response. Can I get a bit more information about the environment that you are trying to run in?
>
> lsb_release -a
> dpkg -s openssl python golang docker | grep 'Version\|Package'
>
> Also what do your configuration files look like?

Package: openssl
Version: 1.1.0f-3+deb9u2

The VPS is running Debian 9. On my last try I used the precompiled binaries, but before that, I had installed go from source, which brought me to the same error in the end.
Edit: The same happened on Ubuntu

Everything I changed in config was the following:

"Gateway": "/ip4/0.0.0.0/tcp/4002", (I have tried the server ip before, but the error persisted)
....

"JSON-API": {
"AllowedIPs": [], (also tried 0.0.0.0 or the client ip - no success)
"Authenticated": true,
"CORS": null,
"Enabled": true,
"HTTPHeaders": null,
"Password": "HashedPassword generated by setapicreds"
"SSL": true,
"SSLCert": "/home/openbazaar/.openbazaar2.0/server.crt",
"SSLKey": "/home/openbazaar/.openbazaar2.0/server.key",
"Username": "XXXXXX"

@allen-munsch
Contributor

@agd-media I'll try to reproduce this in a virtualbox setup. I'll get back to you on what I find out.

@agd-media
Author

> @agd-media I'll try to reproduce this in a virtualbox setup. I'll get back to you on what I find out.

Thanks a lot! Btw, the error shows shortly after starting the server. It takes a few seconds or sometimes even longer. I don't need to try to connect with a client, which doesn't work anyway (only works when SSL is disabled).

@allen-munsch
Contributor

@agd-media do you see something similar to this in your ~/.openbazaar2.0/logs/ipfs.log ?

I wonder if this might be related? I also saw http: TLS handshake error from 127.0.0.1:4001: EOF in the server output, I'm wondering if this is expected behaviour, as there are plenty of other connections on 4001, that appear to work.

Using Debian stretch.

ipfs.log:

{"id":11801,"level":4,"message":"got error on dial to /ip4/169.254.27.234/tcp/4001: \u003cpeer.ID NzhiRV\u003e --\u003e \u003cpeer.ID fSqQvA\u003e dial attempt failed: dial tcp4 0.0.0.0:0-\u003e169.254.27.234:4001: connect: no route to host","module":"swarm2","time":"2018-12-02T19:46:54.861332682Z"}

@agd-media
Author

agd-media commented Dec 3, 2018

@allen-munsch
Yes. I find similar entries in ipfs.log (dial attempt failed: dial tcp4), but not the TLS handshake errors.
If this is expected behaviour, I can probably ignore it, but still the client won't connect with SSL. If I disable SSL only in the client, an expected error message shows up at the server (blahblah this doesn't look like SSL)
Probably the error message and the problem to connect with a client (Win10) are not related. I will try a Linux client to see if it connects with SSL at least. Then I could simply ignore that message. (Silly that I didn't try it already)

@puxos

puxos commented Oct 5, 2019

@agd-media Hi, this may be a bit late but it should be a solution for you.

  • Assume that you are going to connect to localhost (127.0.0.1) for development or testing.
  • SSL for localhost is a bit tricky when compared to the regular one; 127.0.0.1 is not recommended, and using the hostname 'localhost' is much better.

Please refer to the following procedure to set up SSL for a localhost server/client connection.

  1. Create a self-signed certificate with the following one-line command:

         openssl req -x509 -out localhost.crt -keyout localhost.key \
           -newkey rsa:2048 -nodes -sha256 \
           -subj '/CN=localhost' -extensions EXT -config <( \
            printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

     Two files will be generated: localhost.crt and localhost.key.

  2. Edit the openbazaar-go server config file:

         "JSON-API": {
           ......
           ......
           "SSL": true,
           "SSLCert": "/absolute/path/to/localhost.crt",
           "SSLKey": "/absolute/path/to/localhost.key",
         }

  3. Import the localhost.crt cert to your computer, and set it to always trust.
  4. Start your server and then start your client.
  5. Create a server connection in the client's config, and use localhost in the IP field rather than 127.0.0.1.

Enjoy~

@placer14
Member

placer14 commented Oct 8, 2019

Thank you for following up on this, @puxos. You might have noticed that the openbazaar-go daemon has a gencerts command which produces cert.pem and key.pem which are X509 keypairs. Would you mind checking if these artifacts would also work with your provided instructions and perhaps submit a pull request updating the docs/ssl.md document with your findings if necessary?

@placer14 closed this as completed Oct 8, 2019