jech / galene

The Galène videoconference server

Home Page: https://galene.org


TLS handshake error from IP:PORT remote error: tls: bad certificate

ZelphirKaltstahl opened this issue · comments

I built galene inside a docker container, using the build commands mentioned in the installation guide at https://github.com/jech/galene/blob/master/INSTALL#L5. I am starting the container like this:

docker run --detach --name galene --volume example-groups.json:/opt/galene/groups/test.json --publish 8443:8443 --publish 1194:1194 zelphir/galene:latest

I have an entrypoint looking like this:

#!/bin/bash

set -Eeuxo pipefail

printf "%s\n" "starting galene"
printf "app directory: %s\n" "${APP_DIR}"
ls -al

# Quote "$@" so arguments containing spaces are passed through intact
exec ./galene "$@"

The installation guide at https://github.com/jech/galene/blob/master/INSTALL#L47 says I should be able to connect to galene, but what actually happens is this:

+ printf '%s\n' 'starting galene'
+ printf 'app directory: %s\n' /opt/galene
+ ls -al
starting galene
app directory: /opt/galene
total 9852
drwxr-xr-x 1 root root       50 Jul  3 23:55 .
drwxr-xr-x 1 root root       12 Jul  3 23:26 ..
-rwxrwxr-x 1 root root      486 Jul  3 23:47 entrypoint.sh
-rwxr-xr-x 1 root root 10080408 Jul  3 23:03 galene
drwxr-xr-x 1 root root       18 Jul  3 23:55 groups
+ exec ./galene
2024/07/03 23:55:02 TURN: no public addresses
2024/07/03 23:55:22 Relay test failed: timeout
2024/07/03 23:55:22 Perhaps you didn't configure a TURN server?

The built galene binary is in that directory and galene seems to run, but I cannot simply visit it in the browser at https://localhost:8443. I do see the expected untrusted certificate warning of my browser. However, when I add an exception, I get to a page that says:

Not found

While I see the following in the logs:

2024/07/03 23:59:48 http: TLS handshake error from 172.17.0.1:36444: remote error: tls: bad certificate

On https://galene.org/INSTALL.html it says:

If you don’t have a TLS certificate, Galène will generate a self-signed certificate automatically (and print a warning to the logs). If you have a certificate, install it in the files data/cert.pem and data/key.pem:

But this seems to be wrong. The TLS certificate generated cannot be used, because it is somehow "bad". Or is galene simply refusing to serve when using a self-signed cert? But then why generate one at all?

Not found

Have you copied the static directory into the container's filesystem?

2024/07/03 23:59:48 http: TLS handshake error from 172.17.0.1:36444: remote error: tls: bad certificate

Please ignore this, it's just a warning that indicates that the browser rejected the certificate. Unfortunately, it cannot be easily suppressed, since it's generated by Go's HTTP code.

Closing. Please reopen if including the static directory doesn't fix your issue.
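The explanation above, that the handshake error is logged by the server when the client rejects the certificate, can be reproduced with a short Go program. This is an added example, not code from Galène or from the thread; `probe` and `logLines` are hypothetical names, and it uses the untrusted test certificate built into Go's `httptest` package rather than Galène's generated one.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// logLines receives each line the HTTP server writes to its ErrorLog.
type logLines chan string

func (c logLines) Write(p []byte) (int, error) {
	c <- string(p)
	return len(p), nil
}

// probe (hypothetical helper) serves HTTPS with httptest's untrusted test
// certificate, makes one request, and returns the first server log line.
// skipVerify=true models a browser with a certificate exception added.
func probe(skipVerify bool) (serverLog string, clientErr error) {
	lines := make(logLines, 16)
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.Config.ErrorLog = log.New(lines, "", 0)
	srv.StartTLS()
	defer srv.Close()
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	wait := 2 * time.Second // the server logs from its own goroutine
	if err == nil {
		resp.Body.Close()
		wait = 200 * time.Millisecond // nothing is expected in the log
	}
	select {
	case line := <-lines:
		return line, err
	case <-time.After(wait):
		return "", err
	}
}

func main() {
	for _, skip := range []bool{false, true} {
		line, err := probe(skip)
		fmt.Printf("skipVerify=%v\n  client error: %v\n  server log:   %q\n", skip, err, line)
	}
}
```

The first run shows the server-side log line caused by the client's rejection; the second shows that once the client accepts the certificate, the handshake succeeds and nothing is logged, even though the handler still answers 404.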

Saw your response. Thanks for your suggestion! Need more time to test things. Will post here, if I figure something out.

The 404 disappears, when I have the static directory. Thanks!