tls: handshake failure #1
I've seen this error myself recently. The issue was that when LE's authenticator connected to the ASA to validate the challenge certificate, it wasn't able to establish a TLS session with the ASA. I didn't figure out what was wrong, but suspect it's an SSL cipher support issue on the ASA. At the time I had the problem, the same LE authenticator (same IP address, anyway) was able to talk fine with one of my ASAs, but not with the other. There was no time to debug the problem at that time, so I didn't pursue it further. What version of software is running on the ASA? I'll see if I can replicate the problem.
Hi Chris,
I am running the latest available ASA-OS, 9.8(1) (I need at least 9.7.1 as there is a VTI interface configured).
I am quite skilled in ASA so I can try to debug the SSL connection on the ASA side – that does not apply to my skills in Linux :-o
Regards
Pavel
(In reply to Chris Marget's comment above, sent Friday, June 30, 2017 5:14 PM.)
So, if the failure is happening where I think it's happening... If you run 'show run | inc trustpoint|trust-point' repeatedly on the ASA while the plugin is operating, you should see a temporary trustpoint and SNI configuration appear briefly. Once those are installed, we're just waiting for the LE authenticator to come look at them. At this point, you should be able to see the TLS failure if you're watching packets (fairly easy to spot), or with the right debug incantation on the ASA (I'm not sure what that might be). I'll fire up an ASA in the lab.
Hi,
You are right – I can see the temporary acme challenge trustpoint for a while.
---
fw# sh runn | in acme
crypto ca trustpoint acme_challenge_0ce0e19e6b60fd64350fbc9277aad043
keypair acme_challenge_0ce0e19e6b60fd64350fbc9277aad043
crypto ca certificate chain acme_challenge_0ce0e19e6b60fd64350fbc9277aad043
ssl trust-point acme_challenge_0ce0e19e6b60fd64350fbc9277aad043 domain 85bd3442b8ece3d01183ae375610bea5.6b7ac57b435eac0a38c306f42d8b61bd.acme.invalid
----
I tried to set ssl debug – I can see the error
---
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher@s3_srvr.c:2053
---
at the time the server should check the certificate.
I hope this can help
Regards
Pavel
(In reply to Chris Marget's comment above, sent Friday, June 30, 2017 5:54 PM.)
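What the validator actually looks for behind that temporary SNI configuration can be checked offline. The Python below is an added example, not code from the certbot-asa plugin or from this thread: it derives the tls-sni-01 validation name the way draft-ietf-acme-acme-01 specifies it (lowercase hex SHA-256 of the key authorization, split into two 32-character labels under .acme.invalid, which is exactly the shape of the name in the `ssl trust-point ... domain` line above) and checks whether the running config has a trustpoint bound to that exact name. The key authorization, the `EXAMPLE_TrustPoint0` interface line and the `acme_challenge_test` name are constructed values; the acme_challenge_* trustpoint and its domain are the ones posted.

```python
import hashlib
import re

# Constructed ASA config excerpt, modelled on the "sh runn | in acme" output
# posted in the thread. The interface-bound trustpoint line is invented to show
# that only the "domain" form carries an SNI filter.
ASA_CONFIG = """\
crypto ca trustpoint acme_challenge_0ce0e19e6b60fd64350fbc9277aad043
 keypair acme_challenge_0ce0e19e6b60fd64350fbc9277aad043
crypto ca certificate chain acme_challenge_0ce0e19e6b60fd64350fbc9277aad043
ssl trust-point EXAMPLE_TrustPoint0 outside
ssl trust-point acme_challenge_0ce0e19e6b60fd64350fbc9277aad043 domain 85bd3442b8ece3d01183ae375610bea5.6b7ac57b435eac0a38c306f42d8b61bd.acme.invalid
"""

SNI_TRUSTPOINT = re.compile(r"^ssl trust-point (\S+) domain (\S+)\s*$", re.MULTILINE)


def expected_sni_name(key_authorization: str) -> str:
    """tls-sni-01 (draft-ietf-acme-acme-01): Z is the lowercase hex SHA-256 of
    the key authorization; the validator connects with SNI
    Z[0:32].Z[32:64].acme.invalid and expects a certificate carrying that
    dNSName."""
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


def sni_trustpoints(config: str) -> dict:
    """Map every SNI domain filter in the running config to the trustpoint
    that serves it."""
    return {domain.lower(): tp for tp, domain in SNI_TRUSTPOINT.findall(config)}


def trustpoint_for_sni(config: str, sni: str):
    """Trustpoint the ASA would use for a ClientHello carrying this SNI, or
    None if only the interface default applies."""
    return sni_trustpoints(config).get(sni.lower())


def check_challenge_binding(config: str, key_authorization: str) -> tuple:
    """Verify that the config serves a trustpoint under exactly the name the
    validator will ask for. Returns (ok, detail)."""
    name = expected_sni_name(key_authorization)
    tp = trustpoint_for_sni(config, name)
    if tp is None:
        return False, f"no 'ssl trust-point ... domain {name}' line installed"
    return True, f"{name} -> {tp}"


if __name__ == "__main__":
    # Constructed key authorization; a real one is <token>.<account key thumbprint>.
    print(check_challenge_binding(ASA_CONFIG, "constructed-token.constructed-thumbprint"))
```

Run against a copy of the running config captured while the plugin is mid-challenge; if the derived name is absent, the validator's ClientHello falls through to the interface default trustpoint and the challenge cannot pass regardless of cipher settings.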
Hi,
I found it will probably be a problem in the cipher set - the error message "no shared cipher" should mean there is no supported encryption cipher on the ASA - I tried to allow all kinds of ciphers on the ASA but it ends with the same error.
Regards
Pavel
(In reply to Pavel's own message of Friday, June 30, 2017 7:21 PM and Chris Marget's of 5:54 PM, both above.)
And one more piece of probably useful info - these are the sets supported by default on the ASA:
---
fw# sh ssl ciphers
Current cipher configuration:
default (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
dtlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
---
Regards
Pavel
(In reply to Pavel's own messages of Friday, June 30, 2017 7:36 PM and 7:21 PM and Chris Marget's of 5:54 PM, all above.)
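The cipher list above can be reasoned about offline. The Python below is an added example (it is not part of certbot-asa or of this thread): it parses the `sh ssl ciphers` output, intersects a ClientHello's offered suites with the suites enabled for one protocol version, and also applies the condition that makes OpenSSL's ssl3_get_client_hello report "no shared cipher" even when names overlap: the server must hold a certificate of the key type the suite authenticates with (ECDHE-ECDSA suites need an ECDSA certificate; every other suite in the ASA list needs an RSA one). The client offers are constructed, not captures of the Let's Encrypt validator, and the excerpt keeps only the tlsv1 and tlsv1.2 sections of the posted output.

```python
import re

# Constructed excerpt of the "sh ssl ciphers" output posted in the thread
# (tlsv1 and tlsv1.2 sections only; suite names are as listed there).
SHOW_SSL_CIPHERS = """\
Current cipher configuration:
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
DHE-RSA-AES128-SHA
AES128-SHA
"""

SECTION_HEADER = re.compile(r"^(\S+) \((\w+)\):$")


def parse_show_ssl_ciphers(text: str) -> dict:
    """Return {protocol: [suite, ...]} from 'sh ssl ciphers' output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def required_cert_type(suite: str) -> str:
    """Key type the server certificate must have for this OpenSSL-named suite:
    ECDHE-ECDSA-* needs an ECDSA certificate; ECDHE-RSA-*, DHE-RSA-* and the
    static-RSA suites (AES128-SHA etc.) all need an RSA certificate."""
    return "ECDSA" if suite.startswith("ECDHE-ECDSA-") else "RSA"


def shared_ciphers(server_suites, client_offer, server_cert_type):
    """Suites the server can actually select: offered by the client, enabled
    on the server, and usable with the server's certificate key type. Client
    order is kept; OpenSSL honours client preference unless the server sets
    SSL_OP_CIPHER_SERVER_PREFERENCE."""
    enabled = set(server_suites)
    return [s for s in client_offer
            if s in enabled and required_cert_type(s) == server_cert_type]


def diagnose(show_output, protocol, client_offer, server_cert_type) -> dict:
    """Explain the outcome the way the server's OpenSSL decides it: the
    'no shared cipher' alert fires when the usable set is empty."""
    server_suites = parse_show_ssl_ciphers(show_output).get(protocol, [])
    usable = shared_ciphers(server_suites, client_offer, server_cert_type)
    if usable:
        return {"status": "ok", "cipher": usable[0]}
    by_name = [s for s in client_offer if s in server_suites]
    if not by_name:
        reason = f"client offered none of the {len(server_suites)} suites enabled for {protocol}"
    else:
        reason = (f"{len(by_name)} suite(s) match by name but need an "
                  f"{required_cert_type(by_name[0])} certificate; server key is {server_cert_type}")
    return {"status": "no shared cipher", "reason": reason}


# Constructed ClientHello offers (not captures of the Let's Encrypt validator).
CLIENT_ECDSA_ONLY = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384"]
CLIENT_CHACHA_ONLY = ["ECDHE-RSA-CHACHA20-POLY1305"]
CLIENT_MIXED = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
                "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    for offer in (CLIENT_MIXED, CLIENT_ECDSA_ONLY, CLIENT_CHACHA_ONLY):
        print(diagnose(SHOW_SSL_CIPHERS, "tlsv1.2", offer, "RSA"))
```

The script models only what the posted output exposes. A protocol version the client will not speak, or a server-side defect in how the SNI-selected trustpoint is used, produces the same alert on the wire and is outside this check; a packet capture of the ClientHello (which lists the offered suites in the clear) is the input to feed it.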
Yup, this is where I wound up last time it happened. It's not really an issue with the plugin, but the TLS service on the ASA rejecting LE's TLS client. I couldn't figure it out last time, but I intend to take another crack at it.
Pavel, can you test something for me? You'll have to be quick: During the interval when the ASA is configured to serve up the challenge certificate, but before LE gets around to checking... Please try to delete the My hope is that the error will change from something about TLS handshaking to a challenge validation failure (indicating that TLS succeeded). I'm finding that with that directive in place I have trouble with the TLS handshake on my test box.
I think we're running into this Cisco bug (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve20346). An ASA upgrade is going to be required.
Hi Chris,
I just posted a request for help on the Cisco Support Forum - will see if somebody answers it.
https://supportforums.cisco.com/discussion/13325616/ssl-handshake-failure
I sniffed the SSL communication - enclosing the file with it - you can check whether you are able to get some useful info from it.
Regards
Pavel
(In reply to Chris Marget's comment above, sent Saturday, July 1, 2017 12:57 PM; the Cisco bug linked there is https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve20346.)
I'm confident that the bug I mentioned is your problem. There's a couple of options for verifying that:
The Remove the It seems that any TLS connection which matches the SNI filter specified by the
Hi,
I am trying to make enrolment of a Let's Encrypt certificate work for our ASA firewall / VPN gateway.
I am able to communicate with the ASA REST API, and I installed, I hope, all required software on an internal Linux server (Debian), but when I run the command for enrolment I obtain an error:
The following errors were reported by the server:
Domain: fw.networksys.cz
Type: tls
Detail: remote error: tls: handshake failure
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
you have an up-to-date TLS configuration that allows the server to
communicate with the Certbot client.
It seems to me the certificate is not published on the ASA but I do not know how to debug it - I enclose the whole CLI output for details: certbot-asa-log.txt.
On the ASA there is already a certificate from our internal (private) CA - I do not know how the certificate from the certbot-asa script is set up on the ASA, as there is no attribute for the name of the output interface.
Thank you for any help.