Hey folks, I spun up a drone server on Kubernetes using both Helm and some custom created manifests. I discovered rather quickly that in either scenario SSL/TLS based outbound calls are failing. This was especially evident when I was trying to get OAuth setup between Gitea and Drone.
Upon further inspection, I obtained a shell to the container, installed curl and wget and was unable to make calls to Gitea:
/ # curl https://git.domain.io -v
* Trying <ip address>:443...
* TCP_NODELAY set
* Connected to git.domain.io (<ip address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to git.domain.io:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to git.domain.io:443
Drone consistently reports “connection reset by peer” and I think this may be the source.
@bradrydzewski I’m honestly a bit stuck in what to troubleshoot next.
For instance:
/ # openssl s_client -connect git.domain.io:443 -servername git.domain.io
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
To me, it looks like everything is fine with my certificate. I am using LetsEncrypt for this domain, and that’s managed by cert-manager.
It looks like openssl may not be detecting my certificate, but outside services do. I’m going to keep my troubleshooting scoped to the container, as that seems to be the problem.
I’m happy to pay for support if it’ll get me some help in troubleshooting this. None of the other applications on my cluster suffer from this, including applications I’ve written myself.