OpenSSL SSL_connect: SSL_ERROR_SYSCALL error

Use a cluster-scoped init script to install necessary SSL certificates to resolve a SSL_ERROR_SYSCALL error.

Written by pavan.kumarchalamcharla

Last published at: February 29th, 2024

Problem

You are trying to install third-party libraries via an init script. The init script attempts to download the libraries using curl or wget, but the download fails with an SSL error message.

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <hostname>:443

Cause

The OpenSSL SSL_connect: SSL_ERROR_SYSCALL error means that your cluster does not have the required SSL certificates to validate the connection to the host.

Solution

You need to install the host's SSL certificate on your cluster.

When the OpenSSL SSL_connect: SSL_ERROR_SYSCALL error occurs you can use curl to debug the issue.

%sh "curl -v <url-that-generates-error>"

This option gives you debug output while connecting to the target server. You can check the handshake failure while connecting as well.

Example result

* Trying REDACTED...
* TCP_NODELAY set
* Connected to hostname (REDACTED) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
 CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1): <---- 1st step in TLS handshake, we do not get to the 2nd
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in <hostname>:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <hostname>:443

 

Get the certificates used by the target server

You can use Google Chrome to export the SSL certificate of the target website. 

  1. Click the Secure button (a padlock) in an address bar.    
     
     
  2. Click Certificate (Valid).    
     
     
  3. Click Details
     
     
  4. Click Copy to File….
  5. Click Next.
  6. Select Base-64 encoded X.509 (.CER).
     
     
  7. Click Next.
  8. Save the SSL certificate file as local-ca.crt.
  9. Click Next.
  10. Click Finish.

 

Upload certificate files to your workspace

Save the certificates as workspace files. 

Review the Workspace files basic usage (AWS | Azure | GCP) documentation for more information.

 

Create an init script to install the certificates

Create a new file in your workspace called certificates.sh in the /Shared/ folder.

  1. Click Workspace in the left side menu.
  2. Click Workspace.
  3. Right-click Shared.
  4. Click Create.
  5. Click File.
  6. Enter certificates.sh in the text entry field and click Create File.
  7. Copy-and-paste this init script into the file you just created. <path-to-cert-file> should be replaced with the path to where you saved the local-ca.crt file in your workspace.
#!/bin/bash
sudo apt-get install -y ca-certificates
sudo cp <path-to-cert-file>/local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

 

Verify init script permissions

Check the permissions for certificates.sh and make sure all users who are creating clusters have the can_run and can_read permissions. The creator of the file and administrators have all permissions by default.

   
 

Configure a cluster-scoped init script

Follow the Use cluster-scoped init scripts (AWS | Azure | GCP) documentation to configure certificates.sh as a cluster-scoped init script.

Info

The certificates.sh init script should run before the init script that generated the OpenSSL SSL_connect: SSL_ERROR_SYSCALL error message.

 

 

Restart the cluster

Restart the cluster and verify that your init scripts successfully complete.

 

For more information on the certificate store, review the Ubuntu CA trust store documentation.