An SSL error appears when I try to access S3 with proxy

I just set up Cloudflare to host our asset domain, with S3 buckets as the subdomains.
The setup is proxied through Cloudflare (not direct to server).
The SSL certificate is “active”.
I’ve tried to disable and enable SSL, but I get the same results.

I managed to get everything working properly when I access via HTTP, but when I try via HTTPS, I get errors.

Any clue what to do to fix this?

When I try to access HTTPS with CURL, I get this:

$ curl -I https://assets.web.dev.tshiftcdn.com/_next/static/runtime/main-3920e1b46f4ff6a6e9dc.js
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

When I access HTTP with CURL, I get a proper response with a Cloudflare Ray ID:

$ curl -I http://assets.web.dev.tshiftcdn.com/_next/static/runtime/main-3920e1b46f4ff6a6e9dc.js
HTTP/1.1 200 OK
Date: Wed, 11 Dec 2019 22:28:22 GMT
Content-Type: application/javascript
Content-Length: 13355
Connection: keep-alive
Set-Cookie: __cfduid=df6bb8746515c53a1d3089522dbadd93b1576103302; expires=Fri, 10-Jan-20 22:28:22 GMT; path=/; domain=.tshiftcdn.com; HttpOnly
x-amz-id-2: 4c1hqmaQgTK0+76U1LBQWjfq2kUzRBVW/QKLUJ7swEpfJeFd7B+WNyc1knbCEMZ7z6fxfrcOGqQ=
x-amz-request-id: 9CCE87A2EF5F2E37
Cache-Control: public, max-age=31556952
Last-Modified: Wed, 11 Dec 2019 17:42:02 GMT
ETag: "b159e0a5d4e5298f3ee3d51f6ecb461b"
CF-Cache-Status: HIT
Age: 3941
Accept-Ranges: bytes
Alt-Svc: h3-23=":443"; ma=86400
Server: cloudflare
CF-RAY: 543ae4266d24af39-KEF

When I try with OpenSSL, I get this:

$ openssl s_client -connect  assets.web.dev.tshiftcdn.com:443
CONNECTED(00000003)
140114022614208:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1535:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 330 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

This is a multi-level SSL issue. The free universal SSL certificate doesn’t include multi-level-deep subdomains. You’ll need to purchase a dedicated SSL certificate if you want to proxy that hostname (or *.web.dev.tshiftcdn.com) with SSL.

Your second CURL command only asked over HTTP, not HTTPS, so your client doesn’t get the SSL error. If you’re fine with it, you can always link using http instead of https at the cost of security.

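To see why a single-level wildcard does not reach a name like assets.web.dev.tshiftcdn.com, here is an added example (not code from the thread or from Cloudflare) that applies the one-label wildcard matching rule from RFC 6125 to a constructed SAN list; the SAN lists are assumptions modelled on the certificates discussed above, not the real ones.

```python
# Added example: does a certificate's Subject Alternative Names cover a hostname?
# A '*.' wildcard matches exactly one DNS label and never spans a dot, so
# '*.tshiftcdn.com' covers cdn.tshiftcdn.com but not assets.web.dev.tshiftcdn.com.
from __future__ import annotations


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN entry (plain name or leading '*.') matches hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".tshiftcdn.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]      # the part the '*' must stand for
    # Must be exactly one non-empty label; a dot here means a deeper subdomain.
    return bool(leftmost) and "." not in leftmost


def covered_by(hostname: str, sans: list[str]) -> str | None:
    """Return the first SAN entry covering hostname, or None if none does."""
    for san in sans:
        if wildcard_matches(san, hostname):
            return san
    return None


# Constructed SAN lists (assumptions): a universal-style cert for the zone,
# and the same cert with the extra wildcard the asker added afterwards.
UNIVERSAL_SANS = ["tshiftcdn.com", "*.tshiftcdn.com"]
DEDICATED_SANS = UNIVERSAL_SANS + ["*.web.dev.tshiftcdn.com"]


def diagnose(hostname: str, sans: list[str]) -> str:
    """Human-readable verdict for a hostname against a SAN list."""
    match = covered_by(hostname, sans)
    if match:
        return f"{hostname}: covered by SAN {match}"
    return (f"{hostname}: no SAN covers this name; the edge has no certificate "
            "to present, which shows up as a handshake failure (alert 40)")


if __name__ == "__main__":
    for host in ("cdn.tshiftcdn.com", "assets.web.dev.tshiftcdn.com"):
        print(diagnose(host, UNIVERSAL_SANS))
        print(diagnose(host, DEDICATED_SANS))
```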

@Judge you are brilliant!!
Thank you, this solved it :slight_smile:

I purchased a dedicated SSL and added *.web.dev.tshiftcdn.com
