
quiet-fountain-61995

11/09/2022, 10:03 PM
bash-5.1# openssl s_client -showcerts -connect accounts.google.com:443
CONNECTED(00000003)
139739654130504:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

limited-pizza-33551

11/11/2022, 1:33 AM
Hey @quiet-fountain-61995, does your installation use custom certs by any chance? Or is it using the default certs?

quiet-fountain-61995

11/15/2022, 2:51 PM
Hey @limited-pizza-33551, it's the default certs. I figured out what the issue was after two weeks of painstaking debugging. It was one of the entries in the search domain field of our /etc/resolv.conf file. The file looked like the below:
nameserver 10.0.0.0
search production.svc.cluster.local svc.cluster.local cluster.local dc.mydomain.com
The issue was that for the last entry, dc.mydomain.com, when coredns tried to resolve google.com with it, it was returning a NOERROR instead of an NXDOMAIN, and so the search loop was closed and it resulted in a TLS error because there was no active DNS resolver at the dc.mydomain.com search entry. The fix was to either remove the search entry from the server's network manager or set up a DNS resolver at the endpoint, which is how we wanted it to work, and now our DNS TLS queries are resolved. So it looks like it's more of a coredns issue than Rancher.