Fromm time-to-time I get an unusual ssl error when using curl to check one of my web sites. This post documents the error and how I recovered from it.
I was bringing up a new web site on the F5 BigIP loadbalancer. It was a secure site. I typically use the F5 as an ssl acclerator so it terminates the ssl connection and makes an http connection back to the origin server.
So I tested my new site with curl:
$ curl -i -k https://secure.drj.com/
curl: (52) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
Weird, I thought. I had taken the certificate from an older F5 unit and maybe I had installed it or its private key wrong?
I tested with openssl:
$ openssl s_client -showcerts -connect secure.drj.com:443
... SSL handshake has read 2831 bytes and written 453 bytes --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-SHA Session-ID: E95AB5EA2D896D5B3A8BC82F1962FA4A68669EBEF1699DF375EEE95410EF5A0C Session-ID-ctx: Master-Key: EC5CA816BBE0955C4BC24EE198FE209BB0702FDAB4308A9DD99C1AF399A69AA19455838B02E78500040FE62A7FC417CD Key-Arg : None Start Time: 1374679965 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) ---
This all looks pretty normal – the same as what you get from a healthy working site. So the SSL, contrary to what I was seeing from curl, seemed to be working OK.
OK, so, SSL is handled by the F5 itself we were saying. That leaves the origin server. Bingo!
In F5 you have virtual servers and pools. You configure the SSL CERTs and the public-facing IP and the pool on the virtual server. The pool is where you configure your origin server(s).
I had forgotten to associate a default pool with my virtual server! So the F5 had nowhere to go really with the request after handling the initial SSL dialog.
I don’t think the available help for this error is very good so I wanted to offer this specific example.
So I associated a pool with my virtual server and immediately the problem went away.
We solved a very specific case this week and hopefully provided some guidance to others who might be seeing this issue.
My favorite openssl commands