TLS handshake error


Алексей

Jul 4, 2019, 8:17:47 PM
to Tinode General
I did not change any settings in tinode. The chat stopped working. Here is the log:

[root@rt-chat remtehchat.ru]# ./tinode &
[1] 3510
[root@rt-chat remtehchat.ru]# 2019/07/05 05:07:19 Server v0.15:/var/www/remtehchat.ru/data/www/remtehchat.ru/tinode:v0.15.15-rc1; db: 'mysql'; pid 3510; 1 process(es)
2019/07/05 05:07:19 Using config from '/var/www/remtehchat.ru/data/www/remtehchat.ru/tinode.conf'
2019/07/05 05:07:19 Running as a standalone server.
2019/07/05 05:07:19 Restricted tags: ['tel' 'email']
2019/07/05 05:07:19 plugins: no active plugins found
2019/07/05 05:07:19 gRPC/1.20.0-dev secure server is registered at [:6061]
2019/07/05 05:07:19 Serving static content from '/var/www/remtehchat.ru/data/www/remtehchat.ru/static' at '/'
2019/07/05 05:07:19 Large media handling enabled fs
2019/07/05 05:07:19 stats: variables exposed at '/debug/vars'
2019/07/05 05:07:19 Redirecting connections from HTTP at [:80] to HTTPS at [:6060]
2019/07/05 05:07:19 Listening for client HTTPS connections on [:6060]
2019/07/05 05:07:56 http: TLS handshake error from 130.255.143.65:9067: EOF
2019/07/05 05:08:35 http: TLS handshake error from 130.255.143.65:9096: EOF
2019/07/05 05:10:22 http: TLS handshake error from 130.255.143.65:9115: EOF
2019/07/05 05:12:45 http: TLS handshake error from 130.255.143.65:9066: 429 urn:acme:error:rateLimited: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
2019/07/05 05:12:45 http: TLS handshake error from 130.255.143.65:9123: acme/autocert: missing certificate



ge...@letsopen.co

Jul 6, 2019, 1:36:59 AM
to Tinode General
Maybe your certificate has expired? You really should hire a competent sysadmin.

Nothing runs at https://remtehchat.ru:6060 so I can't check anything:

$ curl -I remtehchat.ru:6060
curl: (7) Failed to connect to remtehchat.ru port 6060: Connection refused

Is there a particular reason why you run the server at :6060 instead of the common :443?

Алексей

Jul 6, 2019, 12:10:43 PM
to Tinode General
2. In the tinode.conf file settings
...
"tls": {
    // Enable TLS.
    "enabled": true,
    ...
    // Location of certificates.
    "cache": "/var/www/httpd-cert/remtehchat.ru",
    ...
    // these locations. Ignored if "autocert" is defined.
    "cert_file": "/var/www/httpd-cert/remtehchat.ru/remtehchat.ru.crt",
    "key_file": "/var/www/httpd-cert/remtehchat.ru/remtehchat.ru.key"
},

What else is required for the chat to work over https?

Gene S

Jul 6, 2019, 12:26:49 PM
to tinode
No it is not:


You are running your server at :6060.

Please hire a competent sysadmin. Please hire a competent sysadmin. Please hire a competent sysadmin.
Please hire a competent sysadmin. Please hire a competent sysadmin. Please hire a competent sysadmin.



Алексей

Jul 8, 2019, 11:00:10 AM
to Tinode General
What should I change in tinode.conf so that the chat opens at https://remtehchat.ru, without port :6060?

Gene

Jul 8, 2019, 11:35:11 AM
to Tinode General

Алексей

Jul 8, 2019, 3:48:08 PM
to Tinode General
If I leave this field empty or write ":443", the server does not start. What should be written there?

[root@rt-chat remtehchat.ru]# ./tinode &
[1] 24055
[root@rt-chat remtehchat.ru]# 2019/07/09 00:44:19 Server v0.15:/var/www/remtehchat.ru/data/www/remtehchat.ru/tinode:v0.15.15-rc1; db: 'mysql'; pid 24055; 1 process(es)
2019/07/09 00:44:19 Using config from '/var/www/remtehchat.ru/data/www/remtehchat.ru/tinode.conf'
2019/07/09 00:44:19 Running as a standalone server.
2019/07/09 00:44:19 Restricted tags: ['email' 'tel']
2019/07/09 00:44:19 plugins: no active plugins found
2019/07/09 00:44:19 gRPC/1.20.0-dev secure server is registered at [:6061]
2019/07/09 00:44:19 Serving static content from '/var/www/remtehchat.ru/data/www/remtehchat.ru/static' at '/'
2019/07/09 00:44:19 Large media handling enabled fs
2019/07/09 00:44:19 stats: variables exposed at '/debug/vars'
2019/07/09 00:44:19 Listening for client HTTPS connections on [:https]
2019/07/09 00:44:19 HTTP server: failed listen tcp :443: bind: address already in use
2019/07/09 00:44:19 Stopped push notifications
2019/07/09 00:44:19 Stopped files garbage collector
2019/07/09 00:44:19 Closed database connection(s)
2019/07/09 00:44:19 All done, good bye



Gene S

Jul 9, 2019, 1:27:27 AM
to tinode
Something else is already running at port 443.

Hire a sysadmin. 


Алексей

Jul 9, 2019, 6:35:37 AM
to Tinode General
I wanted to give up port 6060 so that the chat opens at https://remtehchat.ru. But nginx listens on port 443. There are a lot of sites on the server. I'm afraid that changing the nginx port will lead to errors on the sites.
The certificate is connected to the domain and does not give errors. Certificate errors exist only for domain + port.
The paths to the certificates are specified in tinode.conf. What else is required to pass certificate verification at https://remtehchat.ru:6060 ?

// TLS (httpS) configuration. Applies to both web and gRPC interfaces.
"tls": {
    // Enable TLS.
    "enabled": true,

    // Listen for connections on this port and redirect them to HTTPS port.
    "http_redirect": ":6060",

    // Add Strict-Transport-Security to headers, the value signifies age.
    // Zero or negative value turns it off.
    "strict_max_age": 604800,

    // Letsencrypt configuration
    //"autocert": {
        // Location of certificates.
        //"cache": "/var/www/httpd-cert/remtehchat.ru/",

        // Contact address for this installation. LetsEncrypt will send
        // messages to this address in case of problems. Replace with your
        // own address or remove this line.
        //"email": "ad...@remtehchat.ru",

        // Domains served. Replace with your own domain name.
        //"domains": ["remtehchat.ru"]
    //},

    // If "autocert" config is not defined, read static certificates from
    // these locations. Ignored if "autocert" is defined.
    "cert_file": "/var/www/httpd-cert/remtehchat.ru/www.remtehchat.ru.crt",
    "key_file": "/var/www/httpd-cert/remtehchat.ru/www.remtehchat.ru.key"
},

I understand that you will now tell me again to hire a system administrator :)), but I have already contacted the system administrator. He said that the certificate is connected to the domain correctly. And he does not know how the chat connects to the certificate. Understand me. Chat support says that the server needs to be configured, and server support says that the chat needs to be configured. What am I to do?


Gene

Jul 9, 2019, 12:13:04 PM
to Tinode General
On Tuesday, July 9, 2019 at 1:35:37 PM UTC+3, Алексей wrote:
I wanted to give up port 6060 so that the chat opens at https://remtehchat.ru. But nginx listens on port 443. There are a lot of sites on the server. I'm afraid that changing the nginx port will lead to errors on the sites.

Then configure nginx as a proxy. Terminate chat's SSL certificate at nginx, have it proxy the HTTP calls to the chat server at whatever port it runs.
 
The certificate is connected to the domain and does not give errors. Certificate errors exist only for domain + port.
The paths to the certificates are specified in tinode.conf. What else is required to pass certificate verification at https://remtehchat.ru:6060 ?

When I open https://remtehchat.ru:6060/ it works just fine. 
Hire someone competent and who is willing to spend time to learn your setup and solve your problems. You need someone who understands general Linux network administration. Your problems are not specific to Tinode.
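
The proxy setup suggested in the reply above, as an added example that is not part of the original thread or of the Tinode project: nginx keeps port 443, terminates TLS for the chat's host name, and forwards plain HTTP and WebSocket traffic to Tinode. It assumes Tinode has been reconfigured to serve plain HTTP on 127.0.0.1:6060 with its own "tls" section set to "enabled": false; the certificate paths are the ones quoted in the thread, and if nginx already has a server block for this name, only the map and location parts are merged into it.

```nginx
# Constructed example; place inside the http { } context of the nginx configuration.
# Assumption: Tinode listens for plain HTTP on the loopback interface only, so the
# unencrypted hop between nginx and Tinode never leaves the machine.

# Forward "Connection: upgrade" only when the client actually requested a WebSocket.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    # nginx picks this block by host name, so the other sites on :443 are unaffected.
    server_name remtehchat.ru;

    # The .crt file should contain the server certificate followed by its
    # intermediate certificates; clients that do not fetch missing intermediates
    # reject a chain that stops at the leaf.
    ssl_certificate     /var/www/httpd-cert/remtehchat.ru/www.remtehchat.ru.crt;
    ssl_certificate_key /var/www/httpd-cert/remtehchat.ru/www.remtehchat.ru.key;

    # Same lifetime as "strict_max_age" in the tinode.conf quoted in the thread;
    # with TLS terminated here, the header has to be set by nginx.
    add_header Strict-Transport-Security "max-age=604800" always;

    location / {
        proxy_pass http://127.0.0.1:6060;

        # WebSocket needs HTTP/1.1 and the hop-by-hop upgrade headers passed on.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Preserve the original host, client address and scheme for the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Chat connections sit idle between messages; the 60s default would cut them.
        proxy_read_timeout 300s;
    }
}
```

Running `nginx -t` before reloading checks the syntax and that the certificate and key can be loaded.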

Алексей

Jul 10, 2019, 8:58:02 AM
to Tinode General
When I open https://remtehchat.ru:6060/ it works just fine. 
 
The chat works and notifications arrive. But I cannot connect through the Android app. Maybe I need some more settings to connect through the Android app?

Алексей

Jul 10, 2019, 9:13:45 AM
to Tinode General
Web chat now works because I disabled everything related to "autocert". Now tinode connects to certificates as follows:
"cert_file": "/var/www/httpd-cert/remtehchat.ru/www.remtehchat.ru.crt",
"key_file": "/var/www/httpd-cert/remtehchat.ru/www.remtehchat.ru.key"

Maybe there is a need for information about the certificate chain or something else? Or the fact that the chat does not work with "autocert" enabled indicates some specific problem on the server?

Gene

Jul 10, 2019, 9:14:37 AM
to Tinode General
Have you switched the address of the server in the app from api.tinode.co to remchat? 

If you downloaded the android binary from github, push notifications won't work with your server. You have to recompile using your own google-services.json to enable them.

Soy yo

Dec 3, 2020, 4:41:48 AM
to Tinode General
For those who have handshake errors: I had the same issue.

I was using Certbot certificates, but they have some problems with permissions and I was able to start Tinode only with sudo. At the same time I was still getting handshake errors when using gRPC. I purchased a normal certificate, installed it and started Tinode without sudo. But I was still getting handshake errors with gRPC. I tried everything - restarting Tinode, changing the permissions of the cert files - but it didn't work.

My solution was: I just rebooted the server. After the reboot the handshake errors disappeared.
