Nginx alerts "ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content)" #123

Open
DoobleD opened this issue Oct 22, 2024 · 3 comments

@DoobleD
Contributor

DoobleD commented Oct 22, 2024

I'm seeing quite a lot of the following alerts in Nginx logs:

[alert] 721#721: *16748745 ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content), context: XXX

Where XXX is either ssl_certificate_by_lua* or ngx.timer, the latter occurring much more often.

I'm not sure how to investigate this further though, in particular because I don't see the domains that generate these errors in the logs. Any ideas what the issue could be?

@DoobleD
Contributor Author

DoobleD commented Nov 14, 2024

Not sure if that helps but the version with ssl_certificate_by_lua*:

ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content), context: ssl_certificate_by_lua*

happens once a day every day at 00:00 UTC. It could be related to some timer or recurring task. I thought perhaps the renew interval, but I'm using the default one which is every 6 hours if I'm not mistaken (based on the docs).

@fffonion
Owner

It's caused by an error that was previously thrown not being properly cleared. It could be from this library or any other that uses openssl, as the error stack is shared. While it can be safely ignored as the occurrence of the error is always from the past, I'm not sure where this could come from 🤔

@DoobleD
Contributor Author

DoobleD commented Dec 3, 2024

Thank you for your reply @fffonion.

I enabled debug logs to get more info, but it didn't seem very helpful. The only consistent thing is that an HTTP connection to acme-v02.api.letsencrypt.org is logged before the error is:

@40000000674f1d54216abbc5.s-2024-12-03 14:58:54.687030956  2024/12/03 14:58:54 [debug] 3372369#3372369: *80595430 [lua] http_connect.lua:253: connect(): poolname: https:acme-v02.api.letsencrypt.org:443:true:acme-v02.api.letsencrypt.org:true:::
@40000000674f1d54216abbc5.s:2024-12-03 14:58:54.687268030  2024/12/03 14:58:54 [alert] 3372369#3372369: *80595430 ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content), context: ssl_certificate_by_lua*, client: 175.157.40.19, server: 0.0.0.0:443

Not sure this really helps. Also, I was mistaken when I said that the error happens at 00:00 UTC once a day. It actually happens multiple times every day at random times, and I was just notified of it at 00:00.

If these errors are benign in reality, I'll ignore them for now.
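
An added example, not part of the thread or the project's code: a Python triage script for the alerts discussed above. Because the maintainer notes that the OpenSSL error stack is shared, it lists what each nginx worker logged just before every alert, across connections (grouping by worker PID is this example's assumption; the sample lines are constructed).

```python
import re
from collections import Counter, defaultdict, deque

# nginx error_log prefix, searched anywhere in the line so that wrapper
# prefixes (such as the extra timestamps seen in the thread) are tolerated.
LINE = re.compile(
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?:\*(?P<conn>\d+) )?(?P<msg>.*)"
)
STALE = re.compile(
    r"ignoring stale global SSL error \(SSL: (?P<err>error:[0-9A-Fa-f]+)"
    r".*?\), context: (?P<ctx>[^,]+)"
)

def triage(lines, lookback=3):
    """Count stale-SSL-error alerts per (error code, context) and collect the
    last `lookback` messages each worker logged before every alert."""
    # Assumption of this example: the leftover error was queued earlier by the
    # same worker process, possibly on a different connection.
    history = defaultdict(lambda: deque(maxlen=lookback))
    counts, preceding = Counter(), []
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue
        s = STALE.search(m["msg"]) if m["level"] == "alert" else None
        if s:
            counts[(s["err"], s["ctx"].strip())] += 1
            preceding.append((m["ts"], m["pid"], list(history[m["pid"]])))
        else:
            history[m["pid"]].append((m["conn"], m["msg"]))
    return counts, preceding

# Constructed sample lines in the format shown in the thread.
SAMPLE = [
    "2024/12/03 14:58:54 [debug] 100#100: *7 [lua] http_connect.lua:253: connect(): poolname: https:acme-v02.api.letsencrypt.org:443",
    "2024/12/03 14:58:54 [alert] 100#100: *7 ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content), context: ssl_certificate_by_lua*, client: 203.0.113.7, server: 0.0.0.0:443",
    "2024/12/03 15:02:10 [debug] 100#100: *9 [lua] unrelated.lua:1: tick",
    "2024/12/03 15:02:11 [alert] 100#100: *9 ignoring stale global SSL error (SSL: error:068000DE:asn1 encoding routines::illegal zero content), context: ngx.timer",
]

if __name__ == "__main__":
    counts, preceding = triage(SAMPLE)
    for (err, ctx), n in counts.most_common():
        print(f"{n:5d}  {err}  {ctx}")
    for ts, pid, before in preceding:
        print(f"{ts} worker {pid}:")
        for conn, msg in before:
            print(f"    *{conn} {msg}")
```

Feeding it a debug-level error log shows whether the same kind of operation consistently precedes the alert on a given worker.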
