Duckdns + zrok tls: internal error

I tried setting up zrok with duckdns, but I can't get it working. It starts, but I get this error when I try to enable my token with: zrok enable <myToken>. I did also set my apiEndpoint:

there was a problem enabling your environment!

you are trying to use the zrok service at: https://<myLink>.org

you can change your zrok service endpoint using this command:

$ zrok config set apiEndpoint <newEndpoint>

(where newEndpoint is something like: https://some.zrok.io)

[ERROR]: error creating service client (error getting version from api endpoint 'https://<myLink>.org': Get "https://<myLink>/api/v1/version": remote error: tls: internal error: Get "https://<myLink>api/v1/version": remote error: tls: internal error)

This is my .env file:

ZROK_DNS_ZONE=<myLink>
ZROK_USER_EMAIL=<myEmail>
ZROK_USER_PWD=<myPassword>

ZITI_PWD=<myPassword>
ZROK_ADMIN_TOKEN=<myPassword>
# Caddy TLS option: rename caddy.compose.override.yml to compose.override.yml and set these vars; allow 80,443 in firewall
# plugin name for your DNS provider
CADDY_DNS_PLUGIN=duckdns
# API token from your DNS provider
CADDY_DNS_PLUGIN_TOKEN=<myDuckdnsToken>

# use the staging API until you're sure everything is working to avoid hitting the rate limit
CADDY_ACME_API=https://acme-staging-v02.api.letsencrypt.org/directory

# no TLS option: publish the insecure ports to the internet and allow them in the firewall
ZROK_INSECURE_INTERFACE=0.0.0.0
ZROK_CTRL_PORT=18080
ZROK_FRONTEND_PORT=8080
ZROK_OAUTH_PORT=8081

# ziti ports must be published to the internet and allowed by firewall
ZITI_CTRL_ADVERTISED_PORT=1280
ZITI_ROUTER_PORT=3022

# zrok version, e.g., 1.0.0
ZROK_CLI_TAG=latest
# ziti version, e.g., 1.0.0
ZITI_CLI_TAG=latest

Hi @Sitolam,

Is the certificate presented verifiable? Meaning the OS trusts the cert? You will need a verifiable certificate at that url and it should have nothing to do with duckdns (I wouldn't think).

Are you able to connect to the url and successfully negotiate TLS without error? It's best (imo) to use openssl to check this with:

openssl s_client -connect $your_fqdn_here:$port

You MUST see: Verify return code: 0 (ok) at the end of that. I'm guessing that's the issue based on the error returned of: remote error: tls: internal error

I'm running this on an Oracle VPS free tier.
This is the output, but it still doesn't work:

Connecting to <ip>
CONNECTED(00000003)
405763636A770000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:907:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 330 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

This is also the error I get when I try to connect to zrok.<myDomain> from Firefox:

Maybe you can send me your actual ip/dns via direct message here on discourse and I will probe it for you. That looks to me like you connected to a non-tls-providing port? See the "no peer certificate available"? That's what I expect when a non-tls endpoint replies.

As an example, try these two:

openssl s_client -connect neverssl.com:80

vs

openssl s_client -connect neverssl.com:443

You'll see the first openssl command returns no certs, the second returns certs.

Are you certain you set up zrok properly and have something like nginx in front of the http endpoint?
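The openssl s_client check from the first reply, and the neverssl.com:80 vs :443 comparison from the second, turned into a small POSIX shell checker. This is an example added here; it is not code from the thread or from the zrok project. It classifies s_client output the way the replies do, with two points the raw output makes easy to miss: openssl prints "Verify return code: 0 (ok)" even when no certificate was received at all, so that line alone proves nothing, and the OP's output does contain a TLS record from the server (alert number 80, which is the TLS internal_error alert; the 7 bytes read are exactly one alert record), which is what Go's crypto/tls in the zrok CLI reports as "remote error: tls: internal error". A plaintext port, such as neverssl.com:80, sends no TLS record back, and the checker labels that case separately. A third case matters for the posted .env: certificates issued through the Let's Encrypt staging endpoint set in CADDY_ACME_API are not trusted by the OS, so a working handshake will still show a non-zero verify code until CADDY_ACME_API is switched to production. The four sample outputs are constructed and abridged from the shapes openssl prints (the first is the OP's own output, trimmed); the hostname zrok.example.org and the CA names in them are hypothetical.

```shell
#!/bin/sh
# tls_probe.sh: run the openssl s_client check from the thread and classify its output.
# Added example, not zrok project code. Sample outputs below are constructed/abridged.

# Reads `openssl s_client` output on stdin and prints one label:
#   TLS_ALERT:<n>   server answered with a TLS alert (n = alert number; 80 = internal_error)
#   NO_TLS          no TLS record came back (typically a plaintext HTTP port)
#   VERIFY_FAIL:<c> handshake completed but the chain did not verify (c = openssl verify code)
#   TLS_OK          handshake completed and "Verify return code: 0 (ok)"
# Returns 0 only for TLS_OK. "Verify return code: 0 (ok)" on its own is not enough:
# openssl prints it even when no certificate was received, as in the OP's output.
classify_sclient_output() {
    out=$(cat)
    alert=$(printf '%s\n' "$out" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$alert" ]; then
        printf 'TLS_ALERT:%s\n' "$alert"
        return 1
    fi
    if printf '%s\n' "$out" | grep -q '^no peer certificate available'; then
        printf 'NO_TLS\n'
        return 1
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        printf 'UNKNOWN\n'
        return 1
    fi
    if [ "$code" -ne 0 ]; then
        printf 'VERIFY_FAIL:%s\n' "$code"
        return 1
    fi
    printf 'TLS_OK\n'
}

# Live probe of host:port. -servername sends SNI, which name-based servers need to pick a
# certificate; </dev/null makes s_client exit after the handshake; 2>&1 keeps the error
# lines, which openssl writes to stderr.
probe_tls() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 | classify_sclient_output
}

# Constructed sample 1: the OP's output, abridged. One TLS alert record is 7 bytes.
sample_alert() {
cat <<'EOF'
CONNECTED(00000003)
405763636A770000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:907:SSL alert number 80
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 330 bytes
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
EOF
}

# Constructed sample 2: a plaintext HTTP port (the neverssl.com:80 case), abridged.
sample_plaintext() {
cat <<'EOF'
CONNECTED(00000003)
4047A2E1B57F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:355:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
EOF
}

# Constructed sample 3: handshake works, but the chain comes from an untrusted (staging) CA.
sample_staging() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 O=(STAGING) Example CA, CN=(STAGING) Example Intermediate
verify error:num=20:unable to get local issuer certificate
---
subject=CN=zrok.example.org
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Constructed sample 4: what the first reply asks for, a trusted chain and verify code 0.
sample_ok() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN=zrok.example.org
verify return:1
---
subject=CN=zrok.example.org
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
EOF
}

# Usage: ./tls_probe.sh probe <host> <port>   (live check)
#        ./tls_probe.sh                       (classify the constructed samples)
if [ "$1" = "probe" ] && [ $# -eq 3 ]; then
    probe_tls "$2" "$3"
else
    for s in sample_alert sample_plaintext sample_staging sample_ok; do
        printf '%-16s -> %s\n' "$s" "$("$s" | classify_sclient_output)"
    done
fi
```

Run it as ./tls_probe.sh probe zrok.<myDomain> 443 against the real endpoint; only TLS_OK means the CLI will get past the version call. A TLS_ALERT:80 result says the server is speaking TLS but failing inside its own handshake, which points at the TLS terminator's certificate setup rather than at the port or firewall; NO_TLS points at a plaintext port, as the second reply suspects.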