Hey folks, I spun up a drone server on Kubernetes using both Helm and some custom-created manifests. I discovered rather quickly that in either scenario SSL/TLS-based outbound calls are failing. This was especially evident when I was trying to get OAuth set up between Gitea and Drone.
Upon further inspection, I obtained a shell to the container, installed curl and wget and was unable to make calls to Gitea:
/ # curl https://git.domain.io -v
* Trying <ip address>:443...
* TCP_NODELAY set
* Connected to git.domain.io (<ip address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to git.domain.io:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to git.domain.io:443
Drone consistently reports “connection reset by peer”, and I think this may be the source.
/ # openssl s_client -connect git.domain.io:443 -servername git.domain.io
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 320 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
To me, it looks like everything is fine with my certificate. I am using Let's Encrypt for this domain, and that’s managed by cert-manager.