Drone Server docker image cannot make SSL requests

Hey folks, I spun up a drone server on Kubernetes using both Helm and some custom created manifests. I discovered rather quickly that in either scenario SSL/TLS based outbound calls are failing. This was especially evident when I was trying to get OAuth setup between Gitea and Drone.

Upon further inspection, I obtained a shell to the container, installed curl and wget and was unable to make calls to Gitea:

/ # curl https://git.domain.io -v
*   Trying <ip address>:443...
* Connected to git.domain.io (<ip address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to git.domain.io:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to git.domain.io:443 

Drone consistently reports “connection reset by peer” and I think this may be the source.

Gitea Version: 1.11.5
Drone Version: 1.8.1

@bradrydzewski can we move this back to bug? I’ve at least proved that something is wrong with the docker image.

Hi @mattouille can you please provide more information? We run the Drone server image at cloud.drone.io and we do not have any issues with SSL.

@bradrydzewski I’m honestly a bit stuck in what to troubleshoot next.

For instance:

/ # openssl s_client -connect git.domain.io:443  -servername git.domain.io
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 320 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok) 

To me, it looks like everything is fine with my certificate. I am using LetsEncrypt for this domain, and that’s managed by cert-manager.

It looks like openssl may not be detecting my certificate, but outside services do. I’m going to keep my troubleshooting scoped to the container, as that seems to be the problem.

I’m happy to pay for support if it’ll get me some help in troubleshooting this. None of the other applications on my cluster suffer from this, including applications I’ve written myself.