Vibe.d error

Thread overview:
Aug 18, 2021, JG
Aug 20, 2021, WebFreak001
Aug 20, 2021, JG
Aug 23, 2021, WebFreak001
August 18, 2021

Hi,

We are intermittently getting the following error:
Accept TLS connection: server
OpenSSL error at ../ssl/record/rec_layer_s3.c:1543: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
HTTP connection handler has thrown: Accepting SSL tunnel: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (336151574)
Full error: object.Exception@/home/jg/.dub/packages/vibe-d-0.9.3/vibe-d/tls/vibe/stream/openssl.d(578): Accepting SSL tunnel: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (336151574)

Anyone have any idea what might cause this?
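
Added example, not part of the original post and not vibe.d code: a small Python triage helper that decodes the packed OpenSSL error code from the log above. It assumes the OpenSSL 1.0.x/1.1.x error-code layout; in that layout `14094416` and the decimal `336151574` are the same value, and its reason field 1046 is 1000 + alert 46, meaning the `certificate_unknown` alert was received from the connecting client rather than raised locally by the server.

```python
import re
from collections import Counter

# OpenSSL 1.0.x/1.1.x pack an error code as lib (8 bits) | func (12) | reason (12).
# Assumption: that layout applies here; OpenSSL 3.x packs codes differently.
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000  # SSL reason = 1000 + alert number for a received alert

# Certificate-related TLS alert descriptions (RFC 5246 / RFC 8446).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode(code):
    """Split a packed 1.0.x/1.1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def peer_alert(line):
    """Return the TLS alert number if the line records an alert sent by the peer."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, _func, reason = decode(int(m.group(1), 16))
    alert = reason - SSL_AD_REASON_OFFSET
    if lib == ERR_LIB_SSL and 0 < alert <= 255:
        return alert
    return None

def summarize(lines):
    """Count peer-sent alerts by name across a set of log lines."""
    counts = Counter()
    for line in lines:
        alert = peer_alert(line)
        if alert is not None:
            counts[CERT_ALERTS.get(alert, f"alert_{alert}")] += 1
    return counts

SAMPLE = [
    # Taken from the post above.
    "OpenSSL error at ../ssl/record/rec_layer_s3.c:1543: error:14094416:SSL routines:"
    "ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)",
    # Constructed line: a local protocol error, not an alert from the peer.
    "OpenSSL error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

Running it over a day of server logs shows whether the failures are all peer-sent certificate alerts, which points at particular clients not trusting the certificate or chain being served.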

August 20, 2021

On Wednesday, 18 August 2021 at 19:51:00 UTC, JG wrote:

> Hi,
>
> We are intermittently getting the following error:
> Accept TLS connection: server
> OpenSSL error at ../ssl/record/rec_layer_s3.c:1543: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
> HTTP connection handler has thrown: Accepting SSL tunnel: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (336151574)
> Full error: object.Exception@/home/jg/.dub/packages/vibe-d-0.9.3/vibe-d/tls/vibe/stream/openssl.d(578): Accepting SSL tunnel: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (336151574)
>
> Anyone have any idea what might cause this?

There might be incompatibilities with how openssl is used and the installed openssl version or config.

If you are getting this from having https enabled on the server, I would recommend instead switching to HTTP-only and using a reverse proxy such as with nginx or caddy to serve it with HTTPS.

August 20, 2021

On Friday, 20 August 2021 at 10:50:12 UTC, WebFreak001 wrote:

> On Wednesday, 18 August 2021 at 19:51:00 UTC, JG wrote:
>
> > [...]
>
> There might be incompatibilities with how openssl is used and the installed openssl version or config.
>
> If you are getting this from having https enabled on the server, I would recommend instead switching to HTTP-only and using a reverse proxy such as with nginx or caddy to serve it with HTTPS.

Thank you very much for your reply. Yes, we are getting this with HTTPS enabled. May I ask why you suggest not to use HTTPS?

August 23, 2021

On Friday, 20 August 2021 at 17:39:29 UTC, JG wrote:

> On Friday, 20 August 2021 at 10:50:12 UTC, WebFreak001 wrote:
>
> > On Wednesday, 18 August 2021 at 19:51:00 UTC, JG wrote:
> >
> > > [...]
> >
> > There might be incompatibilities with how openssl is used and the installed openssl version or config.
> >
> > If you are getting this from having https enabled on the server, I would recommend instead switching to HTTP-only and using a reverse proxy such as with nginx or caddy to serve it with HTTPS.
>
> Thank you very much for your reply. Yes, we are getting this with HTTPS enabled. May I ask why you suggest not to use HTTPS?

I think you might need to restart the server whenever you update the SSL certificates + in every app you need to pass in your SSL certificate location somehow or hardcode it, which if you make all your apps yourself you can do consistently, but otherwise creates inconsistencies which can be hard to maintain.

On the other hand if you use a single reverse proxy like with nginx or caddy for all the HTTPS services it can reload them all at once and use the same config for everything. Additionally they are better supported by ACME services like LetsEncrypt or ZeroSSL through built-in plugins, etc.

But most importantly: these services have undergone much more testing for security than vibe.d, so you can generally expect it to be less likely to have critical bugs in API usage.