$ openssl s_client -connect download.gluster.org:443
CONNECTED(00000003)
140333208389272:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1477671433
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---

$ curl -D - -v https://download.gluster.org
* Rebuilt URL to: https://download.gluster.org/
* Trying 23.253.208.221...
* TCP_NODELAY set
* Connected to download.gluster.org (23.253.208.221) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

I'm not able to reproduce this error. Joe, are you still seeing this?
Kaleb restarted Apache and misc found (and I believe fixed) an Ansible bug that prevented it from restarting Apache.
So the issue was that we did some change on apache (like various refactoring of the configuration file). This got applied in production and this should have resulted in an apache restart. However, due to https://github.com/ansible/ansible-modules-core/pull/4777 and due to us using a specific transport, the playbooks were silently failing at the step "restart httpd", which then, for an unknown reason, was in some weird state.

Short term solution: Restart apache.

Mid term: we have to wait for ansible 2.2, which got released this week, and/or a backport of the bug fix. Both should happen soon (and automatically), so I suspect

Long term, we need to:
- lack of reporting on ansible side (which is on my todolist)
- lack of monitoring (also on todo list)

Both would have permitted a faster turnaround. Also, managing to not schedule conferences for me while Nigel is out on PTO would be better, but I can't ask the organiser, nor can I ask India to change their dates.
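
A monitoring probe for the failure mode in this report, added here as an example and not part of the original thread or of the Gluster infrastructure code: it sends a real ClientHello and checks whether the reply starts with a TLS record header. The function names and result labels are assumptions made for this sketch.

```python
import socket
import ssl
import sys

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15  # TLS record content types


def client_hello(hostname: str) -> bytes:
    """Let the local TLS stack build a ClientHello without any network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(
        incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()


def classify_reply(first_bytes: bytes) -> str:
    """Classify a reply by its record header: type byte, 0x03, minor version."""
    if not first_bytes:
        return "no-reply"
    if len(first_bytes) >= 3 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        if first_bytes[0] == TLS_HANDSHAKE:
            return "tls-handshake"
        if first_bytes[0] == TLS_ALERT:
            return "tls-alert"
    # Anything else (for example a plaintext HTTP error page) is not TLS,
    # the condition the clients above reported as "unknown protocol".
    return "not-tls"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the first 5 reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        data = b""
        try:
            while len(data) < 5:
                chunk = sock.recv(5 - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # timeout or reset: classify whatever arrived
        return classify_reply(data)


if __name__ == "__main__":
    result = probe(sys.argv[1])
    print(result)
    sys.exit(0 if result == "tls-handshake" else 2)
```

Run from a scheduler or monitoring agent with the hostname as its only argument, a non-zero exit flags a port 443 listener that has stopped answering with a ServerHello.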