Mmm interesting. We do not use client certificates; I'd be puzzled if that was involved. And this tells me it should theoretically happen all the time if there is a problem in setup. But it only happens after a random extended period of uptime. Also the last times it happened, the choke-up was the other way round with the other backend server.
What we have is a wildcard cert *.cloudapp.net deployed to all our cloud services in Windows Azure (which are named as cloudservicename.cloudapp.net). cloudapp.net itself actually belongs to Microsoft, so we generated that wildcard cert ourselves, signed with our own development CA. The cert is for server identification and https traffic to happen, so client identification is not involved. Everything actually works fine, until the problem occurs after a long while (the stretch this time has been almost a month). Restarting the node.exe process (and all the TCP sockets along with it) will "solve" the problem. But that is of course not a real solution. thanks, Aaron On Fri, Aug 30, 2013 at 6:13 PM, Ben Noordhuis <[email protected]> wrote: > > > I can't tell you what exactly the issue is but maybe I can point you > in the right direction. Apologies if I'm not telling you anything you > didn't already know. > > That 'SSL alert number 48' error message is sent by the upstream > server. It suggests that you are using client SSL certificates for > authorization. The server is rejecting it because it doesn't know the > CA, the certificate authority that signed the client certificate. > > You mention it only happens with one server instance. That suggests > that it has a CA certificate store that is different from the others. > If you are using an in-house CA certificate, it's plausible that you > forgot to add it to that instance's certificate store. > > Try connecting with `openssl s_client -cert <filename> -connect > <host>:<port>` and see what happens. Note that s_client only > supports certificates in DER and PEM format. If your certificate is > in PKCS#12 format, you can either export it with `openssl pkcs12` or > use the MS equivalent of `openssl s_client`. > > -- -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
