Webdav complains remote error: tls: illegal parameter

Hi, I have recently been having trouble with the webdav server. I use google cloud platform as a remote webdav server. Everything was fine until 2 weeks ago. When I noticed rclone stopped working, I tried to list the remote webdav but only ended up with this:

root@pve:~ # rclone ls gcp-hk:
2020/08/11 23:24:40 ERROR : : error listing: couldn't list files: Propfind https://dav.example.com/: remote error: tls: illegal parameter
2020/08/11 23:24:40 Failed to ls with 2 errors: last error was: couldn't list files: Propfind https://dav.example.com/: remote error: tls: illegal parameter

I am running the webdav server with this command:

rclone serve webdav gdrive: --addr 127.0.0.1:9090 --user rclone --pass mypassword

I use nginx as a reverse proxy, and I'm sure the certificate is valid because I just force renewed them. Here's my nginx config:

server {
	listen 443 ssl;
	server_name dav.example.com;
	ssl_certificate /root/.acme.sh/dav.example.com/fullchain.cer;
	ssl_trusted_certificate /root/.acme.sh/dav.example.com/ca.cer;
	ssl_certificate_key /root/.acme.sh/dav.example.com/dav.example.com.key;
	ssl_stapling on;
	ssl_stapling_verify on;
	#ssl_protocols        TLSv1.1 TLSv1.2 TLSv1.3;
	client_max_body_size 0;
	ssl_ciphers	EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
	location / {
		proxy_pass http://127.0.0.1:9090;
		proxy_cache off;
		proxy_request_buffering off;
		proxy_cache_bypass 1;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header Host $host;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	}
}

And here's the nginx error log:

2020/08/11 23:17:34 [crit] 1921#0: *9766 SSL_do_handshake() failed (SSL: error:142090BA:SSL routines:tls_early_post_process_client_hello:bad cipher) while SSL handshaking, client: 1.1.1.1, server: 0.0.0.0:443
2020/08/11 23:22:00 [error] 1921#0: *9767 connect() failed (111: Connection refused) while connecting to upstream, client: 1.1.1.1, server: dav.example.com, request: "PROPFIND /home/ HTTP/1.1", upstream: "http://127.0.0.1:9090/home/", host: "dav.example.com"
2020/08/11 23:22:02 [error] 1921#0: *9767 connect() failed (111: Connection refused) while connecting to upstream, client: 1.1.1.1, server: dav.example.com, request: "PROPFIND /home/ HTTP/1.1", upstream: "http://127.0.0.1:9090/home/", host: "dav.example.com"
2020/08/11 23:22:43 [error] 1921#0: *9770 connect() failed (111: Connection refused) while connecting to upstream, client: 1.1.1.1, server: dav.example.com, request: "PROPFIND / HTTP/1.1", upstream: "http://127.0.0.1:9090/", host: "dav.example.com"
2020/08/11 23:22:44 [error] 1921#0: *9770 connect() failed (111: Connection refused) while connecting to upstream, client: 1.1.1.1, server: dav.example.com, request: "PROPFIND / HTTP/1.1", upstream: "http://127.0.0.1:9090/", host: "dav.example.com"
2020/08/11 23:23:16 [crit] 1921#0: *9781 SSL_do_handshake() failed (SSL: error:142090BA:SSL routines:tls_early_post_process_client_hello:bad cipher) while SSL handshaking, client: 1.1.1.1, server: 0.0.0.0:443
2020/08/11 23:24:32 [crit] 1921#0: *9793 SSL_do_handshake() failed (SSL: error:142090BA:SSL routines:tls_early_post_process_client_hello:bad cipher) while SSL handshaking, client: 1.1.1.1, server: 0.0.0.0:443
2020/08/11 23:24:40 [crit] 1921#0: *9794 SSL_do_handshake() failed (SSL: error:142090BA:SSL routines:tls_early_post_process_client_hello:bad cipher) while SSL handshaking, client: 1.1.1.1, server: 0.0.0.0:443

Maybe there's something wrong with my config? But everything was fine when I set them up a few months ago. And when the rclone client is having problems, raidrive is working just fine. I've been digging the internet for a whole night but there's too little information.
Any help will be greatly appreciated.
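Triage of the nginx error log quoted in the post above, as an added example that is not part of the original thread: it separates TLS handshake failures from upstream connection failures and matches the rclone client error to the nginx entry logged in the same second. The function names are made up for this example, and the timestamp match assumes both hosts log in the same time zone with synchronized clocks.

```python
import re
from collections import Counter

# Four lines copied from the nginx error log in the post, plus the rclone client error.
NGINX_LOG = """\
2020/08/11 23:17:34 [crit] 1921#0: *9766 SSL_do_handshake() failed (SSL: error:142090BA:SSL routines:tls_early_post_process_client_hello:bad cipher) while SSL handshaking, client: 1.1.1.1, server: 0.0.0.0:443
2020/08/11 23:22:00 [error] 1921#0: *9767 connect() failed (111: Connection refused) while connecting to upstream, client: 1.1.1.1, server: dav.example.com, request: "PROPFIND /home/ HTTP/1.1", upstream: "http://127.0.0.1:9090/home/", host: "dav.example.com"
2020/08/11 23:22:43 [error] 1921#0: *9770 connect() failed (111: Connection refused) while connecting to upstream, client: 1.1.1.1, server: dav.example.com, request: "PROPFIND / HTTP/1.1", upstream: "http://127.0.0.1:9090/", host: "dav.example.com"
2020/08/11 23:24:40 [crit] 1921#0: *9794 SSL_do_handshake() failed (SSL: error:142090BA:SSL routines:tls_early_post_process_client_hello:bad cipher) while SSL handshaking, client: 1.1.1.1, server: 0.0.0.0:443
"""
RCLONE_LINE = ("2020/08/11 23:24:40 ERROR : : error listing: couldn't list files: "
               "Propfind https://dav.example.com/: remote error: tls: illegal parameter")

LINE = re.compile(r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] \d+#\d+: \*(?P<conn>\d+) "
                  r"(?P<msg>.*?), client: [^,]+, server: (?P<server>[^,]+)")

def classify(msg):
    """Map an nginx error message to (layer, reason)."""
    if "SSL_do_handshake() failed" in msg:
        m = re.search(r"SSL routines:[^:]+:([^)]+)\)", msg)
        return "tls_handshake", (m.group(1) if m else "unknown")
    if "while connecting to upstream" in msg:
        m = re.search(r"\((\d+: [^)]+)\)", msg)
        return "upstream", (m.group(1) if m else "unknown")
    return "other", ""

def triage(log_text):
    """Return parsed events and a Counter keyed by (layer, reason, server)."""
    events, counts = [], Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an nginx error-log line in the expected shape
        layer, reason = classify(m["msg"])
        events.append({"ts": m["ts"], "conn": m["conn"], "layer": layer,
                       "reason": reason, "server": m["server"]})
        counts[(layer, reason, m["server"])] += 1
    return events, counts

def client_tls_alert(line):
    """Extract (timestamp, alert text) from an rclone 'remote error: tls:' line."""
    m = re.match(r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) .*remote error: tls: (.+)$", line)
    return (m.group(1), m.group(2)) if m else None

def correlate(events, client_ts):
    """nginx events logged in the same second as the client-side error."""
    return [e for e in events if e["ts"] == client_ts]

if __name__ == "__main__":
    events, counts = triage(NGINX_LOG)
    for key, n in counts.items():
        print(n, key)
    print(correlate(events, client_tls_alert(RCLONE_LINE)[0]))
```

In this log the handshake failures are recorded against the listening socket (`0.0.0.0:443`) while the upstream failures name `dav.example.com`, so the two groups are separate problems: the client's TLS alert lines up with a handshake failure, not with the refused connections to port 9090.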

Did something change two weeks ago? What version are you on? Did you upgrade?

Did you see the template when you first posted? That is the best format to fill things out, as it helps us without asking questions that are part of the template.

Can you run the command with a debug log -vv and share the output?

Thanks for the swift reply. I left a draft a while back. That must have overwritten the template. Sorry about that.
No, I've been too busy these several weeks and I left everything untouched.
Here's the additional info about my rclone:
(Both the server and client are using the same version.)

rclone v1.51.0
- os/arch: linux/amd64
- go version: go1.13.7

And I tried setting log level to debug as you suggested, but sadly nothing happened. (Aside from the common traffic with google drive, rclone didn't log anything when I tried to access the webdav.) I think the traffic didn't even make it through nginx. And I am having an ERR_SSL_PROTOCOL_ERROR with chrome. Guess there's something wrong with nginx.

Able to test it without the proxy and see if that works?

That's a slightly old version of rclone but not ancient. It might be worth trying on the latest and see if something changed (doubt it though since it was working fine before).

I suspect the tls error message might be due to incompatible ciphers.

Can you allow all the ciphers in nginx and see if that helps? You can then try narrowing them down later if that works.

Thanks for the suggestion.
I tried caddy and it worked just fine :laughing: So there must be something wrong with nginx. Looks like I need to spend some time with nginx..


I'm a caddy fan. It serves the rclone website!

OK I've found the solution. The problem was with nginx.
TL;DR:
Just add default_server to the listen directive of nginx config.
So it should look like this:

listen 443 default_server ssl;

I was at my wit's end until I came across this post.
Not sure about the side-effects as I'm not that familiar with nginx either.
It's pretty strange everything worked just fine a few months ago.

