Errors in docker logs

YerayAlonso · November 25, 2024, 9:03pm

I keep getting errors on docker logs, even with the simple example TLS Challenge from the docs:

I just run docker logs -f traefik to see the logs in --log.level=DEBUG:

2024-11-25T21:40:19+01:00 ERR github.com/traefik/traefik/v3/pkg/server/router/tcp/router.go:407 > Error while peeking client hello bytes error=EOF
2024-11-25T21:40:19+01:00 DBG log/log.go:245 > http: TLS handshake error from 91.251.4.38:33248: tls: first record does not look like a TLS handshake

And it keeps showing more and more like those

2024-11-25T21:57:27+01:00 ERR github.com/traefik/traefik/v3/pkg/server/router/tcp/router.go:407 > Error while peeking client hello bytes error=EOF
2024-11-25T21:57:27+01:00 DBG log/log.go:245 > http: TLS handshake error from 2.190.86.162:22917: tls: first record does not look like a TLS handshake
2024-11-25T21:57:28+01:00 DBG log/log.go:245 > http: TLS handshake error from 5.209.157.229:58082: tls: unsupported SSLv2 handshake received
2024-11-25T21:57:29+01:00 ERR github.com/traefik/traefik/v3/pkg/server/router/tcp/router.go:407 > Error while peeking client hello bytes error=EOF
2024-11-25T21:57:29+01:00 DBG log/log.go:245 > http: TLS handshake error from 2.187.123.159:47970: tls: first record does not look like a TLS handshake
2024-11-25T21:57:29+01:00 ERR github.com/traefik/traefik/v3/pkg/server/router/tcp/router.go:407 > Error while peeking client hello bytes error=EOF
2024-11-25T21:57:29+01:00 DBG log/log.go:245 > http: TLS handshake error from 5.209.10.43:51826: tls: first record does not look like a TLS handshake
2024-11-25T21:57:30+01:00 DBG log/log.go:245 > http: TLS handshake error from 77.77.70.110:31326: tls: unsupported SSLv2 handshake received
2024-11-25T21:57:32+01:00 ERR github.com/traefik/traefik/v3/pkg/server/router/tcp/router.go:407 > Error while peeking client hello bytes error="read tcp 172.18.0.2:443->204.18.161.142:9440: i/o timeout"
2024-11-25T21:57:32+01:00 DBG log/log.go:245 > http: TLS handshake error from 204.18.161.142:9440: tls: first record does not look like a TLS handshake
2024-11-25T21:57:42+01:00 DBG log/log.go:245 > http: TLS handshake error from 5.211.101.24:45413: tls: unsupported SSLv2 handshake received
2024-11-25T21:57:45+01:00 ERR github.com/traefik/traefik/v3/pkg/server/router/tcp/router.go:407 > Error while peeking client hello bytes error=EOF
2024-11-25T21:57:45+01:00 DBG log/log.go:245 > http: TLS handshake error from 5.211.189.44:34361: tls: first record does not look like a TLS handshake
2024-11-25T21:57:48+01:00 DBG log/log.go:245 > http: TLS handshake error from 5.211.101.24:45434: tls: unsupported SSLv2 handshake received
2024-11-25T21:57:49+01:00 DBG log/log.go:245 > http: TLS handshake error from 80.87.206.66:35484: tls: unsupported SSLv2 handshake received
2024-11-25T21:57:49+01:00 ERR github.com/traefik/traefik/v3/pkg/server/router/tcp/router.go:407 > Error while peeking client hello bytes error=EOF

I've also tried the http challenge with the same result.
I'm also having the same issue with Traefik v2.

bluepuma77 · November 25, 2024, 9:51pm

It seems you have a Traefik TLS entrypoint and someone connects without TLS. In the Internet this happens all the time.

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

YerayAlonso · November 26, 2024, 7:19am

Sure!

services:

  traefik:
    image: "traefik:v3.2"
    container_name: "traefik"
    command:
      - --log.level=DEBUG
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entryPoints.websecure.address=:443
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.le.acme.email=postmaster@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - 443:443
    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`dev.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=le"

To post it here, I only changed the values for the acme.email and the whoami.rule

bluepuma77 · November 26, 2024, 11:41am

Seems like a regular config, so probably someone is connecting to your host without TLS. Happens all the time.

Topic		Replies	Views
500 Internal Server Error - tls: first record does not look like a TLS handshake Traefik v1 docker	1	4454	August 21, 2019
I keep getting bad cert Traefik v2 docker-swarm	0	410	November 23, 2019
TLS Handshake Error with Let's Encrypt Certificate via DNS Challenge Traefik v2 docker , letsencrypt-acme	2	2441	July 28, 2022
Traefik 2.10 bad certificate error from letsencrypt due dashboard and other services in spite of insecureSkipVerify Traefik v2 docker , letsencrypt-acme , tcp	2	1603	September 17, 2023
How to log TLS errors Traefik v3 (latest) file	3	10	March 4, 2025

Errors in docker logs

Related topics