Cannot open URL

+1 vote
asked Apr 4, 2020 in Bug by anonymous
I'm maintain my own stylesheet and it has been working just fine with the demo server. Since a couple of weeks I have been getting "Cannot open URL" even though it works locally (PlantUML Server 20200319-1304 / version 1202004 ) just fine.

For improved debugging in the future, maybe you can print the message of the IOException in the picture?

Since I don't want to publish my style sheet, maybe somebody can take a look at what exactly happens during rendering. I have tried to host my file on gitlab.com as well as gitlab.io so I'm quite confident it's not your IP being blocked :P

1 Answer

0 votes
answered Apr 4, 2020 by plantuml (294,960 points)
Could you create and host a dummy stylesheet somewhere and post here a simple example that show the issue ?

Thanks,
commented Apr 5, 2020 by plantuml (294,960 points)

Sure, we have to improve our error message.

However, the URL https://puml.gitlab.io/test/puml seems to have an issue.

The best thing to do is to check your URL with "curl". Here our result :

curl -L https://puml.gitlab.io/test/puml
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

I am not sure to fully understand what's going on. I guess that this URL need some authentification ?

commented Apr 15, 2020 by anonymous

You are right, I forgot to set the page to public. I just did that (and have done it before on the real stylesheet) and it still doesn't work on your server for me.

$ curl -s https://puml.gitlab.io/test/puml
!define  color  #272727

commented Apr 15, 2020 by plantuml (294,960 points)
Ok, so we just added some more information about the error

http://www.plantuml.com/plantuml/uml/SoWkIImgAStDuLBCp4lEAKr9BItAKSWeAIaejjBNBm1AwALdbkGa9kbbvkkNf1QNWCMuk8fIaqiIyz9pKXMKGe2YHiPAN0wfUIb0EG00

(your diagram has been slightly modified to avoid cache issue)

I'm not sure about the exact meaning of "received fatal alert handshake_failure". We are going to investigate... Any idea is welcome !
commented Apr 15, 2020 by anonymous
The information about the cache is good to know. So I need to adjust the rectangle's name to get a fresh result?

Handshake smells like a TLS issue. Strangely it works on my server. Maybe there is a different OpenSSL version (or whatever you use) in place?
commented Apr 15, 2020 by plantuml (294,960 points)

So I need to adjust the rectangle's name to get a fresh result?

Yes, because any change in your text diagram will change the URL. This way, you are sure that no proxy is caching the image between you and our server.

Maybe there is a different OpenSSL version (or whatever you use) in place?

Ok, we are going to investigate. We need to be cautious here because we don't want to break our service :-)

We'll post a message here when we will have some news

commented Apr 15, 2020 by anonymous
I have deactivated the redirect from http->https and can confirm http works. So it's most likely not some source ip blacklisting - would be strange if they did that for https only.

I also ran Qualy's Ssl-Test against gitlab.io and it confirms Java 8u161+ should work.

That brings me to end of my wits though. Maybe you can try something like jcurl (https://github.com/eeichinger/jcurl) from inside the server to check if the problem is server-related or plantuml-related?

I can provide versions etc. from my working server if you want to compare. Do you use your own docker image (then I could try that too) or run puml natively?
commented Apr 15, 2020 by plantuml (294,960 points)

I can provide versions etc. from my working server if you want to compare. Do you use your own docker image (then I could try that too) or run puml natively?

Thanks, but we have enough information to work right now.

It's also working from our dev server. So I am pretty sure that the issue comes from the fact that our prod server uses a too old version of Java, which have issue with latest TLS version. So we probably *just* need to upgrade our JVM.

Now the real issue is that we must to that without any service interruption. It's not that hard but we need to prepare the migration carefully...

Don't worry, we'll do it ! In the meantime, maybe you could use http instead of https (temporary)

commented Apr 15, 2020 by anonymous
Yeah no worries. Thanks for your efforts :)
commented Apr 19, 2020 by plantuml (294,960 points)
We've just upgraded our JVM on our prod server.

It seems to work fine now :-)

Tell us if you find regressions !

Thanks,

Arnaud
...