SSL Error : LibreSSL SSL_connect: SSL_ERROR_SYSCALL or openssl s_client write:errno=54

   Trying 1.1.1.1....
* TCP_NODELAY set
* Connected to example.com (1.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
openssl s_client -connect example.com:443 -msg 
CONNECTED(00000006)
>>> TLS 1.2 Handshake [length 00bf], ClientHello
*
*
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

If you are trying to connect to the site and its throwing above error then

Its MOST probably an issue with your SSL certificates private key. Sometime the way Private keys are placed on the your proxy/web/server end gets corrupted while copy pasting and its not able to send the response as “Server hello” As you can see above.

Double check with Private key if its base64 decode format to make sure the keys are matching correctly.

Also sometime the keys format are in following format.

-----BEGIN PRIVATE KEY-----
MIIEv******************************************EQ
*
*
-----END PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-XXXX-CBC,11111111

mJiISQA***************************KJUH/ijPU
*
*
-----END RSA PRIVATE KEY-----⏎

If you see above the 1st key do not have RSA string in it.

The 2nd key have some other strings in first 2 lines before it started encoded string.

This creates issue on SSL cert at server side while responding to the request. Depending on what kind of server you are running you should convert your .pem/.pfx file in correct private key format.


-----BEGIN RSA PRIVATE KEY-----
***
-----END RSA PRIVATE KEY-----⏎

To FIX this: You need to get your private key in correct format by using following command.

# RSA private key

openssl pkcs12 -in myfile.pfx -nocerts -nodes | openssl rsa -out privkey.pem

Some other handy command.

openssl x509 -text -noout -in /tmp/cert.kn
#if your .pfx/.pem file is password protected.
echo "YOUR_PASSWORD" > passfile

# Public Key
openssl pkcs12 -in myfile.pfx -nokeys -out certificate.pem -passin file:passfile
# RSA private key
openssl pkcs12 -in myfile.pfx  -nocerts -nodes | openssl rsa -out privkey.pem
# Private key
openssl pkcs12 -in myfile.pfx -nocerts -out private-key.pem -nodes

## if you want to use on AWS Certificate Manager.
openssl pkcs12 -in $pfx_cert -nocerts -nodes -passin file:passfile | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > $certs_dir/server.key
openssl pkcs12 -in $pfx_cert -clcerts -nokeys -passin file:passfile -out $certs_dir/cert.pem
openssl pkcs12 -in $pfx_cert -cacerts -nokeys -passin file:passfile -out $certs_dir/chain.pem

Hope this is helpful!