All of a sudden, a previously working Docker-deployed cluster stopped accepting any connections:
```
cqlsh --debug --ssl -u <username> -p <username>
...
Using CQL driver: <module 'cassandra' from '/opt/cassandra/bin/../lib/cassandra-driver-internal-only-3.11.0-bb96859b.zip/cassandra-driver-3.11.0-bb96859b/cassandra/__init__.py'>
Using connect timeout: 300 seconds
Using 'utf-8' encoding
Using ssl: True
Connection error: ('Unable to connect to any servers', {'172.X.X.X': error(1, u"Tried connecting to [('172.X.X.X', 9042)]. Last error: [SSL] internal error (_ssl.c:727)")})
```
On the node's side there are no exceptions.
It is not a networking issue, because a connection without the `--ssl` option leads to an `io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record...` exception on the Cassandra nodes (which means it sees the host and can communicate with it).
It is more or less clear that the problem is somewhere in the certificates used for authentication.
Is there any way to get more details about the underlying error?
PS: The issue happens when the Cassandra 3.11.9 image is used, which has been switched to ubuntu-focal: https://github.com/docker-library/cassandra/commit/8b1427f0670684b13e58006c0bf46df18a01ee0b. With Cassandra 3.11.7 everything is working fine.
It seems Cassandra 3.11.8+ requires a newer version of TLS. Forcing it in the cqlsh client configuration should help (see How to force SSL TLSv1.2 protocol with DSE).
```ini
[connection]
(...)
factory = cqlshlib.ssl.ssl_transport_factory
ssl = true
[ssl]
(...)
version = SSLv23
```
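
To get more detail than cqlsh's `[SSL] internal error`, one approach is to attempt a handshake against the node's native port with each TLS version pinned in turn and record which ones complete. This is an added example, not part of the original posts; `probe_tls_versions` is a hypothetical helper, the host is supplied by the reader, and certificate verification is disabled because only handshake behaviour is being examined (a node that requires client certificates will reject every attempt).

```python
import socket
import ssl
import sys
import warnings

# Protocol versions to try, one handshake per version.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def probe_tls_versions(host, port=9042, timeout=5.0):
    """Return {version_name: outcome}, outcome being 'OK ...' or the error text."""
    results = {}
    for version in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Diagnostic only: observe the handshake, do not validate the chain.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with warnings.catch_warnings():
                # Pinning TLS 1.0/1.1 raises DeprecationWarning on recent Pythons.
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = version
                ctx.maximum_version = version
        except (ValueError, ssl.SSLError) as exc:
            results[version.name] = f"UNSUPPORTED locally: {exc}"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = f"OK {tls.version()} {tls.cipher()[0]}"
        except (ssl.SSLError, OSError) as exc:
            # Keep the exception class: it separates TLS alerts from resets/timeouts.
            results[version.name] = f"FAILED {type(exc).__name__}: {exc}"
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <host> [port]")
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 9042
    for name, outcome in probe_tls_versions(sys.argv[1], target_port).items():
        print(f"{name:8} {outcome}")
```

A version that fails before any bytes reach the node points at the client's own OpenSSL policy; a version that fails with an alert from the peer points at the node's accepted protocol range.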