HTTPS Handshake Failure during API enrichment


I’ve created an API enrichment that runs fine against a local dev server over HTTP, but when running against an HTTPS server I get the following error:

"errors":[{"level":"error","message":" Received fatal alert: handshake_failure"}]

I can successfully curl to the HTTPS server from the machine that’s running the enrichment, and all is fine. I’ve checked the java keystore, and it appears to contain the root verisign certificate used by the server. Is there any way to get a more verbose error message here? Thanks!


My current guess is this is related to AWS API Gateway using SNI certificates - I can connect to an HTTPS site that isn’t using SNI. Has anyone else created an API enrichment that connects to an SNI HTTPS host? Any ideas on how I could configure/patch the code to fix this? Thanks!


This ended up to be an issue with Java 8, related to this issue:

I’d switched to Java 8 because Java 7 is no longer easily available, and apparently there’s a bug in Java 8 with SNI where it doesn’t work unless the HTTPS object is initialized correctly:

I’ve changed to using openjdk-7 instead of the no longer available oracle 7, and so far everything seems to be working OK.

Java 7 is no longer downloadable when firing up Snowplow using Vagrant

That’s odd @mrosack - we haven’t had the same problem with the CI/CD for our incoming R89 release, which also uses Java 8:


The bug with TLS seemed to be in the akka library (fixed in 2.4.3 - see github issue above), and it looks like you guys have moved away from akka for the new enrichment process, so it’ll probably be good going forward. But I’m definitely having issues connecting to TLS sites with java 8 with the current enrichment code. Thanks!