I’ve got an idea why that error might be happening: because certbot is only capable of getting RSA certs, I’ve got an RSA cert, so my server can only support e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, while your server provides e.g. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, and all of that is paired with an ECC client cert (it stops after the frame that (among others) includes the client cert).
That’s just a thought, and I can’t inspect more in Wireshark because of the encryption, and I haven’t got the keylog (like in https://github.com/joneskoo/http2-keylog) implemented (I’m not using Go; help appreciated).
I might try it with nginx, but I don’t know for sure, as that involves downtime.
I guess maybe make sure your Apache actually speaks and accepts ECDSA etc. Apart from that I have no idea. Our crypto settings aren’t especially cutting edge; the certs etc. have been the same for many years. Our global nginx setup is many years old and uses mostly defaults.
> I guess maybe make sure your Apache actually speaks and accepts ECDSA
It can’t, because of certbot’s pending ECDSA support, and you can’t use ECDSA without an ECDSA cert (that has nothing to do with how new or old your nginx is).
If this is the problem, this would be a problem with the Go client implementation.
The problem is, as I do not know Go, I can’t even transform `curl -v -X POST --cert cert.pem --key key.pem https://<redacted> -d '{"addresses":["tcp://0.0.0.0:22000"]}' -H "Content-Type: application/json"` into Go code to test whether this already breaks.
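A Go equivalent of that curl command, as an added example that is not from the original post or from the project under discussion: `postJSON` loads a client certificate and key, trusts a given root pool, and sends the same JSON body with the same `Content-Type` header. To make it runnable offline, `RunDemo` generates throwaway certificates (RSA for the server, ECDSA for the client, mirroring the combination described above) and starts a local TLS 1.2 server that requires a client certificate; the server echoes back the client cert’s key algorithm and the negotiated cipher suite. The local test server, the certificate names and the reply format are assumptions for the demo; in practice you would load `cert.pem`/`key.pem` with `tls.LoadX509KeyPair` and use the system roots.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// selfSigned issues a self-signed certificate for key. This is constructed
// demo material only; a real client would use tls.LoadX509KeyPair("cert.pem", "key.pem").
func selfSigned(key crypto.Signer, cn string) (tls.Certificate, *x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// postJSON mirrors: curl -X POST --cert cert.pem --key key.pem -H "Content-Type: application/json" -d body url
func postJSON(url string, clientCert tls.Certificate, roots *x509.CertPool, body string) (int, string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		Certificates: []tls.Certificate{clientCert}, // --cert / --key
		RootCAs:      roots,                          // nil here would mean the system roots
		MinVersion:   tls.VersionTLS12,
	}}}
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(body))
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err // a handshake failure (e.g. rejected client cert) surfaces here
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, string(b), nil
}

// RunDemo runs an RSA-certificate server that requires an ECDSA client certificate
// and POSTs to it, returning the server's reply (peer key algorithm, cipher suite, body).
func RunDemo() (string, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	serverCert, serverLeaf, err := selfSigned(rsaKey, "server.example") // assumed name
	if err != nil {
		return "", err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	clientCert, clientLeaf, err := selfSigned(ecKey, "client.example") // assumed name
	if err != nil {
		return "", err
	}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientLeaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.Header.Get("Content-Type") != "application/json" {
			http.Error(w, "expected JSON POST", http.StatusBadRequest)
			return
		}
		body, _ := io.ReadAll(r.Body)
		peer := r.TLS.PeerCertificates[0] // present because ClientAuth requires it
		fmt.Fprintf(w, "peer=%s suite=%s body=%s", peer.PublicKeyAlgorithm, tls.CipherSuiteName(r.TLS.CipherSuite), body)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
		MaxVersion:   tls.VersionTLS12, // TLS 1.2 so the ECDHE_RSA_* suite names from the thread are visible
	}
	srv.StartTLS()
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(serverLeaf)
	status, reply, err := postJSON(srv.URL, clientCert, roots, `{"addresses":["tcp://0.0.0.0:22000"]}`)
	if err != nil {
		return "", err
	}
	if status != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d: %s", status, reply)
	}
	return reply, nil
}

func main() {
	reply, err := RunDemo()
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	fmt.Println(reply)
}
```

Against a real server, replace the generated certificates with `tls.LoadX509KeyPair` and pass `nil` as `roots`; if the handshake is the problem, `client.Do` returns the error before any HTTP response exists, which is the same point at which the curl run stops.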
Maybe your Apache doesn’t have support for ECC? There are all kinds of broken setups, FIPS-compliant SSL libs, and so on. My point is that if we agree, for the sake of argument, that Go and Apache are generally compatible, it boils down to configuration on either side. On the Go side there is not much set apart from the defaults. On the Apache side there are literally hundreds of variables. But feel free to file it as a Go bug.
C) It uses upstream OpenSSL 1.1.1 and quite upstream Apache (the Ubuntu one, which essentially, if it has any changes at all, only has changes to the config file locations).