Docker container tryretool/https-portal broken

Hi, I wanted to open an issue on GitHub, which is unfortunately disabled in the on-prem repo. The renewal of certs is no longer working as the cron job won’t start anymore. The log of the docker container gives the following error:

 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: xxx, server: xxx

I first thought I might have an outdated version of the container, but when I checked Docker Hub, the last update of this container was 7 years ago: tryretool/https-portal - Docker Image

This leads to the certs no longer being auto-updated which led to an expired cert on our end with a disruption of service.

Hey @lluft,

Thanks for reaching out to the Retool community.

The SSL_do_handshake() / version too low message only seems to occur when the HTTPS termination container is making an outbound TLS connection, which most commonly happens during the Let’s Encrypt certificate renewal job.

In your setup, the tryretool/https-portal image is responsible for TLS termination and cert auto-renewal. You are correct that the image we use hasn’t been updated in several years and relies on older TLS/OpenSSL defaults. Let’s Encrypt endpoints may now require TLS 1.2+, which could cause something like this to now happen and mention the version is no longer supported.

Retool itself doesn’t manage TLS or certificate renewal in on-prem deployments, so upgrading or restarting Retool wouldn’t affect this behavior. We would recommend replacing https-portal with a more modern and actively maintained TLS solution (i.e., NGINX + certbot, Traefik, Caddy, or a cloud load balancer) to restore reliable certificate renewal going forward. (Configure SSL and custom certificates | Retool Docs)

Retool uses this open-source https-portal from here, so you could try to use this distro instead and verify if it then works: GitHub - SteveLTN/https-portal: A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.

Looking forward to hearing back.

Regards,
John | Retool Support
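
To see which peers trigger the handshake error quoted in the question, the container's nginx error log can be grouped by OpenSSL reason and client address. This is an added example, not part of the original thread and not Retool or https-portal code; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the nginx error-log entry for a failed TLS handshake.
ENTRY = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL:(?P<errors>.*?)\) while SSL handshaking"
    r"(?:, client: (?P<client>[^,\s]+))?(?:, server: (?P<server>[^,\s]+))?"
)

# Constructed sample input (documentation-range addresses).
SAMPLE_LOG = """\
2025/01/10 03:00:01 [crit] 12#12: *41 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
2025/01/10 03:00:02 [crit] 12#12: *42 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
2025/01/10 03:00:03 [info] 12#12: *43 SSL_do_handshake() failed (SSL: error:0A000102:SSL routines::unsupported protocol) while SSL handshaking, client: 198.51.100.20, server: 0.0.0.0:443
2025/01/10 03:00:05 [notice] 1#1: signal process started
"""

def parse_line(line):
    """Return client, server and the OpenSSL error entries, or None if not a handshake failure."""
    m = ENTRY.search(line)
    if not m:
        return None
    errors = []
    # nginx prints the OpenSSL error queue as space-separated "error:..." entries.
    for chunk in re.split(r"\s+(?=error:[0-9A-Fa-f]+:)", m["errors"].strip()):
        parts = chunk.split(":", 4)  # error : code : library : function : reason
        if len(parts) == 5 and parts[0] == "error":
            # OpenSSL 3.x leaves the function field empty.
            errors.append({"code": parts[1], "function": parts[3],
                           "reason": parts[4].strip()})
    return {"client": m["client"], "server": m["server"], "errors": errors}

def summarize(log_text):
    """Count handshake failures per (reason, client) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for err in entry["errors"]:
            counts[(err["reason"], entry["client"])] += 1
    return counts

if __name__ == "__main__":
    for (reason, client), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {reason:<24} {client}")
```
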