#SSL routines:ST_CONNECT:tlsv1 alert protocol version


uncut coyote
#

Running into an issue here with workers, where I cannot curl specifically in San Francisco. When I VPN somewhere else it works. I have tried on multiple different machines.

curl -vv https://oai.hconeai.com
*   Trying [2606:4700::6812:cba]:443...
* Connected to oai.hconeai.com (2606:4700::6812:cba) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

foggy sun
#

Not seeing a CAA record

$ dig CAA oai.hconeai.com

; <<>> DiG 9.10.6 <<>> CAA oai.hconeai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6659
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;oai.hconeai.com.        IN    CAA

;; AUTHORITY SECTION:
hconeai.com.        1800    IN    SOA    hattie.ns.cloudflare.com. dns.cloudflare.com. 2342329865 10000 2400 604800 1800

;; Query time: 13 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Mon May 27 22:44:50 BST 2024
;; MSG SIZE  rcvd: 122

$ dig CAA hconeai.com

; <<>> DiG 9.10.6 <<>> CAA hconeai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hconeai.com.            IN    CAA

;; AUTHORITY SECTION:
hconeai.com.        1800    IN    SOA    hattie.ns.cloudflare.com. dns.cloudflare.com. 2342329865 10000 2400 604800 1800

;; Query time: 12 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Mon May 27 22:44:53 BST 2024
;; MSG SIZE  rcvd: 118

only weird thing i'm seeing immediately

#

what colo and what's your ray ID when hitting with the cert error?

uncut coyote
#

Thanks @foggy sun for your message

I am not able to get any more information

curl -vv -I https://oai.hconeai.com
*   Trying [2606:4700::6812:dba]:443...
* Connected to oai.hconeai.com (2606:4700::6812:dba) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

The weird issue here is that I am able to deploy a new worker under a different domain and it works correctly... We actually have a bunch of domains pointing to the same worker...

Here are a few

Domains that do not work

Domains that do work

Some other weird notes and behavior

The issue is not operating system specific and is happening location specific.

When I join a VPN I do not run into this issue. Running from different computers, at different locations within San Francisco, causes this issue to happen.

I have tried the following environments

MacOS + Node + (Lower Haight SF)
MacOS + Curl + (Lower Haight SF)
Ubuntu + Curl + (Lower Haight SF)
MacOS + Node + (Downtown SF)
MacOS + Curl + (Downtown SF)

I have attempted on multiple devices and the issue persists. I tried clearing my computer's DNS cache as well and that did not help. I also was experiencing some issues with ipv6 and forcing it to be ipv4 does not help.

Right now I deployed another worker on another domain to unblock some customers https://oai.helicone.ai

@foggy sun here are the Ticket IDs I have created

#3276797
#3274350
#3273394

foggy sun
#

can you do a curl https://cloudflare.com/cdn-cgi/trace and send the output (but censor the ip=)

#

i can check the tickets in a bit (please note, creating multiple just slows down the process)

uncut coyote
foggy sun
#

ok cool, if they're separate then it's all good

uncut coyote
#

curl https://cloudflare.com/cdn-cgi/trace
fl=465f161
h=cloudflare.com
ip=
ts=1716855598.869
visit_scheme=https
uag=curl/8.4.0
colo=SJC
sliver=none
http=http/2
loc=US
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
rbi=off
kex=X25519

foggy sun
#

ty - i tested sjc earlier and it seemed to work for me, i'll check it a bit more in a little. let me finish this hearthstone game

#

yeah not seeing anything weird, added myself to all 3 tickets and will chat to support folk tomorrow

uncut coyote
#

Thanks Walshy - Happy to provide more information if needed