Assistance with http/2 connections to origin #12674

@CanOfSocks

Description

I am having a lot of trouble connecting to my apache2 web server origin using the trafficserver docker.

On the web server origin, I have several remote hosts, with the remap rules:

map http://vhost1.canofsocks.com/ https://192.168.4.5:443/ @plugin=slice.so @pparam=--blockbytes=10m  @pparam=--prefetch-count=3 @pp>
map http://vhost2.canofsocks.com/ https://192.168.4.5:443/ @plugin=slice.so @pparam=--blockbytes=10m  @pparam=--prefetch-count=3 @ppa>
map http://vhost3.canofsocks.com/ https://192.168.4.5:443/
map http://vhost4.canofsocks.com/ https://192.168.4.5:443/

My assumption is the issue lies with the result of this curl command within the traffic server docker:

curl -v -k --resolve vhost2.canofsocks.com:443:192.168.4.5 https://vhost2.canofsocks.com/
* Added vhost2.canofsocks.com:443:192.168.4.5 to DNS cache
* Hostname vhost2.canofsocks.com was found in DNS cache
*   Trying 192.168.4.5:443...
* Connected to vhost2.canofsocks.com (192.168.4.5) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* BoringSSL: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE
* Closing connection
curl: (35) BoringSSL: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE

Which succeeds on the host machine the docker is on:

curl -v -k --resolve vhost2.canofsocks.com:443:192.168.4.5 https://vhost2.canofsocks.com/
* Added vhost2.canofsocks.com:443:192.168.4.5 to DNS cache
* Hostname vhost2.canofsocks.com was found in DNS cache
*   Trying 192.168.4.5:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / ED25519
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=None; L=None; O=None; CN=*
*  start date: Sep 12 08:24:05 2025 GMT
*  expire date: Sep 10 08:24:05 2035 GMT
*  issuer: C=US; ST=None; L=None; O=None; CN=*
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type ED25519 (256/128 Bits/secBits), signed using ED25519
* Connected to vhost2.canofsocks.com (192.168.4.5) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://vhost2.canofsocks.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: vhost2.canofsocks.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.14.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: vhost2.canofsocks.com
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200
< last-modified: Tue, 18 Nov 2025 18:36:47 GMT
< etag: "46e-643e2bf0ec06b"
< accept-ranges: bytes
< content-length: 1134
< cache-control: max-age=1800
< expires: Wed, 19 Nov 2025 11:08:16 GMT
< vary: Accept-Encoding
< x-content-type-options: nosniff
< x-frame-options: sameorigin
< x-xss-protection: 0
< x-robots-tag: noindex, nofollow
< x-permitted-cross-domain-policies: none
< referrer-policy: no-referrer
< content-type: text/html; charset=UTF-8
< date: Wed, 19 Nov 2025 10:38:16 GMT
< server: Apache
<
<!DOCTYPE html>
<html lang="en">
  ...
  </body>
* Connection #0 to host vhost2.canofsocks.com left intact

I am using a self-signed certificate as security is not an issue, only required for http2 to work for traffic server. Ideally, I'd like to use HTTP2 cleartext, but this does not appear to be mentioned as supported in the documentation.

I have attempted to set up an SSL key and certificate from within the docker:
openssl genpkey -algorithm ed25519 -out /opt/etc/trafficserver/ssl/canofsocks.key -outform PEM
openssl req -new -x509 -key /opt/etc/trafficserver/ssl/canofsocks.key -out /opt/etc/trafficserver/ssl/canofsocks.crt -days 3650 -subj "/CN=*.canofsocks.com" -addext "subjectAltName = DNS:canofsocks.com, IP:192.168.4.5" -outform PEM

I have also included this line in ssl_multicert:
dest_ip=192.168.4.5 ssl_cert_name=/opt/etc/trafficserver/ssl/canofsocks.crt ssl_key_name=/opt/etc/trafficserver/ssl/canofsocks.key

A possibly related error in the debug logs of diags.log:

[Nov 19 01:25:21.767] traffic_server NOTE: (ssl) ssl_multicert.config loading ...
[Nov 19 01:25:21.772] traffic_server WARNING: (ssl) Failed to insert SSL_CTX for certificate /opt/etc/trafficserver/ssl/canofsocks.crt  entries for names already made
[Nov 19 01:25:21.773] traffic_server NOTE: /opt/etc/trafficserver/ssl_multicert.config finished loading
[Nov 19 01:25:21.773] traffic_server NOTE: (quic) ssl_multicert.config loading ...
[Nov 19 01:25:21.773] traffic_server WARNING: (quic) Failed to insert SSL_CTX for certificate /opt/etc/trafficserver/ssl/canofsocks.crt  entries for names already made

Finally, I have these "Unknown" errors in my errors.log:

20251118.11h15m10s CONNECT: attempt fail [CONNECTION_ERROR] to 192.168.4.5:443 for host='vhost2.canofsocks.com' connection_result=Unknown [-20104] error=Unknown [-20104] retry_attempts=0 url='https://192.168.4.5:443/rss/rss.xml'
20251118.11h15m11s CONNECT: attempt fail [CONNECTION_ERROR] to 192.168.4.5:443 for host='vhost2.canofsocks.com' connection_result=Unknown [-20104] error=Unknown [-20104] retry_attempts=1 url='https://192.168.4.5:443/rss/rss.xml'
20251118.11h15m12s CONNECT: attempt fail [CONNECTION_ERROR] to 192.168.4.5:443 for host='vhost2.canofsocks.com' connection_result=Unknown [-20104] error=Unknown [-20104] retry_attempts=2 url='https://192.168.4.5:443/rss/rss.xml'

A behaviour I have also noticed is that for the curl commands from the host machine that the traffic server is running on, the connection is logged, whereas attempts from traffic server or curl commands from within the traffic server container do not register, leading me to believe the request fails before attempting to connect to traffic server.

Finally my records.yaml:
records.yaml

At this stage, I am at my limit of knowledge of how to fix the issues I am facing. Any assistance would be greatly appreciated.
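A TLS negotiation probe, added here as an example and not part of the issue or of Traffic Server: it repeats the `curl -k --resolve` check from the issue using Python's `ssl` module, pinning each attempt to a single TLS version and offering `h2` and `http/1.1` via ALPN, then reports what was negotiated or classifies the alert that came back. Running it from the host and from inside the container shows whether the two client stacks differ in version range or are rejected the same way. The IP, port and SNI name default to the values in the issue; `probe`, `probe_matrix`, `classify_ssl_error` and `TLS_VERSION_ROWS` are names chosen for this example.

```python
import socket
import ssl

# Constructed defaults mirroring the curl invocation in the issue; change for your setup.
ORIGIN_IP = "192.168.4.5"
ORIGIN_PORT = 443
SNI_HOST = "vhost2.canofsocks.com"

# One row per TLS version so a version-range difference between two client
# builds shows up as a row that succeeds from one vantage point and not the other.
TLS_VERSION_ROWS = {
    "tls1.3": (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3),
    "tls1.2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
}


def make_client_context(label, alpn=("h2", "http/1.1")):
    """Client context pinned to one TLS version, offering the given ALPN list.
    Verification is off on purpose, like `curl -k`: this probes negotiation,
    not trust, and the origin in the issue uses a self-signed certificate."""
    lo, hi = TLS_VERSION_ROWS[label]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    ctx.set_alpn_protocols(list(alpn))
    return ctx


def describe_context(ctx):
    """(min version name, max version name, verification disabled?) for a context."""
    return (ctx.minimum_version.name, ctx.maximum_version.name,
            ctx.verify_mode == ssl.CERT_NONE)


def classify_ssl_error(err):
    """Coarse cause from the OpenSSL reason string; accepts an ssl.SSLError or text."""
    text = err if isinstance(err, str) else (getattr(err, "reason", None) or str(err))
    text = text.upper()
    if "HANDSHAKE_FAILURE" in text:
        # Alert 40: nothing in the client hello (version, cipher, group, signature
        # algorithm, SNI name) was acceptable. The alert does not say which field.
        return "handshake_failure"
    if "PROTOCOL_VERSION" in text or "UNSUPPORTED_PROTOCOL" in text:
        return "version_mismatch"
    if "CERTIFICATE_VERIFY_FAILED" in text:
        return "cert_verify"
    return "other"


def probe(ip, port, sni, label, timeout=5.0):
    """One handshake attempt; returns what was negotiated or why it failed."""
    ctx = make_client_context(label)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            # server_hostname still sets SNI even though check_hostname is off.
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return {
                    "ok": True,
                    "version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "alpn": tls.selected_alpn_protocol(),
                }
    except ssl.SSLError as exc:
        return {"ok": False, "cause": classify_ssl_error(exc), "detail": str(exc)}
    except OSError as exc:
        # Refused, timed out, unreachable: the failure happened before any TLS record.
        return {"ok": False, "cause": "socket", "detail": str(exc)}


def probe_matrix(ip=ORIGIN_IP, port=ORIGIN_PORT, sni=SNI_HOST):
    """Run the probe once per TLS version row."""
    return {label: probe(ip, port, sni, label) for label in TLS_VERSION_ROWS}


if __name__ == "__main__":
    for label, result in probe_matrix().items():
        print(label, result)
```

The `handshake_failure` cause is what the in-container BoringSSL trace in the issue reports (curl prints it as 552, that is 512 plus alert 40). A `socket` cause instead means no TLS endpoint answered, which is the other reading the issue raises. One detail the host trace already exposes is that the origin certificate is Ed25519; a client only completes the handshake with such a certificate if it advertises ed25519 in its signature_algorithms extension, a list Python's `ssl` module cannot change, so if the matrix succeeds from the host and fails from the container at both versions, the next comparison is the two stacks' signature algorithms (for example with `openssl s_client -sigalgs`).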
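A small parser for the two log formats quoted in the issue, added here as an example and not part of the issue or of Traffic Server. It groups the errors.log `CONNECT: attempt fail` lines by origin and host so the attempt count, the highest `retry_attempts` index and the set of error codes are visible at a glance, and it picks out the diags.log `Failed to insert SSL_CTX` warnings that ssl_multicert.config loading produced. The sample input is the log lines from the issue; `parse_connect_line`, `summarize_connect` and `ssl_ctx_warnings` are names chosen for this example.

```python
import re
from collections import defaultdict

# Sample input: the lines quoted in the issue's errors.log and diags.log.
ERRORS_LOG = [
    "20251118.11h15m10s CONNECT: attempt fail [CONNECTION_ERROR] to 192.168.4.5:443 for host='vhost2.canofsocks.com' connection_result=Unknown [-20104] error=Unknown [-20104] retry_attempts=0 url='https://192.168.4.5:443/rss/rss.xml'",
    "20251118.11h15m11s CONNECT: attempt fail [CONNECTION_ERROR] to 192.168.4.5:443 for host='vhost2.canofsocks.com' connection_result=Unknown [-20104] error=Unknown [-20104] retry_attempts=1 url='https://192.168.4.5:443/rss/rss.xml'",
    "20251118.11h15m12s CONNECT: attempt fail [CONNECTION_ERROR] to 192.168.4.5:443 for host='vhost2.canofsocks.com' connection_result=Unknown [-20104] error=Unknown [-20104] retry_attempts=2 url='https://192.168.4.5:443/rss/rss.xml'",
]
DIAGS_LOG = [
    "[Nov 19 01:25:21.767] traffic_server NOTE: (ssl) ssl_multicert.config loading ...",
    "[Nov 19 01:25:21.772] traffic_server WARNING: (ssl) Failed to insert SSL_CTX for certificate /opt/etc/trafficserver/ssl/canofsocks.crt  entries for names already made",
    "[Nov 19 01:25:21.773] traffic_server NOTE: /opt/etc/trafficserver/ssl_multicert.config finished loading",
    "[Nov 19 01:25:21.773] traffic_server NOTE: (quic) ssl_multicert.config loading ...",
    "[Nov 19 01:25:21.773] traffic_server WARNING: (quic) Failed to insert SSL_CTX for certificate /opt/etc/trafficserver/ssl/canofsocks.crt  entries for names already made",
]

# errors.log: timestamp, failure kind, origin ip:port, Host, result/error with
# bracketed numeric codes, retry index and the origin URL.
CONNECT_RE = re.compile(
    r"^(?P<ts>\d{8}\.\d{2}h\d{2}m\d{2}s) CONNECT: attempt fail \[(?P<kind>[A-Z_]+)\] "
    r"to (?P<ip>[^:\s]+):(?P<port>\d+) for host='(?P<host>[^']*)' "
    r"connection_result=(?P<result>.*?) \[(?P<result_code>-?\d+)\] "
    r"error=(?P<error>.*?) \[(?P<error_code>-?\d+)\] "
    r"retry_attempts=(?P<retries>\d+) url='(?P<url>[^']*)'$"
)
# diags.log: bracketed timestamp, process, level, optional (tag), message.
DIAGS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] traffic_server (?P<level>[A-Z]+): (?:\((?P<tag>\w+)\) )?(?P<msg>.*)$"
)
SSL_CTX_RE = re.compile(r"Failed to insert SSL_CTX for certificate (?P<cert>\S+)")


def parse_connect_line(line):
    """One errors.log CONNECT line as a dict, or None if it is something else."""
    m = CONNECT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "result_code", "error_code", "retries"):
        rec[key] = int(rec[key])
    return rec


def summarize_connect(lines):
    """Group failed origin connects by (ip, port, host)."""
    out = defaultdict(lambda: {"attempts": 0, "max_retries": 0,
                               "error_codes": set(), "urls": set()})
    for line in lines:
        rec = parse_connect_line(line)
        if rec is None:
            continue
        entry = out[(rec["ip"], rec["port"], rec["host"])]
        entry["attempts"] += 1
        entry["max_retries"] = max(entry["max_retries"], rec["retries"])
        entry["error_codes"].add(rec["error_code"])
        entry["urls"].add(rec["url"])
    return dict(out)


def ssl_ctx_warnings(lines):
    """The ssl_multicert load warnings: a certificate that was not inserted
    because the names it covers already had entries, keyed by loader tag."""
    found = []
    for line in lines:
        m = DIAGS_RE.match(line.strip())
        if not m or m.group("level") != "WARNING":
            continue
        c = SSL_CTX_RE.search(m.group("msg"))
        if c:
            found.append({"ts": m.group("ts"), "tag": m.group("tag"),
                          "cert": c.group("cert")})
    return found


if __name__ == "__main__":
    for key, entry in summarize_connect(ERRORS_LOG).items():
        print(key, entry)
    for w in ssl_ctx_warnings(DIAGS_LOG):
        print(w)
```

On the issue's own lines the summary shows three consecutive attempts (retry indices 0 to 2) to the same origin with a single error code, and the warning list shows that both the `ssl` and the `quic` loader skipped the same certificate because entries for its names already existed, which is the condition the `dest_ip=` line in ssl_multicert.config would need to be checked against.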
