Acme-v02.api.letsencrypt.org sends RST right after connecting

Hello,

trying to renew certificates, every time acme-v02.api.letsencrypt.org resets the connection right after connecting.

This happens only with one IP address, everything else works fine.

Here is output from wacs.exe --verbose:
[DBUG] Send GET to https://acme-v02.api.letsencrypt.org/
[EROR] Failed to create order
System.Net.Http.HttpRequestException: An error occurred while sending the request.
---> System.Net.Http.WinHttpException (80072EFF, 12030): Error 12030 calling WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, 'The connection with the server was terminated abnormally'.
at System.Net.Http.WinHttpHandler.StartRequestAsync(WinHttpRequestState state)
--- End of inner exception stack trace ---
at PKISharp.WACS.Services.ProxyService.LoggingHttpClientHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync(Uri uri, HttpMethod method, Object message, HttpStatusCode expectedStatuses, Boolean skipNonce, Boolean skipSigning, Boolean includePublicKey, CancellationToken cancel, String opName)
at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync[T](Uri uri, HttpMethod method, Object message, HttpStatusCode expectedStatuses, Boolean skipNonce, Boolean skipSigning, Boolean includePublicKey, CancellationToken cancel, String opName)
at ACMESharp.Protocol.AcmeProtocolClient.GetDirectoryAsync(String relativeUri, CancellationToken cancel)
at PKISharp.WACS.Clients.Acme.AcmeClient.<>c__DisplayClass25_0.<b__1>d.MoveNext()
--- End of stack trace from previous location ---
at PKISharp.WACS.Clients.Acme.AcmeClient.Backoff[T](Func1 executor, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClient.EnsureServiceDirectory(AcmeProtocolClient client)
at PKISharp.WACS.Clients.Acme.AcmeClient.ConfigureAcmeClient()
at PKISharp.WACS.Clients.Acme.AcmeClient.GetClient()
at PKISharp.WACS.Clients.Acme.AcmeClient.CreateOrder(IEnumerable1 identifiers)
at PKISharp.WACS.Clients.Acme.OrderManager.CreateOrder(String cacheKey, Target target)

Can you show the affected IP address?

7 Likes

Hi @mirko1, and welcome to the LE community forum 🙂

Also, please show a timestamp of when this occurred.

7 Likes

IP address is 212.92.212.115.
Timestamp:
Oct 30, 2022 20:33:46.179128000 Central European Standard Time

1 Like

Does the error still occur?

@lestaff Is the shown IP blocked?

7 Likes

Yes, it still occurs

1 Like

Using https://check-host.net/ is showing Ping Results that are a bit questionable.
This is a permanent link to this check report.

4 Likes

No, we are not blocking this IP address.

7 Likes

Are you running the latest version of wacs?

5 Likes

Check your server is configured to support TLS 1.2, in particular old versions like Server 2012 may not be configured to use TLS 1.2 by default.

[Running Nartac Software - IIS Crypto in Best Practices mode is a good start, but it's limited on Server 2012 due to some cipher suites not being available.]

7 Likes

HTTP request to their IP has a "Server: Microsoft-IIS/10.0" response header. Is that likely to be an older OS version?

6 Likes

In that case, no, that's Server 2016 or higher. So it's unlikely to be a problem with TLS 1.2 not being enabled.

@mirko1 do you have outgoing https (tcp port 443) blocked on Windows Firewall or have you changed the firewall rules recently? I assume you don't have a proxy configured for outgoing internet. Can you open https://acme-v02.api.letsencrypt.org/directory on the server desktop browser?

6 Likes

I don't have any blocking rules for outgoing traffic on Windows Firewall, only for incoming.
I can't open https://acme-v02.api.letsencrypt.org/directory in a browser - after the initial TCP handshake, I get an RST message from the server. Same for all ports, 80, 443, ... actually any port I tried behaves the same way.
There's no proxy, but the server is behind firewall/NAT router, which is beyond my reach. I checked with the person who maintains the router (I did this first), and he claims there were no recent changes in configuration.

Ok, so can you double check that TLS 1.2 is enabled? The Let's Encrypt API won't talk TLS 1.1 etc.

[reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" should return Enabled REG_DWORD 0x1]

6 Likes

I (double)checked - yes, it's enabled. Anyway, connection drops before any data is transmitted, long before TLS negotiation.

Ok, if your browser cannot connect then it's not win-acme that's the problem; you'll need to check connectivity to https://acme-v02.api.letsencrypt.org/directory from other machines to narrow it down. Your firewall administrator will need to confirm whether the outgoing request is matching any of their rules or if it's failing outside your network.

6 Likes

Only HTTPS (port 443) should work. Using HTTP:// (port 80) should fail. With curl on Ubuntu my message is "Connection reset by peer" for example

And, what version of Windows are you running?

6 Likes

Server 2016

Have you checked other outbound https domains work? Like

powershell invoke-webrequest https://acme-v02.api.letsencrypt.org/directory

and 

powershell invoke-webrequest https://google.com

(I don't have WinServer 2016 but these work on Win10)

6 Likes
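As an added example (not from win-acme or from any post in this thread), a Windows PowerShell 5.1 script that runs the checks suggested in the two posts above in order: the SCHANNEL TLS 1.2 client registry value, a raw TCP connect that separates a reset during the handshake from a TLS-level failure, and Invoke-WebRequest against the ACME directory with a control host. The ACME hostname is the one from the thread; `$Control` is an assumed comparison host.

```powershell
# Added diagnostic script, not part of win-acme or this thread. Assumes Windows PowerShell 5.1.
$AcmeHost = 'acme-v02.api.letsencrypt.org'
$Control  = 'www.google.com'   # assumed control host: any HTTPS site known to work from the server

# 1. The SCHANNEL value the thread's reg query inspects. An absent key means the OS default
#    applies (TLS 1.2 is on by default on Server 2016); Enabled=0 means explicitly disabled.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls12 = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
if ($null -eq $tls12)          { "TLS 1.2 client key absent: OS default applies" }
elseif ($tls12.Enabled -eq 1)  { "TLS 1.2 client explicitly enabled" }
else                           { "TLS 1.2 client explicitly DISABLED (Enabled=$($tls12.Enabled))" }

# 2. Raw TCP connect. A ConnectionReset here arrives before any TLS bytes are sent, which
#    points at the firewall/NAT path rather than at protocol or cipher configuration.
function Test-TcpReset([string]$Target, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, $Port)
        "$Target`:$Port TCP handshake OK"
    } catch {
        # .NET exceptions from method calls are wrapped; the SocketException is the inner one.
        $inner = $_.Exception.InnerException
        if ($inner -is [System.Net.Sockets.SocketException]) {
            "$Target`:$Port TCP failed: $($inner.SocketErrorCode)"   # ConnectionReset = RST
        } else {
            "$Target`:$Port TCP failed: $($_.Exception.Message)"
        }
    } finally { $client.Close() }
}
Test-TcpReset $AcmeHost
Test-TcpReset $Control

# 3. Full HTTPS request, pinning this session to TLS 1.2 so a TLS-level failure is unambiguous.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
function Test-Https([string]$Url) {
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        "$Url -> HTTP $($r.StatusCode), Server: $($r.Headers['Server'])"
    } catch {
        "$Url -> FAILED: $($_.Exception.Message)"
    }
}
Test-Https "https://$AcmeHost/directory"
Test-Https "https://$Control/"
```

If step 2 reports ConnectionReset for the ACME host but the control host succeeds, the problem is on the network path and step 3's TLS pin is irrelevant; if step 2 succeeds and only step 3 fails, look at the protocol configuration instead.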

I did. google.com works.

1 Like