Acme-v02.api.letsencrypt.org sends RST right after connecting

Do you have a working https site on your server you can share a domain for? That way we can review the tls cipher suite it's currently likely to be trying.

5 Likes

@webprofusion Yes, you can try this one: https://www.tiplon.hr/.
Although I don't see the point, since the connection drops before any data is transmitted. Here is the Wireshark trace:
https://shop.elsam.hr/172.65.32.248f.zip

1 Like

Thanks, sorry I'm out of ideas. Yes, the Wireshark capture looks like Let's Encrypt are forcibly disconnecting. Does outgoing TCP traffic definitely leave your network as the public IP 212.92.212.115? Could it be another IP? Does googling "what's my ip" from the server desktop return the expected result?

6 Likes

Public IP is 212.92.212.115, confirmed. https://www.showmyip.com/

Please show the output of:
openssl s_client -connect 172.65.32.248:443

[assuming you have (or can get) openssl for Windows]

5 Likes

This is where I get OpenSSL for Windows.
https://slproweb.com/products/Win32OpenSSL.html

4 Likes

Useless, the connection drops immediately. Check the trace from Wireshark ("handshake has read 0 bytes").

CONNECTED(00000154)
write:errno=10054
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Please show a trace route:
tracert -d acme-v02.api.letsencrypt.org

5 Likes

Tracing route to ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com [172.65.32.248]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.20.1
  2     *        *        *     Request timed out.
  3     1 ms     1 ms     1 ms  10.127.105.54
  4     1 ms     1 ms     1 ms  213.147.96.78
  5     1 ms     1 ms     1 ms  213.147.96.77
  6     1 ms     1 ms     1 ms  83.139.120.25
  7     1 ms     1 ms     1 ms  185.1.87.115
  8     1 ms     1 ms     1 ms  172.65.32.248

Trace complete.

1 Like

I managed to renew certificates using other IP address. However, the problem is still here. Could someone please double-check if this IP (212.92.212.115) is blocked somehow?

1 Like

I can ping it from 2 different locations

$ ping 212.92.212.115
PING 212.92.212.115 (212.92.212.115): 56 data bytes
64 bytes from 212.92.212.115: icmp_seq=0 ttl=27 time=186.793 ms
64 bytes from 212.92.212.115: icmp_seq=1 ttl=27 time=184.490 ms
64 bytes from 212.92.212.115: icmp_seq=2 ttl=27 time=180.419 ms
64 bytes from 212.92.212.115: icmp_seq=3 ttl=27 time=183.242 ms
^C
--- 212.92.212.115 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 180.419/183.736/186.793/2.300 ms

Mostly pingable (Check host report, since removed)
http accessible (Check host report, since removed)
https not accessible (Check host report, since removed)

4 Likes

172.65.32.248 is a Cloudflare IP, but it does send RST right after connect.
Dead CF datacenter maybe?
Looks like it geoblocked anything outside NA and EU or so.

6 Likes

@lestaff The CF reverse proxy IP given for acme-v02.api (172.65.32.248) points to a broken CF webserver (TCP reset) in the APAC region, or a wrong geoblocking rule. Tested and confirmed broken in (hk, sg, jp, sk). Can you hit CF people to reassign a new reverse proxy address for us?

6 Likes

+1, I have a customer who is having a similar issue from Bangladesh.

Fine for me in APAC (Australia) though.

8 Likes

Cloudflare uses Anycast PoPs so the IP alone isn't much help -- that's what it resolves to for everyone.

If I could get the output of https://www.cloudflare.com/cdn-cgi/trace that would help with talking to Cloudflare.

12 Likes

Is there a CLI version of this data for headless servers? Like the /cdn-cgi/trace from their HTTP proxy product? I don't think I can easily ask for this information.

6 Likes

https://www.cloudflare.com/cdn-cgi/trace would be helpful; I think it should be the same pops either way.

6 Likes
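An added example, not from anyone in this thread, that automates the two checks discussed above from a headless box: it attempts a TLS handshake against the affected hosts and classifies the failure (Windows errno 10054 / ECONNRESET is the RST seen in the openssl output earlier), and it parses the key=value body of /cdn-cgi/trace to pull out the `colo` field, which names the Cloudflare PoP that actually answered. The host list and timeouts are assumptions; the parser is a generic key=value reader, so it works on a saved copy of the trace body as well.

```python
"""Probe Cloudflare-fronted hosts and report where the TCP/TLS handshake fails."""
import socket
import ssl
import urllib.request


def classify_error(exc: BaseException) -> str:
    """Map a socket/TLS exception to a coarse diagnosis string."""
    # Peer sent a TCP RST: ECONNRESET on POSIX, WSAECONNRESET (10054) on Windows
    if isinstance(exc, ConnectionResetError) or getattr(exc, "winerror", None) == 10054:
        return "rst"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"        # SYN or handshake silently dropped
    if isinstance(exc, ssl.SSLError):
        return "tls-error"      # TCP connected fine, TLS handshake was rejected
    if isinstance(exc, ConnectionRefusedError):
        return "refused"        # RST in answer to the SYN (nothing listening)
    return "other"


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect and complete a TLS handshake; return status plus negotiated params."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "ok", "version": tls.version(), "cipher": tls.cipher()[0]}
    except OSError as exc:  # ssl.SSLError and all socket errors derive from OSError
        return {"status": classify_error(exc), "error": repr(exc)}


def parse_cdn_cgi_trace(body: str) -> dict:
    """Parse the 'key=value' lines returned by /cdn-cgi/trace into a dict."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def fetch_trace(url: str = "https://www.cloudflare.com/cdn-cgi/trace", timeout: float = 5.0) -> dict:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_cdn_cgi_trace(resp.read().decode())


if __name__ == "__main__":
    for host in ("acme-v02.api.letsencrypt.org", "www.cloudflare.com"):  # assumed targets
        print(host, probe_tls(host))
    try:
        trace = fetch_trace()
        print("colo =", trace.get("colo"), "client ip =", trace.get("ip"))
    except OSError as exc:
        print("cdn-cgi/trace unreachable:", classify_error(exc))
```

Run it on the affected server and on a working one; a `status` of `rst` on both acme-v02 and www.cloudflare.com, with no `colo` obtainable, matches the symptom reported in this thread, while a differing `colo` on a working host identifies which PoP is healthy.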

Thanks, I'll get that info. One affected client IP is: 192.144.82.200.

6 Likes

Can't connect to www.cloudflare.com. Same as with acme-v02.api.letsencrypt.org, RST after connecting.

3 Likes

Thanks. That definitely seems like this is some kind of problem on Cloudflare. I'll update this thread with whatever I get back from them.

9 Likes