Blocked? Curl returned with 35!

Can't create SSL on 31.184.222.220

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: edu.gosweb.ru

I ran this command: create LE certificate from Bitrix

It produced this output:
TASK [web : register dehydrated] ***********************************************
fatal: [edu.gosweb.ru]: FAILED! => {"changed": true, "cmd": "/home/bitrix/dehydrated/dehydrated --register --accept-terms", "delta": "0:00:15.888861", "end": "2022-01-08 17:51:07.390110", "msg": "non-zero return code", "rc": 1, "start": "2022-01-08 17:50:51.501249", "stderr": "ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 35)\nEXPECTED value GOT EOF", "stderr_lines": ["ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 35)", "EXPECTED value GOT EOF"], "stdout": "# INFO: Using main config file /home/bitrix/dehydrated/config", "stdout_lines": ["# INFO: Using main config file /home/bitrix/dehydrated/config"]}

My web server is (include version): Bitrix Env (Apache+Ansible)

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: Selectel

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Bitrix Env

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): dehydrated

3 Likes

Hi, @sastor,

We're not blocking or rate limiting your IP addresses, but your report looks like it's related to this problem that we're investigating: API service disruption for Russian subscribers

6 Likes

Hi, @sastor,

Could you please show us the output of a traceroute to acme-v02.api.letsencrypt.org? Feel free to either post it here or send it to me as a direct message.

5 Likes

ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=62 time=0.773 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=62 time=0.554 ms

traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 5.23.48.1 (5.23.48.1) 10.422 ms 10.250 ms 10.180 ms
2 spx-ix.as13335.net (194.226.100.129) 1.435 ms 1.437 ms 1.419 ms
3 * * *
4 * * *

./dehydrated -c

# INFO: Using main config file /home/bitrix/dehydrated/config

Processing bitrix24.split-system54.ru

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Mar 17 22:00:14 2022 GMT (Longer than 20 days). Skipping renew!

Processing split-system54.ru with alternative names: bitrix24.split-system54.ru

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Jan 6 22:00:33 2022 GMT (Less than 20 days). Renewing!
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...

ERROR: Problem connecting to server (head for https://acme-v02.api.letsencrypt.org/acme/new-nonce; curl returned with 35)

  • ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)

Details:
HTTP/1.1 100 Continue

HTTP/1.1 400 Bad Request
Server: nginx
Date: Sun, 09 Jan 2022 06:03:05 GMT
Content-Type: application/problem+json
Content-Length: 112
Connection: keep-alive
Boulder-Requester: 122282794
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 00028uh0JMprAefJQ8PRC6ECDPVPrnYlWqJBTyh5NyEkYxE

{
"type": "urn:ietf:params:acme:error:badNonce",
"detail": "JWS has no anti-replay nonce",
"status": 400
}

If I remove --ipv4 and --http1.0 from CURL_OPTS:

./dehydrated -c

# INFO: Using main config file /home/bitrix/dehydrated/config

ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 35)
EXPECTED value GOT EOF

curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

dehydrated version 0.7.1

3 Likes
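The output above shows ping answering while curl exits with 35, which is curl's code for an SSL connect error: the failure is in the TLS handshake, not in name resolution or basic reachability. As an added example (not part of the thread and not code from any poster), this Python sketch walks the same path one layer at a time and reports the first stage that fails; the function name `probe` and its defaults are assumptions made for the illustration.

```python
import socket
import ssl

ACME_HOST = "acme-v02.api.letsencrypt.org"  # endpoint named in the thread


def probe(host=ACME_HOST, port=443, timeout=5.0):
    """Return (failed_stage, detail); failed_stage is None when TLS comes up.

    Stages are checked in order: "dns" -> "tcp" -> "tls". A "tls" failure
    is the situation curl reports as exit code 35 (SSL connect error).
    """
    try:
        # IPv4 only, matching the --ipv4 option used in the thread.
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))
    family, socktype, proto, _, addr = infos[0]

    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError as exc:  # refused, unreachable, or timed out
        sock.close()
        return ("tcp", f"{addr[0]}: {exc}")

    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return (None, f"{addr[0]}: {tls.version()}, {tls.cipher()[0]}")
    except OSError as exc:  # ssl.SSLError and socket timeouts are OSErrors
        return ("tls", f"{addr[0]}: {type(exc).__name__}: {exc}")
    finally:
        sock.close()  # harmless if wrap_socket already took over the socket


if __name__ == "__main__":
    stage, detail = probe()
    print("handshake OK" if stage is None else f"failed at {stage}", "-", detail)
```

A result of `tls` with an EOF, reset or timeout detail while ICMP still answers points at something on the path dropping or cutting the handshake, which is the evidence worth attaching to a report like this one alongside the traceroute.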

[root@edu ~]# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=60 time=1.50 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=60 time=1.48 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=3 ttl=60 time=1.39 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=4 ttl=60 time=1.47 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=5 ttl=60 time=1.52 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=6 ttl=60 time=1.46 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=7 ttl=60 time=1.52 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=8 ttl=60 time=1.49 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=9 ttl=60 time=1.45 ms

2 Likes

[root@edu ~]# traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 10.149.215.1 (10.149.215.1) 0.600 ms 0.483 ms 0.470 ms
2 92.53.93.91 (92.53.93.91) 1.325 ms 92.53.93.89 (92.53.93.89) 1.264 ms 1.240 ms
3 92.53.93.14 (92.53.93.14) 1.457 ms 1.423 ms 1.426 ms
4 spx-ix.as13335.net (194.226.100.129) 2.251 ms 2.678 ms *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

3 Likes

It gets cut off at MSK-IX (Moscow-9). Hmm.

I noticed it a couple of days ago and thought the cause was the reconfiguration of the Bitrix environment. But most likely the problem has existed since around January 5.

3 Likes

The problem is also observed in the ispmanager6 control panel, and has been since January 3, although there were some days when it did not occur.

3 Likes

We believe the network routing problem from the St. Petersburg, Russia region is now resolved. If you're still having trouble, please let us know. Thanks for your patience!

5 Likes

I'll try to get the cert and write back later.

traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 10.149.215.1 (10.149.215.1) 0.505 ms 0.458 ms 0.415 ms
2 92.53.93.89 (92.53.93.89) 1.137 ms 1.076 ms 1.061 ms
3 109.239.136.210 (109.239.136.210) 75.682 ms 26.449 ms 75.618 ms
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *

3 Likes

OK
It works
Thank you

4 Likes

Yes, everything is ok now. Thanks

4 Likes
