Can't connect to acme-v02.api.letsencrypt.org from server

Hello,
I'm trying to generate new certs for my domain but I can't connect to letsencrypt api from my new server. The problem didn't occur on the previous server with different ip address.

Searching for similar problems I stumbled upon this which could be the reason

but that's just a guess. Thanks for your help

@lestaff

Details:
My server domain:

I ran this command:
curl -vvvv -I -L -k https://acme-v02.api.letsencrypt.org/directory

It produced this output:

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

The operating system my web server runs on is:
Ubuntu 21.04

I can login to a root shell on my machine: yes

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Out of curiosity, what ACME client (e.g. certbot) are you using?

@lestaff

Here's the webserver IP address for kislist.com:

135.125.161.250

(aka vps-7fa44fda.vps.ovh.net)

1 Like

Try your curl test with --tlsv1.2 and again with --tlsv1.0

1 Like

That was my suspicion too, @rg305. :face_with_monocle:

1 Like

My suspicion is some inline HTTPS proxy that can't handle TLSv1.3.
[but might handle something lower]

If this is so, then they need to understand where/why that is happening.
[big bother watching]

1 Like

Curl with tls-max set to 1.2 outputs pretty much the same.

curl -vvvv -I -L -k --tlsv1.2 --tls-max 1.2 https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

And for version 1.1

curl -vvvv -I -L -k --tlsv1.2 --tls-max 1.1 https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
* Closing connection 0
curl: (35) CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
1 Like

hmm...
What about?:

1 Like

the same as for 1.1

curl -vvvv -I -L -k --tlsv1.1 --tls-max 1.0 https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
* Closing connection 0
curl: (35) CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
1 Like

I'm using docker so the certs are autogenerated with
https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion/

but it outputs ssl errors when calling curl, same for https://acme-v01.api.letsencrypt.org/directory

1 Like

Does it hurt to try:
curl -vvvv -I -L -k --tlsv1.0 https://acme-v02.api.letsencrypt.org/directory
AND/OR
curl -vvvv -I -L -k --tlsv1.3 https://google.com/
curl -vvvv -I -L -k --tlsv1.2 https://google.com/
curl -vvvv -I -L -k --tlsv1.0 https://google.com/

1 Like

Both work for TLSv1.0 (for me)
I get:

curl -ILk --tlsv1.0 https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200
server: nginx
date: Tue, 13 Jul 2021 18:52:27 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0102YpYUzWX-MxxfRJt0tKkGeDPfM_LPahFdY857Jnv9tq8
x-frame-options: DENY
strict-transport-security: max-age=604800

curl -ILk --tlsv1.0 https://google.com/
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Tue, 13 Jul 2021 18:52:46 GMT
expires: Thu, 12 Aug 2021 18:52:46 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

HTTP/2 200
content-type: text/html; charset=ISO-8859-1
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Tue, 13 Jul 2021 18:52:46 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Tue, 13 Jul 2021 18:52:46 GMT
cache-control: private
set-cookie: 1P_JAR=2021-07-13-18; expires=Thu, 12-Aug-2021 18:52:46 GMT; path=/; domain=.google.com; Secure
set-cookie: NID=219=SIKpLGxcfu5sl8OjzHqCsFoyQMnPagcvGLpFCKw2I1Q0QmLjJrjI6XKZ_R_1NpKv6CMxNCg2a2vftJjWCgPPdUcHO7lfONVQfz2-Kwh7xdJV4AF1E3adpEQOE94l5OggVdf7mIvNLmPC5MEhxRPb9y-VXBM3iA6PosVOWER7Zgk; expires=Wed, 12-Jan-2022 18:52:46 GMT; path=/; domain=.google.com; HttpOnly
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
1 Like

curl -vvvv -I -L -k --tlsv1.0 https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
curl -vvvv -I -L -k --tlsv1.3 https://google.com/ 
*   Trying 142.250.201.206:443...
* Connected to google.com (142.250.201.206) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
*  start date: Jun 22 13:36:22 2021 GMT
*  expire date: Sep 14 13:36:21 2021 GMT
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55d9ce53cad0)
> HEAD / HTTP/2
> Host: google.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 301 
HTTP/2 301 
< location: https://www.google.com/
location: https://www.google.com/
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< date: Tue, 13 Jul 2021 19:13:25 GMT
date: Tue, 13 Jul 2021 19:13:25 GMT
< expires: Tue, 13 Jul 2021 19:13:25 GMT
expires: Tue, 13 Jul 2021 19:13:25 GMT
< cache-control: private, max-age=2592000
cache-control: private, max-age=2592000
< server: gws
server: gws
< content-length: 220
content-length: 220
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< set-cookie: CONSENT=PENDING+983; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
set-cookie: CONSENT=PENDING+983; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

< 
* Connection #0 to host google.com left intact
* Issue another request to this URL: 'https://www.google.com/'
*   Trying 172.217.16.100:443...
* Connected to www.google.com (172.217.16.100) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Jun 22 16:06:24 2021 GMT
*  expire date: Sep 14 16:06:23 2021 GMT
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55d9ce53cad0)
> HEAD / HTTP/2
> Host: www.google.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
HTTP/2 200 
< content-type: text/html; charset=ISO-8859-1
content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Tue, 13 Jul 2021 19:13:25 GMT
date: Tue, 13 Jul 2021 19:13:25 GMT
< server: gws
server: gws
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< expires: Tue, 13 Jul 2021 19:13:25 GMT
expires: Tue, 13 Jul 2021 19:13:25 GMT
< cache-control: private
cache-control: private
< set-cookie: CONSENT=PENDING+656; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
set-cookie: CONSENT=PENDING+656; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

< 
* Connection #1 to host www.google.com left intact
curl -vvvv -I -L -k --tlsv1.2 https://google.com/ 
*   Trying 142.250.201.206:443...
* Connected to google.com (142.250.201.206) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
*  start date: Jun 22 13:36:22 2021 GMT
*  expire date: Sep 14 13:36:21 2021 GMT
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55cdd33ffad0)
> HEAD / HTTP/2
> Host: google.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 301 
HTTP/2 301 
< location: https://www.google.com/
location: https://www.google.com/
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< date: Tue, 13 Jul 2021 19:14:23 GMT
date: Tue, 13 Jul 2021 19:14:23 GMT
< expires: Tue, 13 Jul 2021 19:14:23 GMT
expires: Tue, 13 Jul 2021 19:14:23 GMT
< cache-control: private, max-age=2592000
cache-control: private, max-age=2592000
< server: gws
server: gws
< content-length: 220
content-length: 220
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< set-cookie: CONSENT=PENDING+628; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
set-cookie: CONSENT=PENDING+628; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

< 
* Connection #0 to host google.com left intact
* Issue another request to this URL: 'https://www.google.com/'
*   Trying 172.217.16.100:443...
* Connected to www.google.com (172.217.16.100) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Jun 22 16:06:24 2021 GMT
*  expire date: Sep 14 16:06:23 2021 GMT
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55cdd33ffad0)
> HEAD / HTTP/2
> Host: www.google.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
HTTP/2 200 
< content-type: text/html; charset=ISO-8859-1
content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Tue, 13 Jul 2021 19:14:23 GMT
date: Tue, 13 Jul 2021 19:14:23 GMT
< server: gws
server: gws
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< expires: Tue, 13 Jul 2021 19:14:23 GMT
expires: Tue, 13 Jul 2021 19:14:23 GMT
< cache-control: private
cache-control: private
< set-cookie: CONSENT=PENDING+457; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
set-cookie: CONSENT=PENDING+457; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

< 
* Connection #1 to host www.google.com left intact
curl -vvvv -I -L -k --tlsv1.0 https://google.com/ 

*   Trying 142.250.201.206:443...
* Connected to google.com (142.250.201.206) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
*  start date: Jun 22 13:36:22 2021 GMT
*  expire date: Sep 14 13:36:21 2021 GMT
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5588479fcad0)
> HEAD / HTTP/2
> Host: google.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 301 
HTTP/2 301 
< location: https://www.google.com/
location: https://www.google.com/
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< date: Tue, 13 Jul 2021 19:14:54 GMT
date: Tue, 13 Jul 2021 19:14:54 GMT
< expires: Tue, 13 Jul 2021 19:14:54 GMT
expires: Tue, 13 Jul 2021 19:14:54 GMT
< cache-control: private, max-age=2592000
cache-control: private, max-age=2592000
< server: gws
server: gws
< content-length: 220
content-length: 220
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< set-cookie: CONSENT=PENDING+046; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
set-cookie: CONSENT=PENDING+046; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

< 
* Connection #0 to host google.com left intact
* Issue another request to this URL: 'https://www.google.com/'
*   Trying 172.217.16.100:443...
* Connected to www.google.com (172.217.16.100) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Jun 22 16:06:24 2021 GMT
*  expire date: Sep 14 16:06:23 2021 GMT
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5588479fcad0)
> HEAD / HTTP/2
> Host: www.google.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
HTTP/2 200 
< content-type: text/html; charset=ISO-8859-1
content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Tue, 13 Jul 2021 19:14:54 GMT
date: Tue, 13 Jul 2021 19:14:54 GMT
< server: gws
server: gws
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< expires: Tue, 13 Jul 2021 19:14:54 GMT
expires: Tue, 13 Jul 2021 19:14:54 GMT
< cache-control: private
cache-control: private
< set-cookie: CONSENT=PENDING+294; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
set-cookie: CONSENT=PENDING+294; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

< 
* Connection #1 to host www.google.com left intact
1 Like

Although TLSv1.3 works with Google, the request to use TLSv1.0 & TLSv1.2 with LE fails to do so and is using TLSv1.3 instead.

I see TLSv1.0 in use (when specified):

curl -vvvvILk --tlsv1.0 https://acme-v02.api.letsencrypt.org/directory
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES256-SHA
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Jun  5 22:36:33 2021 GMT
*  expire date: Sep  3 22:36:33 2021 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e0449ad600)
> HEAD /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< server: nginx
server: nginx
< date: Tue, 13 Jul 2021 19:16:52 GMT
date: Tue, 13 Jul 2021 19:16:52 GMT
< content-type: application/json
content-type: application/json
< content-length: 658
content-length: 658
< cache-control: public, max-age=0, no-cache
cache-control: public, max-age=0, no-cache
< replay-nonce: 00029GoxsuWLjAlrUz5I33Gn1jHmNxz_Tco0-95iVpaQklc
replay-nonce: 00029GoxsuWLjAlrUz5I33Gn1jHmNxz_Tco0-95iVpaQklc
< x-frame-options: DENY
x-frame-options: DENY
< strict-transport-security: max-age=604800
strict-transport-security: max-age=604800

<
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
1 Like

I see

But when I run curl with --tls-max 1.2 option like that

curl -vvvv -I -L -k --tlsv1.2 --tls-max 1.2 https://acme-v02.api.letsencrypt.org/directory

it outputs

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

so it's trying with TLSv1.2 (OUT)
or so I think :slight_smile:

2 Likes
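Added example, not code from the thread: a small Python classifier for the `curl -v` traces pasted above. The replies are reading the same three things off the traces by eye, so the script makes them explicit: curl refusing to start because `--tlsv1.x` and `--tls-max` conflict (nothing reaches the network), a ClientHello that goes out and is answered only by a dropped connection (`SSL_ERROR_SYSCALL` with no Server hello), and a completed handshake with a negotiated version. The sample traces are copied from the posts in this thread (the forum rendered curl's leading `*` as a bullet, which the parser tolerates); `likely_network_block` is the comparison the thread makes with google.com as a control host, and the function and report names are this example's own.

```python
"""Classify curl -v TLS handshake traces (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample traces copied from this thread.
TRACE_LE_FAIL = """\
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
"""
TRACE_OPTION_ERR = """\
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
* Closing connection 0
curl: (35) CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
"""
TRACE_LE_OK = """\
* Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES256-SHA
*  subject: CN=acme-v01.api.letsencrypt.org
"""
TRACE_CONTROL_OK = """\
* Connected to google.com (142.250.201.206) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
"""
SAMPLES: Dict[str, str] = {
    "le_fail": TRACE_LE_FAIL, "option_err": TRACE_OPTION_ERR,
    "le_ok": TRACE_LE_OK, "control_ok": TRACE_CONTROL_OK,
}

# curl prefixes trace lines with '*'; the forum turned that into a bullet.
_PREFIX = re.compile(r"^\s*[*\u2022]?\s*")
_CLIENT_HELLO = re.compile(r"^(TLSv[\d.]+) \(OUT\), TLS handshake, Client hello")
_SERVER_HELLO = re.compile(r"^(TLSv[\d.]+) \(IN\), TLS handshake, Server hello")
_NEGOTIATED = re.compile(r"^SSL connection using (.+)$")
_ERROR = re.compile(r"(SSL_ERROR_SYSCALL|CURL_SSLVERSION_MAX incompatible|^curl: \(\d+\))")


@dataclass
class HandshakeReport:
    offered: Optional[str] = None      # version label on the outgoing ClientHello
    server_hello_seen: bool = False
    negotiated: Optional[str] = None   # e.g. "TLSv1.0 / ECDHE-RSA-AES256-SHA"
    errors: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if any("CURL_SSLVERSION_MAX" in e for e in self.errors):
            return "client_option_error"          # curl never sent anything
        if self.server_hello_seen and self.negotiated:
            return "handshake_complete"
        if self.offered and not self.server_hello_seen:
            return "dropped_after_client_hello"   # path or far end killed the connection
        return "inconclusive"


def diagnose(trace: str) -> HandshakeReport:
    """Walk the trace once and record how far the handshake got."""
    rep = HandshakeReport()
    for raw in trace.splitlines():
        line = _PREFIX.sub("", raw, count=1).rstrip()
        if not line:
            continue
        if m := _CLIENT_HELLO.match(line):
            rep.offered = m.group(1)
        elif _SERVER_HELLO.match(line):
            rep.server_hello_seen = True
        elif m := _NEGOTIATED.match(line):
            rep.negotiated = m.group(1)
        elif _ERROR.search(line):
            rep.errors.append(line)
    return rep


def likely_network_block(target: HandshakeReport, control: HandshakeReport) -> bool:
    """True when the target dies right after ClientHello while a control host completes
    the handshake from the same machine: the local TLS stack works, so the fault lies
    between this host and the target (filtering, an inline proxy, or a block at the far end)."""
    return (target.verdict == "dropped_after_client_hello"
            and control.verdict == "handshake_complete")


if __name__ == "__main__":
    for name, trace in SAMPLES.items():
        r = diagnose(trace)
        print(f"{name:11s} offered={r.offered} negotiated={r.negotiated} -> {r.verdict}")
    print("network block likely:",
          likely_network_block(diagnose(TRACE_LE_FAIL), diagnose(TRACE_CONTROL_OK)))
```

Run it on a saved `curl -v` trace (`python3 classify.py` with the samples, or feed your own text to `diagnose`). The distinction it draws is the one that matters for triage: a `client_option_error` says the flags were wrong, a `dropped_after_client_hello` with a healthy control host says the TLS version is not the problem and the connection is being cut on the path, which is exactly what the staff reply below confirms.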

This IP address had been blocked as DDoS mitigation. I've now unblocked it, so issuance should work now. If your server has had this IP address for a long time, then please do a thorough review of your security to make sure it's not vulnerable to being used in further attacks. Thanks!

5 Likes

Now the server connects to api without errors. This is a new IP we have for our server so apparently it has had a bad history :slight_smile:
Thanks

3 Likes
