Can't connect to acme-v02.api.letsencrypt.org

Help
28

@CBImag This is probably not useful but does this work?

With your curl version (any 7.54.0 or later):
curl -v --tls-max 1.2 https://acme-v02.api.letsencrypt.org/directory

If you try a system with an earlier curl version
curl -v --tlsv1.2 https://acme-v02.api.letsencrypt.org/directory

NOTE: Current LE server service disruption may result in http error 503. So wait until that resolves or ignore that as it would show connect or not before the 503.

7 Likes
29

It has been down for a bit now. I believe the issue is with the service disruption. I am unable to create a cert right now either:

$ curl -v --tls-max 1.2 https://acme-v02.api.letsencrypt.org/directory

  • Trying 172.65.32.248:443...
  • TCP_NODELAY set
  • Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: CN=acme-v02.api.letsencrypt.org
  • start date: Nov 29 10:15:07 2021 GMT
  • expire date: Feb 27 10:15:06 2022 GMT
  • subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
  • issuer: C=US; O=Let's Encrypt; CN=R3
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • Using Stream ID: 1 (easy handle 0x7ffff6919c50)

GET /directory HTTP/2
Host: acme-v02.api.letsencrypt.org
user-agent: curl/7.68.0
accept: /

  • Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 503
    < server: nginx
    < date: Thu, 02 Dec 2021 20:14:10 GMT
    < content-type: application/problem+json
    < content-length: 178
    < etag: "611d36ef-b2"
    <
    {
    "type": "urn:acme:error:serverInternal",
    "detail": "The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details."
    }
  • Connection #0 to host acme-v02.api.letsencrypt.org left intact
3 Likes
30

@jmillpps You're correct, your error is due to the service disruption and is a different issue than the issue described in this thread.

5 Likes
31

Hello! Thank you all for helping me :relaxed:

@rg305 here is the output

> ls -ltr /etc/ssl/certs/
total 572
lrwxrwxrwx 1 root root     48 May 14  2020  ACCVRAIZ1.pem -> /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt
lrwxrwxrwx 1 root root     55 May 14  2020  AC_RAIZ_FNMT-RCM.pem -> /usr/share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt
lrwxrwxrwx 1 root root     69 May 14  2020  Actalis_Authentication_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
lrwxrwxrwx 1 root root     61 May 14  2020  AffirmTrust_Commercial.pem -> /usr/share/ca-certificates/mozilla/AffirmTrust_Commercial.crt
lrwxrwxrwx 1 root root     61 May 14  2020  AffirmTrust_Networking.pem -> /usr/share/ca-certificates/mozilla/AffirmTrust_Networking.crt
lrwxrwxrwx 1 root root     58 May 14  2020  AffirmTrust_Premium.pem -> /usr/share/ca-certificates/mozilla/AffirmTrust_Premium.crt
lrwxrwxrwx 1 root root     62 May 14  2020  AffirmTrust_Premium_ECC.pem -> /usr/share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt
lrwxrwxrwx 1 root root     55 May 14  2020  Amazon_Root_CA_1.pem -> /usr/share/ca-certificates/mozilla/Amazon_Root_CA_1.crt
lrwxrwxrwx 1 root root     55 May 14  2020  Amazon_Root_CA_2.pem -> /usr/share/ca-certificates/mozilla/Amazon_Root_CA_2.crt
lrwxrwxrwx 1 root root     55 May 14  2020  Amazon_Root_CA_3.pem -> /usr/share/ca-certificates/mozilla/Amazon_Root_CA_3.crt
lrwxrwxrwx 1 root root     55 May 14  2020  Amazon_Root_CA_4.pem -> /usr/share/ca-certificates/mozilla/Amazon_Root_CA_4.crt
lrwxrwxrwx 1 root root     60 May 14  2020  Atos_TrustedRoot_2011.pem -> /usr/share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt
lrwxrwxrwx 1 root root     96 May 14  2020  Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem -> /usr/share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
lrwxrwxrwx 1 root root     64 May 14  2020  Baltimore_CyberTrust_Root.pem -> /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
lrwxrwxrwx 1 root root     62 May 14  2020  Buypass_Class_2_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt
lrwxrwxrwx 1 root root     62 May 14  2020  Buypass_Class_3_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt
lrwxrwxrwx 1 root root     55 May 14  2020  CA_Disig_Root_R2.pem -> /usr/share/ca-certificates/mozilla/CA_Disig_Root_R2.crt
lrwxrwxrwx 1 root root     51 May 14  2020  CFCA_EV_ROOT.pem -> /usr/share/ca-certificates/mozilla/CFCA_EV_ROOT.crt
lrwxrwxrwx 1 root root     69 May 14  2020  COMODO_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_Certification_Authority.crt
lrwxrwxrwx 1 root root     73 May 14  2020  COMODO_ECC_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
lrwxrwxrwx 1 root root     73 May 14  2020  COMODO_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
lrwxrwxrwx 1 root root     47 May 14  2020  Certigna.pem -> /usr/share/ca-certificates/mozilla/Certigna.crt
lrwxrwxrwx 1 root root     64 May 14  2020  Certum_Trusted_Network_CA.pem -> /usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt
lrwxrwxrwx 1 root root     66 May 14  2020  Certum_Trusted_Network_CA_2.pem -> /usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt
lrwxrwxrwx 1 root root     71 May 14  2020  Chambers_of_Commerce_Root_-_2008.pem -> /usr/share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt
lrwxrwxrwx 1 root root     63 May 14  2020  Comodo_AAA_Services_root.pem -> /usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
lrwxrwxrwx 1 root root     61 May 14  2020  Cybertrust_Global_Root.pem -> /usr/share/ca-certificates/mozilla/Cybertrust_Global_Root.crt
lrwxrwxrwx 1 root root     69 May 14  2020  D-TRUST_Root_Class_3_CA_2_2009.pem -> /usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
lrwxrwxrwx 1 root root     72 May 14  2020  D-TRUST_Root_Class_3_CA_2_EV_2009.pem -> /usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
lrwxrwxrwx 1 root root     66 May 14  2020  DigiCert_Assured_ID_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
lrwxrwxrwx 1 root root     66 May 14  2020  DigiCert_Assured_ID_Root_G2.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt
lrwxrwxrwx 1 root root     66 May 14  2020  DigiCert_Assured_ID_Root_G3.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt
lrwxrwxrwx 1 root root     62 May 14  2020  DigiCert_Global_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
lrwxrwxrwx 1 root root     62 May 14  2020  DigiCert_Global_Root_G2.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt
lrwxrwxrwx 1 root root     62 May 14  2020  DigiCert_Global_Root_G3.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G3.crt
lrwxrwxrwx 1 root root     73 May 14  2020  DigiCert_High_Assurance_EV_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
lrwxrwxrwx 1 root root     63 May 14  2020  DigiCert_Trusted_Root_G4.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt
lrwxrwxrwx 1 root root     70 May 14  2020  E-Tugra_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/E-Tugra_Certification_Authority.crt
lrwxrwxrwx 1 root root     45 May 14  2020  EC-ACC.pem -> /usr/share/ca-certificates/mozilla/EC-ACC.crt
lrwxrwxrwx 1 root root     80 May 14  2020  Entrust.net_Premium_2048_Secure_Server_CA.pem -> /usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
lrwxrwxrwx 1 root root     75 May 14  2020  Entrust_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root     81 May 14  2020  Entrust_Root_Certification_Authority_-_EC1.pem -> /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
lrwxrwxrwx 1 root root     80 May 14  2020  Entrust_Root_Certification_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt
lrwxrwxrwx 1 root root     61 May 14  2020  GDCA_TrustAUTH_R5_ROOT.pem -> /usr/share/ca-certificates/mozilla/GDCA_TrustAUTH_R5_ROOT.crt
lrwxrwxrwx 1 root root     84 May 14  2020  GeoTrust_Primary_Certification_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
lrwxrwxrwx 1 root root     66 May 14  2020  GlobalSign_ECC_Root_CA_-_R4.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
lrwxrwxrwx 1 root root     66 May 14  2020  GlobalSign_ECC_Root_CA_-_R5.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
lrwxrwxrwx 1 root root     57 May 14  2020  GlobalSign_Root_CA.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
lrwxrwxrwx 1 root root     62 May 14  2020  GlobalSign_Root_CA_-_R2.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt
lrwxrwxrwx 1 root root     62 May 14  2020  GlobalSign_Root_CA_-_R3.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
lrwxrwxrwx 1 root root     62 May 14  2020  GlobalSign_Root_CA_-_R6.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt
lrwxrwxrwx 1 root root     69 May 14  2020  Global_Chambersign_Root_-_2008.pem -> /usr/share/ca-certificates/mozilla/Global_Chambersign_Root_-_2008.crt
lrwxrwxrwx 1 root root     58 May 14  2020  Go_Daddy_Class_2_CA.pem -> /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
lrwxrwxrwx 1 root root     79 May 14  2020  Go_Daddy_Root_Certificate_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
lrwxrwxrwx 1 root root     98 May 14  2020  Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem -> /usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
lrwxrwxrwx 1 root root     94 May 14  2020  Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem -> /usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
lrwxrwxrwx 1 root root     94 May 14  2020  Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem -> /usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
lrwxrwxrwx 1 root root     62 May 14  2020  Hongkong_Post_Root_CA_1.pem -> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt
lrwxrwxrwx 1 root root     51 May 14  2020  ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
lrwxrwxrwx 1 root root     69 May 14  2020  IdenTrust_Commercial_Root_CA_1.pem -> /usr/share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt
lrwxrwxrwx 1 root root     72 May 14  2020  IdenTrust_Public_Sector_Root_CA_1.pem -> /usr/share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
lrwxrwxrwx 1 root root     49 May 14  2020  Izenpe.com.pem -> /usr/share/ca-certificates/mozilla/Izenpe.com.crt
lrwxrwxrwx 1 root root     69 May 14  2020  Microsec_e-Szigno_Root_CA_2009.pem -> /usr/share/ca-certificates/mozilla/Microsec_e-Szigno_Root_CA_2009.crt
lrwxrwxrwx 1 root root     83 May 14  2020 'NetLock_Arany_=Class_Gold=_FƑtanĂșsĂ­tvĂĄny.pem' -> '/usr/share/ca-certificates/mozilla/NetLock_Arany_=Class_Gold=_FƑtanĂșsĂ­tvĂĄny.crt'
lrwxrwxrwx 1 root root     78 May 14  2020  Network_Solutions_Certificate_Authority.pem -> /usr/share/ca-certificates/mozilla/Network_Solutions_Certificate_Authority.crt
lrwxrwxrwx 1 root root     70 May 14  2020  OISTE_WISeKey_Global_Root_GB_CA.pem -> /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
lrwxrwxrwx 1 root root     70 May 14  2020  OISTE_WISeKey_Global_Root_GC_CA.pem -> /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt
lrwxrwxrwx 1 root root     55 May 14  2020  QuoVadis_Root_CA.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA.crt
lrwxrwxrwx 1 root root     60 May 14  2020  QuoVadis_Root_CA_1_G3.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_1_G3.crt
lrwxrwxrwx 1 root root     57 May 14  2020  QuoVadis_Root_CA_2.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2.crt
lrwxrwxrwx 1 root root     60 May 14  2020  QuoVadis_Root_CA_2_G3.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2_G3.crt
lrwxrwxrwx 1 root root     57 May 14  2020  QuoVadis_Root_CA_3.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3.crt
lrwxrwxrwx 1 root root     60 May 14  2020  QuoVadis_Root_CA_3_G3.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3_G3.crt
lrwxrwxrwx 1 root root     82 May 14  2020  SSL.com_EV_Root_Certification_Authority_ECC.pem -> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt
lrwxrwxrwx 1 root root     85 May 14  2020  SSL.com_EV_Root_Certification_Authority_RSA_R2.pem -> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
lrwxrwxrwx 1 root root     79 May 14  2020  SSL.com_Root_Certification_Authority_ECC.pem -> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_ECC.crt
lrwxrwxrwx 1 root root     79 May 14  2020  SSL.com_Root_Certification_Authority_RSA.pem -> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_RSA.crt
lrwxrwxrwx 1 root root     54 May 14  2020  SZAFIR_ROOT_CA2.pem -> /usr/share/ca-certificates/mozilla/SZAFIR_ROOT_CA2.crt
lrwxrwxrwx 1 root root     58 May 14  2020  SecureSign_RootCA11.pem -> /usr/share/ca-certificates/mozilla/SecureSign_RootCA11.crt
lrwxrwxrwx 1 root root     53 May 14  2020  SecureTrust_CA.pem -> /usr/share/ca-certificates/mozilla/SecureTrust_CA.crt
lrwxrwxrwx 1 root root     55 May 14  2020  Secure_Global_CA.pem -> /usr/share/ca-certificates/mozilla/Secure_Global_CA.crt
lrwxrwxrwx 1 root root     69 May 14  2020  Security_Communication_RootCA2.pem -> /usr/share/ca-certificates/mozilla/Security_Communication_RootCA2.crt
lrwxrwxrwx 1 root root     69 May 14  2020  Security_Communication_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Security_Communication_Root_CA.crt
lrwxrwxrwx 1 root root     61 May 14  2020  Sonera_Class_2_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Sonera_Class_2_Root_CA.crt
lrwxrwxrwx 1 root root     71 May 14  2020  Staat_der_Nederlanden_EV_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
lrwxrwxrwx 1 root root     73 May 14  2020  Staat_der_Nederlanden_Root_CA_-_G3.pem -> /usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt
lrwxrwxrwx 1 root root     59 May 14  2020  Starfield_Class_2_CA.pem -> /usr/share/ca-certificates/mozilla/Starfield_Class_2_CA.crt
lrwxrwxrwx 1 root root     80 May 14  2020  Starfield_Root_Certificate_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
lrwxrwxrwx 1 root root     89 May 14  2020  Starfield_Services_Root_Certificate_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
lrwxrwxrwx 1 root root     61 May 14  2020  SwissSign_Gold_CA_-_G2.pem -> /usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt
lrwxrwxrwx 1 root root     63 May 14  2020  SwissSign_Silver_CA_-_G2.pem -> /usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt
lrwxrwxrwx 1 root root     67 May 14  2020  T-TeleSec_GlobalRoot_Class_2.pem -> /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_2.crt
lrwxrwxrwx 1 root root     67 May 14  2020  T-TeleSec_GlobalRoot_Class_3.pem -> /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_3.crt
lrwxrwxrwx 1 root root     84 May 14  2020  TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem -> /usr/share/ca-certificates/mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
lrwxrwxrwx 1 root root     58 May 14  2020  TWCA_Global_Root_CA.pem -> /usr/share/ca-certificates/mozilla/TWCA_Global_Root_CA.crt
lrwxrwxrwx 1 root root     72 May 14  2020  TWCA_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/TWCA_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root     61 May 14  2020  TeliaSonera_Root_CA_v1.pem -> /usr/share/ca-certificates/mozilla/TeliaSonera_Root_CA_v1.crt
lrwxrwxrwx 1 root root     53 May 14  2020  TrustCor_ECA-1.pem -> /usr/share/ca-certificates/mozilla/TrustCor_ECA-1.crt
lrwxrwxrwx 1 root root     61 May 14  2020  TrustCor_RootCert_CA-1.pem -> /usr/share/ca-certificates/mozilla/TrustCor_RootCert_CA-1.crt
lrwxrwxrwx 1 root root     61 May 14  2020  TrustCor_RootCert_CA-2.pem -> /usr/share/ca-certificates/mozilla/TrustCor_RootCert_CA-2.crt
lrwxrwxrwx 1 root root     58 May 14  2020  Trustis_FPS_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Trustis_FPS_Root_CA.crt
lrwxrwxrwx 1 root root     76 May 14  2020  USERTrust_ECC_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt
lrwxrwxrwx 1 root root     76 May 14  2020  USERTrust_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
lrwxrwxrwx 1 root root     86 May 14  2020  VeriSign_Universal_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root     59 May 14  2020  XRamp_Global_CA_Root.pem -> /usr/share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt
lrwxrwxrwx 1 root root     55 May 14  2020  certSIGN_ROOT_CA.pem -> /usr/share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt
lrwxrwxrwx 1 root root     72 May 14  2020  ePKI_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root     19 May 14  2020  fe8a2cd8.0 -> SZAFIR_ROOT_CA2.pem
lrwxrwxrwx 1 root root     41 May 14  2020  fc5a8f99.0 -> USERTrust_RSA_Certification_Authority.pem
lrwxrwxrwx 1 root root     18 May 14  2020  f39fc864.0 -> SecureTrust_CA.pem
lrwxrwxrwx 1 root root     47 May 14  2020  f0c70a8d.0 -> SSL.com_EV_Root_Certification_Authority_ECC.pem
lrwxrwxrwx 1 root root     23 May 14  2020  f081611a.0 -> Go_Daddy_Class_2_CA.pem
lrwxrwxrwx 1 root root     38 May 14  2020  eed8c118.0 -> COMODO_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root     27 May 14  2020  e8de2f56.0 -> Buypass_Class_3_Root_CA.pem
lrwxrwxrwx 1 root root     35 May 14  2020  e73d606e.0 -> OISTE_WISeKey_Global_Root_GB_CA.pem
lrwxrwxrwx 1 root root     25 May 14  2020  e36a6752.0 -> Atos_TrustedRoot_2011.pem
lrwxrwxrwx 1 root root     25 May 14  2020  e18bfb83.0 -> QuoVadis_Root_CA_3_G3.pem
lrwxrwxrwx 1 root root     12 May 14  2020  e113c810.0 -> Certigna.pem
lrwxrwxrwx 1 root root     20 May 14  2020  de6d66f3.0 -> Amazon_Root_CA_4.pem
lrwxrwxrwx 1 root root     27 May 14  2020  dd8e9d41.0 -> DigiCert_Global_Root_G3.pem
lrwxrwxrwx 1 root root     23 May 14  2020  d853d49e.0 -> Trustis_FPS_Root_CA.pem
lrwxrwxrwx 1 root root     38 May 14  2020  d6325660.0 -> COMODO_RSA_Certification_Authority.pem
lrwxrwxrwx 1 root root     37 May 14  2020  d4dae3dd.0 -> D-TRUST_Root_Class_3_CA_2_EV_2009.pem
lrwxrwxrwx 1 root root     20 May 14  2020  ce5e74ef.0 -> Amazon_Root_CA_1.pem
lrwxrwxrwx 1 root root     20 May 14  2020  cd8c0d63.0 -> AC_RAIZ_FNMT-RCM.pem
lrwxrwxrwx 1 root root     44 May 14  2020  cbf06781.0 -> Go_Daddy_Root_Certificate_Authority_-_G2.pem
lrwxrwxrwx 1 root root     37 May 14  2020  ca6e4ad9.0 -> ePKI_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root     34 May 14  2020  c28a8a30.0 -> D-TRUST_Root_Class_3_CA_2_2009.pem
lrwxrwxrwx 1 root root     51 May 14  2020  c01cdfa2.0 -> VeriSign_Universal_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root     37 May 14  2020  b7a5b843.0 -> TWCA_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root     20 May 14  2020  b66938e9.0 -> Secure_Global_CA.pem
lrwxrwxrwx 1 root root     31 May 14  2020  b1159c4c.0 -> DigiCert_Assured_ID_Root_CA.pem
lrwxrwxrwx 1 root root     31 May 14  2020  b0e59380.0 -> GlobalSign_ECC_Root_CA_-_R4.pem
lrwxrwxrwx 1 root root     45 May 14  2020  aee5f10d.0 -> Entrust.net_Premium_2048_Secure_Server_CA.pem
lrwxrwxrwx 1 root root     13 May 14  2020  a94d09e5.0 -> ACCVRAIZ1.pem
lrwxrwxrwx 1 root root     26 May 14  2020  9c2e7d30.0 -> Sonera_Class_2_Root_CA.pem
lrwxrwxrwx 1 root root     48 May 14  2020  988a38cb.0 -> 'NetLock_Arany_=Class_Gold=_FƑtanĂșsĂ­tvĂĄny.pem'
lrwxrwxrwx 1 root root     34 May 14  2020  930ac5d2.0 -> Actalis_Authentication_Root_CA.pem
lrwxrwxrwx 1 root root     20 May 14  2020  8cb5ee0f.0 -> Amazon_Root_CA_3.pem
lrwxrwxrwx 1 root root     31 May 14  2020  7f3d5d1d.0 -> DigiCert_Assured_ID_Root_G3.pem
lrwxrwxrwx 1 root root     18 May 14  2020  7aaf71c0.0 -> TrustCor_ECA-1.pem
lrwxrwxrwx 1 root root     35 May 14  2020  773e07ad.0 -> OISTE_WISeKey_Global_Root_GC_CA.pem
lrwxrwxrwx 1 root root     63 May 14  2020  7719f463.0 -> Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
lrwxrwxrwx 1 root root     22 May 14  2020  76faf6c0.0 -> QuoVadis_Root_CA_3.pem
lrwxrwxrwx 1 root root     26 May 14  2020  76cb8f92.0 -> Cybertrust_Global_Root.pem
lrwxrwxrwx 1 root root     25 May 14  2020  749e9e03.0 -> QuoVadis_Root_CA_1_G3.pem
lrwxrwxrwx 1 root root     20 May 14  2020  6d41d539.0 -> Amazon_Root_CA_2.pem
lrwxrwxrwx 1 root root     27 May 14  2020  607986c7.0 -> DigiCert_Global_Root_G2.pem
lrwxrwxrwx 1 root root     26 May 14  2020  5d3033c5.0 -> TrustCor_RootCert_CA-1.pem
lrwxrwxrwx 1 root root     26 May 14  2020  5cd81ad7.0 -> TeliaSonera_Root_CA_v1.pem
lrwxrwxrwx 1 root root     38 May 14  2020  5a4d6896.0 -> Staat_der_Nederlanden_Root_CA_-_G3.pem
lrwxrwxrwx 1 root root     28 May 14  2020  57bcb2da.0 -> SwissSign_Silver_CA_-_G2.pem
lrwxrwxrwx 1 root root     27 May 14  2020  54657681.0 -> Buypass_Class_2_Root_CA.pem
lrwxrwxrwx 1 root root     26 May 14  2020  4f316efb.0 -> SwissSign_Gold_CA_-_G2.pem
lrwxrwxrwx 1 root root     45 May 14  2020  4bfab552.0 -> Starfield_Root_Certificate_Authority_-_G2.pem
lrwxrwxrwx 1 root root     27 May 14  2020  4a6481c9.0 -> GlobalSign_Root_CA_-_R2.pem
lrwxrwxrwx 1 root root     34 May 14  2020  40547a79.0 -> COMODO_Certification_Authority.pem
lrwxrwxrwx 1 root root     16 May 14  2020  4042bcee.0 -> ISRG_Root_X1.pem
lrwxrwxrwx 1 root root     31 May 14  2020  40193066.0 -> Certum_Trusted_Network_CA_2.pem
lrwxrwxrwx 1 root root     26 May 14  2020  3e44d2f7.0 -> TrustCor_RootCert_CA-2.pem
lrwxrwxrwx 1 root root     61 May 14  2020  3bde41ac.0 -> Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
lrwxrwxrwx 1 root root     10 May 14  2020  349f2832.0 -> EC-ACC.pem
lrwxrwxrwx 1 root root     59 May 14  2020  32888f65.0 -> Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
lrwxrwxrwx 1 root root     38 May 14  2020  244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem
lrwxrwxrwx 1 root root     32 May 14  2020  1e09d511.0 -> T-TeleSec_GlobalRoot_Class_2.pem
lrwxrwxrwx 1 root root     31 May 14  2020  1d3472b9.0 -> GlobalSign_ECC_Root_CA_-_R5.pem
lrwxrwxrwx 1 root root     59 May 14  2020  1636090b.0 -> Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
lrwxrwxrwx 1 root root     46 May 14  2020  106f3e4d.0 -> Entrust_Root_Certification_Authority_-_EC1.pem
lrwxrwxrwx 1 root root     26 May 14  2020  0f6fa695.0 -> GDCA_TrustAUTH_R5_ROOT.pem
lrwxrwxrwx 1 root root     34 May 14  2020  0c4c9b6c.0 -> Global_Chambersign_Root_-_2008.pem
lrwxrwxrwx 1 root root     16 May 14  2020  0b1b94ef.0 -> CFCA_EV_ROOT.pem
lrwxrwxrwx 1 root root     54 May 14  2020  09789157.0 -> Starfield_Services_Root_Certificate_Authority_-_G2.pem
lrwxrwxrwx 1 root root     50 May 14  2020  06dc52d5.0 -> SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
lrwxrwxrwx 1 root root     27 May 14  2020  062cdee6.0 -> GlobalSign_Root_CA_-_R3.pem
lrwxrwxrwx 1 root root     49 May 14  2020  ff34af3f.0 -> TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem
lrwxrwxrwx 1 root root     24 May 14  2020  f387163d.0 -> Starfield_Class_2_CA.pem
lrwxrwxrwx 1 root root     34 May 14  2020  f3377b1b.0 -> Security_Communication_Root_CA.pem
lrwxrwxrwx 1 root root     41 May 14  2020  f30dd6ad.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root     34 May 14  2020  ef954a4e.0 -> IdenTrust_Commercial_Root_CA_1.pem
lrwxrwxrwx 1 root root     28 May 14  2020  ee64a828.0 -> Comodo_AAA_Services_root.pem
lrwxrwxrwx 1 root root     27 May 14  2020  dc4d6a89.0 -> GlobalSign_Root_CA_-_R6.pem
lrwxrwxrwx 1 root root     22 May 14  2020  d7e8dc79.0 -> QuoVadis_Root_CA_2.pem
lrwxrwxrwx 1 root root     34 May 14  2020  cd58d51e.0 -> Security_Communication_RootCA2.pem
lrwxrwxrwx 1 root root     14 May 14  2020  cc450945.0 -> Izenpe.com.pem
lrwxrwxrwx 1 root root     36 May 14  2020  c47d9980.0 -> Chambers_of_Commerce_Root_-_2008.pem
lrwxrwxrwx 1 root root     23 May 14  2020  b727005e.0 -> AffirmTrust_Premium.pem
lrwxrwxrwx 1 root root     31 May 14  2020  9d04f354.0 -> DigiCert_Assured_ID_Root_G2.pem
lrwxrwxrwx 1 root root     27 May 14  2020  9c8dfbd4.0 -> AffirmTrust_Premium_ECC.pem
lrwxrwxrwx 1 root root     26 May 14  2020  93bc0acc.0 -> AffirmTrust_Networking.pem
lrwxrwxrwx 1 root root     20 May 14  2020  8d86cdd1.0 -> certSIGN_ROOT_CA.pem
lrwxrwxrwx 1 root root     34 May 14  2020  8160b96c.0 -> Microsec_e-Szigno_Root_CA_2009.pem
lrwxrwxrwx 1 root root     28 May 14  2020  75d1b2ed.0 -> DigiCert_Trusted_Root_G4.pem
lrwxrwxrwx 1 root root     24 May 14  2020  706f604c.0 -> XRamp_Global_CA_Root.pem
lrwxrwxrwx 1 root root     44 May 14  2020  6fa5da56.0 -> SSL.com_Root_Certification_Authority_RSA.pem
lrwxrwxrwx 1 root root     40 May 14  2020  6b99d060.0 -> Entrust_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root     29 May 14  2020  653b494a.0 -> Baltimore_CyberTrust_Root.pem
lrwxrwxrwx 1 root root     23 May 14  2020  5f15c80c.0 -> TWCA_Global_Root_CA.pem
lrwxrwxrwx 1 root root     22 May 14  2020  5ad8a5d6.0 -> GlobalSign_Root_CA.pem
lrwxrwxrwx 1 root root     32 May 14  2020  5443e9e3.0 -> T-TeleSec_GlobalRoot_Class_3.pem
lrwxrwxrwx 1 root root     35 May 14  2020  5273a94c.0 -> E-Tugra_Certification_Authority.pem
lrwxrwxrwx 1 root root     29 May 14  2020  48bec511.0 -> Certum_Trusted_Network_CA.pem
lrwxrwxrwx 1 root root     43 May 14  2020  4304c5e5.0 -> Network_Solutions_Certificate_Authority.pem
lrwxrwxrwx 1 root root     27 May 14  2020  3e45d192.0 -> Hongkong_Post_Root_CA_1.pem
lrwxrwxrwx 1 root root     27 May 14  2020  3513523f.0 -> DigiCert_Global_Root_CA.pem
lrwxrwxrwx 1 root root     26 May 14  2020  2b349938.0 -> AffirmTrust_Commercial.pem
lrwxrwxrwx 1 root root     20 May 14  2020  2ae6433e.0 -> CA_Disig_Root_R2.pem
lrwxrwxrwx 1 root root     37 May 14  2020  1e08bfd1.0 -> IdenTrust_Public_Sector_Root_CA_1.pem
lrwxrwxrwx 1 root root     23 May 14  2020  18856ac4.0 -> SecureSign_RootCA11.pem
lrwxrwxrwx 1 root root     49 May 14  2020  116bf586.0 -> GeoTrust_Primary_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root     44 May 14  2020  0bf05006.0 -> SSL.com_Root_Certification_Authority_ECC.pem
lrwxrwxrwx 1 root root     20 May 14  2020  080911ac.0 -> QuoVadis_Root_CA.pem
lrwxrwxrwx 1 root root     25 May 14  2020  064e0aa9.0 -> QuoVadis_Root_CA_2_G3.pem
lrwxrwxrwx 1 root root     36 May 14  2020  03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root     45 May 14  2020  02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
-rw-r--r-- 1 root root   1188 Aug 13  2020  ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root     21 Aug 13  2020  d41a8ecc -> ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root     55 Jun 16 07:02  Certigna_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Certigna_Root_CA.crt
lrwxrwxrwx 1 root root     80 Jun 16 07:02  Entrust_Root_Certification_Authority_-_G4.pem -> /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G4.crt
lrwxrwxrwx 1 root root     50 Jun 16 07:02  GTS_Root_R1.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R1.crt
lrwxrwxrwx 1 root root     50 Jun 16 07:02  GTS_Root_R2.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R2.crt
lrwxrwxrwx 1 root root     50 Jun 16 07:02  GTS_Root_R3.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R3.crt
lrwxrwxrwx 1 root root     50 Jun 16 07:02  GTS_Root_R4.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R4.crt
lrwxrwxrwx 1 root root     62 Jun 16 07:02  Hongkong_Post_Root_CA_3.pem -> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt
lrwxrwxrwx 1 root root     84 Jun 16 07:02  Microsoft_RSA_Root_Certificate_Authority_2017.pem -> /usr/share/ca-certificates/mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt
lrwxrwxrwx 1 root root     84 Jun 16 07:02  Microsoft_ECC_Root_Certificate_Authority_2017.pem -> /usr/share/ca-certificates/mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt
lrwxrwxrwx 1 root root     80 Jun 16 07:02  NAVER_Global_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/NAVER_Global_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root     79 Jun 16 07:02  Trustwave_Global_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Trustwave_Global_Certification_Authority.crt
lrwxrwxrwx 1 root root     88 Jun 16 07:02  Trustwave_Global_ECC_P256_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Trustwave_Global_ECC_P256_Certification_Authority.crt
lrwxrwxrwx 1 root root     88 Jun 16 07:02  Trustwave_Global_ECC_P384_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Trustwave_Global_ECC_P384_Certification_Authority.crt
lrwxrwxrwx 1 root root     67 Jun 16 07:02  UCA_Extended_Validation_Root.pem -> /usr/share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt
lrwxrwxrwx 1 root root     57 Jun 16 07:02  UCA_Global_G2_Root.pem -> /usr/share/ca-certificates/mozilla/UCA_Global_G2_Root.crt
lrwxrwxrwx 1 root root     58 Jun 16 07:02  certSIGN_Root_CA_G2.pem -> /usr/share/ca-certificates/mozilla/certSIGN_Root_CA_G2.crt
lrwxrwxrwx 1 root root     60 Jun 16 07:02  e-Szigno_Root_CA_2017.pem -> /usr/share/ca-certificates/mozilla/e-Szigno_Root_CA_2017.crt
lrwxrwxrwx 1 root root     62 Jun 16 07:02  emSign_ECC_Root_CA_-_C3.pem -> /usr/share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_C3.crt
lrwxrwxrwx 1 root root     62 Jun 16 07:02  emSign_ECC_Root_CA_-_G3.pem -> /usr/share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_G3.crt
lrwxrwxrwx 1 root root     58 Jun 16 07:02  emSign_Root_CA_-_C1.pem -> /usr/share/ca-certificates/mozilla/emSign_Root_CA_-_C1.crt
lrwxrwxrwx 1 root root     58 Jun 16 07:02  emSign_Root_CA_-_G1.pem -> /usr/share/ca-certificates/mozilla/emSign_Root_CA_-_G1.crt
lrwxrwxrwx 1 root root     20 Jun 16 07:02  f51bb24c.0 -> Certigna_Root_CA.pem
lrwxrwxrwx 1 root root     44 Jun 16 07:02  f249de83.0 -> Trustwave_Global_Certification_Authority.pem
lrwxrwxrwx 1 root root     25 Jun 16 07:02  e868b802.0 -> e-Szigno_Root_CA_2017.pem
lrwxrwxrwx 1 root root     53 Jun 16 07:02  d887a5bb.0 -> Trustwave_Global_ECC_P384_Certification_Authority.pem
lrwxrwxrwx 1 root root     21 Jun 16 07:02  d41a8ecc.0 -> ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root     22 Jun 16 07:02  c01eb047.0 -> UCA_Global_G2_Root.pem
lrwxrwxrwx 1 root root     49 Jun 16 07:02  bf53fb88.0 -> Microsoft_RSA_Root_Certificate_Authority_2017.pem
lrwxrwxrwx 1 root root     15 Jun 16 07:02  a3418fda.0 -> GTS_Root_R4.pem
lrwxrwxrwx 1 root root     53 Jun 16 07:02  9b5697b0.0 -> Trustwave_Global_ECC_P256_Certification_Authority.pem
lrwxrwxrwx 1 root root     49 Jun 16 07:02  8d89cda1.0 -> Microsoft_ECC_Root_Certificate_Authority_2017.pem
lrwxrwxrwx 1 root root     27 Jun 16 07:02  68dd7389.0 -> Hongkong_Post_Root_CA_3.pem
lrwxrwxrwx 1 root root     15 Jun 16 07:02  626dceaf.0 -> GTS_Root_R2.pem
lrwxrwxrwx 1 root root     23 Jun 16 07:02  5f618aec.0 -> certSIGN_Root_CA_G2.pem
lrwxrwxrwx 1 root root     45 Jun 16 07:02  5e98733a.0 -> Entrust_Root_Certification_Authority_-_G4.pem
lrwxrwxrwx 1 root root     27 Jun 16 07:02  4b718d9b.0 -> emSign_ECC_Root_CA_-_C3.pem
lrwxrwxrwx 1 root root     23 Jun 16 07:02  406c9bb1.0 -> emSign_Root_CA_-_C1.pem
lrwxrwxrwx 1 root root     45 Jun 16 07:02  3fb36b73.0 -> NAVER_Global_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root     23 Jun 16 07:02  2923b3f9.0 -> emSign_Root_CA_-_G1.pem
lrwxrwxrwx 1 root root     27 Jun 16 07:02  14bc7599.0 -> emSign_ECC_Root_CA_-_G3.pem
lrwxrwxrwx 1 root root     15 Jun 16 07:02  1001acf7.0 -> GTS_Root_R1.pem
lrwxrwxrwx 1 root root     32 Jun 16 07:02  0f5dc4f3.0 -> UCA_Extended_Validation_Root.pem
lrwxrwxrwx 1 root root     15 Jun 16 07:02  0a775a30.0 -> GTS_Root_R3.pem
-rw-r--r-- 1 root root 199113 Nov 29 10:14  ca-certificates.crt

@MikeMcQ it didn't work either forcing tls1.2 :cry: but it was worth trying

> curl -v --tls-max 1.2 https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
5 Likes
32

Please show:
cat /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

5 Likes
33 
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
3 Likes
34

That is the right cert.

5 Likes
35

I don't know if you could double check if something changed on your side about our ip @lestaff :cry: All tests I did these past days indicate that it should work, digitalocean staff didn't found anything wrong either, and I'm a bit lost right now :persevere:

2 Likes
36

Are you able to do packet capture?

5 Likes
37

Hello @bruncsak, thanks for the suggestion :grin: I've just used "tcpdump -vv host acme-v02.api.letsencrypt.org" on both original and cloned servers and then did a "curl acme-v02.api.letsencrypt.org", here are the outputs;

Original server:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:13:49.692371 IP (tos 0x0, ttl 64, id 49749, offset 0, flags [DF], proto TCP (6), length 60)
    188.166.113.247.49034 > 172.65.32.248.https: Flags [S], cksum 0xfc05 (incorrect -> 0x7978), seq 1356539402, win 64240, options [mss 1460,sackOK,TS val 2516191642 ecr 0,nop,wscale 7], length 0
12:13:49.694315 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.65.32.248.https > 188.166.113.247.49034: Flags [S.], cksum 0x38f9 (correct), seq 1936821964, ack 1356539403, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
12:13:49.694354 IP (tos 0x0, ttl 64, id 49750, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.113.247.49034 > 172.65.32.248.https: Flags [.], cksum 0xfbf1 (incorrect -> 0x779c), seq 1, ack 1, win 502, length 0
12:13:49.696497 IP (tos 0x0, ttl 60, id 55356, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.113.247.49034: Flags [F.], cksum 0x7951 (correct), seq 1, ack 1, win 64, length 0
12:13:49.698309 IP (tos 0x0, ttl 64, id 49751, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.113.247.49034 > 172.65.32.248.https: Flags [.], cksum 0xfbf1 (incorrect -> 0x779b), seq 1, ack 2, win 502, length 0
12:13:49.701277 IP (tos 0x0, ttl 64, id 49752, offset 0, flags [DF], proto TCP (6), length 557)
    188.166.113.247.49034 > 172.65.32.248.https: Flags [P.], cksum 0xfdf6 (incorrect -> 0x82c3), seq 1:518, ack 2, win 502, length 517
12:13:49.701773 IP (tos 0x0, ttl 64, id 49753, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.113.247.49034 > 172.65.32.248.https: Flags [F.], cksum 0xfbf1 (incorrect -> 0x7595), seq 518, ack 2, win 502, length 0
12:13:49.702382 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.113.247.49034: Flags [R], cksum 0xf083 (correct), seq 1936821966, win 0, length 0
12:13:49.702826 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.113.247.49034: Flags [R], cksum 0xf083 (correct), seq 1936821966, win 0, length 0

Cloned server:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:16:06.653142 IP (tos 0x0, ttl 64, id 1237, offset 0, flags [DF], proto TCP (6), length 60)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [S], cksum 0xc0a0 (incorrect -> 0x761b), seq 699931892, win 64240, options [mss 1460,sackOK,TS val 1643363034 ecr 0,nop,wscale 7], length 0
12:16:06.655259 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.65.32.248.https > 188.166.54.146.45388: Flags [S.], cksum 0x6ca9 (correct), seq 1989136858, ack 699931893, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
12:16:06.655300 IP (tos 0x0, ttl 64, id 1238, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [.], cksum 0xc08c (incorrect -> 0xab4c), seq 1, ack 1, win 502, length 0
12:16:06.663127 IP (tos 0x0, ttl 64, id 1239, offset 0, flags [DF], proto TCP (6), length 557)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [P.], cksum 0xc291 (incorrect -> 0x99fd), seq 1:518, ack 1, win 502, length 517
12:16:06.664308 IP (tos 0x0, ttl 60, id 58976, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [.], cksum 0xaafb (correct), seq 1, ack 518, win 66, length 0
12:16:06.899279 IP (tos 0x0, ttl 60, id 58977, offset 0, flags [DF], proto TCP (6), length 2088)
    172.65.32.248.https > 188.166.54.146.45388: Flags [P.], cksum 0xc88c (incorrect -> 0x5865), seq 1:2049, ack 518, win 66, length 2048
12:16:06.899279 IP (tos 0x0, ttl 60, id 58979, offset 0, flags [DF], proto TCP (6), length 1382)
    172.65.32.248.https > 188.166.54.146.45388: Flags [P.], cksum 0x3fe3 (correct), seq 2049:3391, ack 518, win 66, length 1342
12:16:06.899326 IP (tos 0x0, ttl 64, id 1240, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [.], cksum 0xc08c (incorrect -> 0xa14c), seq 518, ack 2049, win 497, length 0
12:16:06.899340 IP (tos 0x0, ttl 64, id 1241, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [.], cksum 0xc08c (incorrect -> 0x9c14), seq 518, ack 3391, win 491, length 0
12:16:06.900146 IP (tos 0x0, ttl 64, id 1242, offset 0, flags [DF], proto TCP (6), length 120)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [P.], cksum 0xc0dc (incorrect -> 0xb82d), seq 518:598, ack 3391, win 501, length 80
12:16:06.900286 IP (tos 0x0, ttl 64, id 1243, offset 0, flags [DF], proto TCP (6), length 86)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [P.], cksum 0xc0ba (incorrect -> 0x10db), seq 598:644, ack 3391, win 501, length 46
12:16:06.900330 IP (tos 0x0, ttl 64, id 1244, offset 0, flags [DF], proto TCP (6), length 89)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [P.], cksum 0xc0bd (incorrect -> 0xdac2), seq 644:693, ack 3391, win 501, length 49
12:16:06.900372 IP (tos 0x0, ttl 64, id 1245, offset 0, flags [DF], proto TCP (6), length 75)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [P.], cksum 0xc0af (incorrect -> 0x357e), seq 693:728, ack 3391, win 501, length 35
12:16:06.900428 IP (tos 0x0, ttl 64, id 1246, offset 0, flags [DF], proto TCP (6), length 111)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [P.], cksum 0xc0d3 (incorrect -> 0x1bf4), seq 728:799, ack 3391, win 501, length 71
12:16:06.901272 IP (tos 0x0, ttl 60, id 58980, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [.], cksum 0x9d6d (correct), seq 3391, ack 598, win 66, length 0
12:16:06.901377 IP (tos 0x0, ttl 60, id 58981, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [.], cksum 0x9d3f (correct), seq 3391, ack 644, win 66, length 0
12:16:06.901464 IP (tos 0x0, ttl 60, id 58982, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [.], cksum 0x9d0e (correct), seq 3391, ack 693, win 66, length 0
12:16:06.901464 IP (tos 0x0, ttl 60, id 58983, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [.], cksum 0x9ceb (correct), seq 3391, ack 728, win 66, length 0
12:16:06.901535 IP (tos 0x0, ttl 60, id 58984, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [.], cksum 0x9ca4 (correct), seq 3391, ack 799, win 66, length 0
12:16:07.017679 IP (tos 0x0, ttl 60, id 58985, offset 0, flags [DF], proto TCP (6), length 119)
    172.65.32.248.https > 188.166.54.146.45388: Flags [P.], cksum 0x2845 (correct), seq 3391:3470, ack 799, win 66, length 79
12:16:07.017720 IP (tos 0x0, ttl 64, id 1247, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [.], cksum 0xc08c (incorrect -> 0x9aa2), seq 799, ack 3470, win 501, length 0
12:16:07.017903 IP (tos 0x0, ttl 60, id 58986, offset 0, flags [DF], proto TCP (6), length 181)
    172.65.32.248.https > 188.166.54.146.45388: Flags [P.], cksum 0x20cd (correct), seq 3470:3611, ack 799, win 66, length 141
12:16:07.017903 IP (tos 0x0, ttl 60, id 58987, offset 0, flags [DF], proto TCP (6), length 216)
    172.65.32.248.https > 188.166.54.146.45388: Flags [P.], cksum 0x2ca2 (correct), seq 3611:3787, ack 799, win 66, length 176
12:16:07.017916 IP (tos 0x0, ttl 64, id 1248, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [.], cksum 0xc08c (incorrect -> 0x9a15), seq 799, ack 3611, win 501, length 0
12:16:07.017924 IP (tos 0x0, ttl 64, id 1249, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [.], cksum 0xc08c (incorrect -> 0x9966), seq 799, ack 3787, win 500, length 0
12:16:07.018019 IP (tos 0x0, ttl 64, id 1250, offset 0, flags [DF], proto TCP (6), length 71)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [P.], cksum 0xc0ab (incorrect -> 0xd3c0), seq 799:830, ack 3787, win 500, length 31
12:16:07.018159 IP (tos 0x0, ttl 60, id 58988, offset 0, flags [DF], proto TCP (6), length 2245)
    172.65.32.248.https > 188.166.54.146.45388: Flags [P.], cksum 0xc929 (incorrect -> 0xd9e9), seq 3787:5992, ack 799, win 66, length 2205
12:16:07.018169 IP (tos 0x0, ttl 64, id 1251, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [.], cksum 0xc08c (incorrect -> 0x90ad), seq 830, ack 5992, win 497, length 0
12:16:07.018324 IP (tos 0x0, ttl 64, id 1252, offset 0, flags [DF], proto TCP (6), length 64)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [P.], cksum 0xc0a4 (incorrect -> 0xe933), seq 830:854, ack 5992, win 501, length 24
12:16:07.019008 IP (tos 0x0, ttl 64, id 1253, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [F.], cksum 0xc08c (incorrect -> 0x9090), seq 854, ack 5992, win 501, length 0
12:16:07.019138 IP (tos 0x0, ttl 60, id 58990, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [.], cksum 0x925c (correct), seq 5992, ack 830, win 66, length 0
12:16:07.019445 IP (tos 0x0, ttl 60, id 58991, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [.], cksum 0x9244 (correct), seq 5992, ack 854, win 66, length 0
12:16:07.060363 IP (tos 0x0, ttl 60, id 58992, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [.], cksum 0x9243 (correct), seq 5992, ack 855, win 66, length 0
12:16:07.135904 IP (tos 0x0, ttl 60, id 58993, offset 0, flags [DF], proto TCP (6), length 40)
    172.65.32.248.https > 188.166.54.146.45388: Flags [F.], cksum 0x9242 (correct), seq 5992, ack 855, win 66, length 0
12:16:07.135953 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    188.166.54.146.45388 > 172.65.32.248.https: Flags [.], cksum 0x908f (correct), seq 855, ack 5993, win 501, length 0
3 Likes
38

I'm sorry this problem continues. I can check again, but nothing should be changed on our side. Please DM any IPs that are having problems including IPv6.

6 Likes
39

Well, there was a happy plot twist :grin: . I've just checked again before sending the DM and now it is working :partying_face: I haven't touched the server since this morning so it seems that whatever was avoiding the connection, it was temporary.

Thank you all for your help and your suggestions this week :relaxed: @rg305 @jillian @bruncsak @JimPas @MikeMcQ You saved me from insanity :smiley:

Regards!

7 Likes
40

Hi there! We unfortunately started seeing what appears to be the same problem as CBImag was hitting, starting at 2021-12-03T20:05:21.264492Z, ramping up pretty sharply from there, and still ongoing. Our connections to acme-v02.api.letsencrypt.org are immediately getting closed, before starting the TLS handshake. Works fine from an identical setup running in a different VPC, so we suspect it's some IP-based filtering/blocking going on?

~ $ openssl version                                                            
OpenSSL 1.1.1f  31 Mar 2020
~ $ openssl s_client -connect acme-v02.api.letsencrypt.org:443 \                                     
> -servername acme-v02.api.letsencrypt.org -debug
CONNECTED(00000003)
write to 0x55c149122b90 [0x55c149132f10] (320 bytes => 320 (0x140))
0000 - 16 03 01 01 3b 01 00 01-37 03 03 83 17 2a 8a 0a   ....;...7....*..
0010 - 68 b4 36 11 c8 10 81 ae-4d 81 92 9f a7 f6 ec 3a   h.6.....M......:
0020 - d7 b5 d6 5a 98 1e 46 ff-5d c4 5b 20 b3 f6 3f 7d   ...Z..F.].[ ..?}
0030 - ec 2a 94 dd 48 5e 97 ac-96 e2 78 fa 53 6d 66 cb   .*..H^....x.Smf.
0040 - 31 79 3b ca 37 e1 4a e6-aa 40 7d 14 00 3e 13 02   1y;.7.J..@}..>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa   .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27   .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d   .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 b0   ...=.<.5./......
0090 - 00 00 00 21 00 1f 00 00-1c 61 63 6d 65 2d 76 30   ...!.....acme-v0
00a0 - 32 2e 61 70 69 2e 6c 65-74 73 65 6e 63 72 79 70   2.api.letsencryp
00b0 - 74 2e 6f 72 67 00 0b 00-04 03 00 01 02 00 0a 00   t.org...........
00c0 - 0c 00 0a 00 1d 00 17 00-1e 00 19 00 18 00 23 00   ..............#.
00d0 - 00 00 16 00 00 00 17 00-00 00 0d 00 2a 00 28 04   ............*.(.
00e0 - 03 05 03 06 03 08 07 08-08 08 09 08 0a 08 0b 08   ................
00f0 - 04 08 05 08 06 04 01 05-01 06 01 03 03 03 01 03   ................
0100 - 02 04 02 05 02 06 02 00-2b 00 05 04 03 04 03 03   ........+.......
0110 - 00 2d 00 02 01 01 00 33-00 26 00 24 00 1d 00 20   .-.....3.&.$... 
0120 - e7 07 d7 bc 25 97 f1 5b-62 be ed 84 95 bd d9 f4   ....%..[b.......
0130 - b2 30 b3 76 86 e4 00 2e-6b 19 1e f1 24 d0 31 6f   .0.v....k...$.1o
read from 0x55c149122b90 [0x55c149129c73] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x55c149122b90 [0x55c149117f60] (8192 bytes => 0 (0x0))

Public IPs for the impacted VPC's NAT gateways:

34.193.80.114
34.193.80.31
34.193.31.190
34.193.80.117

Anything we can do to get these IPs unblocked? Thanks!

2 Likes
41

Please show the outputs of:

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
echo | openssl s_client -connect google.com:443 | head

[while we wait for the IPs to be unblocked]

5 Likes
42

Thanks for taking a look!

~ $ echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
~ $ echo | openssl s_client -connect google.com:443 | head                     
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.google.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
DONE
3 Likes
43

That seems to confirm the IP block.

5 Likes
44

Hi, @david-at-heroku,

We had blocked two of these IPs; I've unblocked them for you. We were observing many, frequent, persistent attempts to validate hostnames that were always failing validation.

7 Likes
45

Thank you! I can confirm that things are working for us again now, and really appreciate the quick response!

The system in question generates certificates for apps hosted on Heroku. We certainly have a number of customers who attach a custom domain to their app without actually setting the DNS entries for that domain up correctly to point at us. The system does a number of pre-flight validations to try to confirm that everything looks good before it calls LetsEncrypt, sounds like maybe something is/was slipping through that filter? We'll dig into the logs on our side and see if we can find anything.

8 Likes
46

Hi,
I post on this topic because I think we have also our public IP blocked when we try re-new certificate : like @david-at-heroku , the return of my command

openssl s_client -connect acme-v02.api.letsencrypt.org:443

is

write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported

@JamesLE please can you check if this IP is blocked and unlock it if needed :

54.36.114.229

Thanks a lot.

4 Likes
47

Yes, this IP had been blocked because of many, repeated requests that were always failing validation. I've now unblocked it.

5 Likes