Cert working, but hangs at Client hello

My domain is: mastodon.lol

I ran this command: certbot --nginx -d mastodon.lol

It produced this output: it installed successfully

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.4

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I had an expired certificate for a long time (500+ days) but it wasn't an issue because I'm using CloudFlare. Today I had trouble with CloudFlare connecting to my server so I decided to renew my LE certificate to see if that would help.

That fixed the issue I was having, I got a new certificate with a problem, but now I'm unable to connect to any website which uses LE certificates from my server.

root@mastodon:~# curl -vv https://tech.lgbt/
*   Trying 198.199.90.37:443...
* TCP_NODELAY set
* Connected to tech.lgbt (198.199.90.37) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):


* OpenSSL SSL_connect: Connection reset by peer in connection to tech.lgbt:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to tech.lgbt:443

It's not a firewall issue. I can curl to non-LE https sites. These sites aren't blocking my server IP, I can pick any website with a LE certificate and I cannot curl/wget/anything with it.

I've tried:

dpkg-reconfigure ca-certificates

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Processing triggers for ca-certificates (20210119~20.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

updates of cacerts keystore disabled.
done.

and:

update-ca-certificates --fresh

Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
128 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

updates of cacerts keystore disabled.
done.

with no luck. I've also rebooted just to be sure.

Any help would be greatly appreciated.

Hi @nmalcolm, and welcome to the LE community forum :slight_smile:

That is a very strange reaction for Ubuntu 20.
[which should have all the latest root certs]

Please show:
curl --version

I get:

curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

And...
What shows:
curl -Iv https://acme-v02.api.letsencrypt.org/directory

I woke up and the issue had resolved itself overnight. Still baffled by the entire thing but I'm glad I don't have to spend my Sunday debugging it.

Output of those commands in case it helps a future user in the same position:

curl --version:

curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

curl -Iv https://acme-v02.api.letsencrypt.org/directory:

*   Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Apr 16 16:55:15 2022 GMT
*  expire date: Jul 15 16:55:14 2022 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f5584ec8800)
> HEAD /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< server: nginx
server: nginx
< date: Sat, 23 Apr 2022 23:52:30 GMT
date: Sat, 23 Apr 2022 23:52:30 GMT
< content-type: application/json
content-type: application/json
< content-length: 658
content-length: 658
< cache-control: public, max-age=0, no-cache
cache-control: public, max-age=0, no-cache
< replay-nonce: 0002_5dys60UY_uuduPKlN0ZM0HxdEsozMDFoNWVsETe-Ik
replay-nonce: 0002_5dys60UY_uuduPKlN0ZM0HxdEsozMDFoNWVsETe-Ik
< x-frame-options: DENY
x-frame-options: DENY
< strict-transport-security: max-age=604800
strict-transport-security: max-age=604800

<
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
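Read side by side, the two traces above show why rebuilding ca-certificates could not have helped: in the failing one the peer resets the connection right after Client hello, before any Server hello or certificate arrives, so the local trust store was never consulted. The classifier below is an added example (not part of the thread) that makes that distinction mechanically from `curl -v` output; the trace excerpts are constructed from the posts above.

```python
import re
from dataclasses import dataclass, field

# Matches curl's per-message trace lines, e.g. "* TLSv1.3 (IN), TLS handshake, Server hello (2):"
HANDSHAKE_RE = re.compile(r"^\* TLSv1\.[23] \((IN|OUT)\), TLS handshake, (.+?) \(\d+\):")

@dataclass
class HandshakeSummary:
    sent: list = field(default_factory=list)      # handshake messages curl sent (OUT)
    received: list = field(default_factory=list)  # handshake messages the server sent (IN)
    verdict: str = "incomplete: neither a failure nor a verification result was seen"

def classify_curl_trace(trace: str) -> HandshakeSummary:
    """Summarise a `curl -v` TLS trace and say at which stage the connection failed."""
    s = HandshakeSummary()
    reset = verify_ok = verify_failed = False
    for line in trace.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            (s.sent if m.group(1) == "OUT" else s.received).append(m.group(2))
        elif "Connection reset by peer" in line:
            reset = True
        elif "SSL certificate verify ok" in line:
            verify_ok = True
        elif "certificate verify failed" in line or "SSL certificate problem" in line:
            verify_failed = True
    if verify_failed:
        s.verdict = "trust store: certificate was received but failed verification"
    elif verify_ok:
        s.verdict = "ok: handshake completed and certificate verified"
    elif reset and not s.received:
        # Nothing came back after Client hello, so no certificate was seen and the trust store is not the cause.
        s.verdict = "transport: peer reset before Server hello; trust store never consulted"
    elif reset:
        s.verdict = "transport: peer reset mid-handshake after " + s.received[-1]
    return s

# Constructed excerpts of the failing and the working traces from the thread.
RESET_TRACE = """\
* Connected to tech.lgbt (198.199.90.37) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to tech.lgbt:443
"""
OK_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
*  SSL certificate verify ok.
"""
```

A genuine trust-store problem looks different in the trace: the Certificate message is received and curl then reports a verification error, which the classifier reports as "trust store".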

Glad to hear that :slight_smile:
[ghost in the machine - lol]
