Certificate request : connection reset in IPv4

Hello!

My Traefik reverse proxy has not been able to perform any certificate requests for the past day, with errors like:

Unable to obtain ACME certificate for domains "xxxxxxxx": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": read tcp 192.168.250.6:48558->172.65.32.248:443: read: connection reset by peer

When I try a request with curl:

# curl -4 -vvv https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

This problem occurs only over IPv4.

With IPv6, on the same host and in the same shell, it's OK:

# curl -6 https://acme-v02.api.letsencrypt.org/directory
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "oa_sInefpb4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"

Is my IPv4 address 217.79.184.103 blocked?

Thanks for your help,
Emeric

1 Like
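An added diagnostic, not part of the original post and not Traefik or Let's Encrypt tooling: a small POSIX shell script that classifies a curl verbose transcript and then compares the IPv4 and IPv6 paths, so that the pattern shown above (TCP reset right after the ClientHello on IPv4 while IPv6 completes) is separated from DNS, connection-refused or certificate-verification failures. The outcome tokens, function names and the two sample transcripts are assumptions constructed for this example; only the `probe_acme` helper at the bottom talks to the network.

```shell
#!/bin/sh
# Added example (not from the original post): classify curl -v output for a
# TLS probe of the ACME directory and compare the IPv4 and IPv6 results.

ACME_DIR_URL="https://acme-v02.api.letsencrypt.org/directory"

# classify_probe reads one curl -v transcript (stdout+stderr) on stdin and
# prints a single outcome token. Token names are this example's own.
classify_probe() {
  out=$(cat)
  case "$out" in
    *"Could not resolve host"*)                            echo dns_failure ;;
    *"Connection refused"*)                                echo tcp_refused ;;
    *"certificate verify failed"*|*"SSL certificate problem"*)
                                                           echo tls_cert_error ;;
    *'"newNonce"'*)                                        echo ok ;;
    *)
      # We sent a ClientHello and the connection died (SSL_ERROR_SYSCALL or
      # an explicit reset). If no ServerHello ever arrived, the peer or a
      # middlebox in front of it dropped us before speaking TLS; that is how
      # an IP-level block looks from the client side.
      case "$out" in
        *"Client hello"*"SSL_ERROR_SYSCALL"*|*"Client hello"*"onnection reset by peer"*)
          case "$out" in
            *"Server hello"*) echo tls_failure_after_serverhello ;;
            *)                echo reset_after_clienthello ;;
          esac ;;
        *) echo unknown_failure ;;
      esac ;;
  esac
}

# compare_paths takes the IPv4 and IPv6 tokens and prints a verdict line.
compare_paths() {
  v4="$1"; v6="$2"
  if [ "$v4" = ok ] && [ "$v6" = ok ]; then
    echo "both paths reach the ACME directory"
  elif [ "$v4" = reset_after_clienthello ] && [ "$v6" = ok ]; then
    echo "IPv4 address is likely blocked or filtered: reset after ClientHello on v4, v6 works"
  elif [ "$v6" = reset_after_clienthello ] && [ "$v4" = ok ]; then
    echo "IPv6 address is likely blocked or filtered: reset after ClientHello on v6, v4 works"
  else
    echo "mixed result: v4=$v4 v6=$v6"
  fi
}

# probe_acme runs the live check (network required). Pass -4 or -6.
probe_acme() {
  curl "$1" -sS -v --max-time 15 "$ACME_DIR_URL" 2>&1 | classify_probe
}

# Constructed sample transcripts, modelled on the curl output in the post
# above; they were not captured for this example.
SAMPLE_V4_RESET='*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443'

SAMPLE_V6_OK='* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
< HTTP/2 200
{
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order"
}'

# demo_verdict classifies the two samples offline and prints the verdict.
demo_verdict() {
  v4=$(printf '%s\n' "$SAMPLE_V4_RESET" | classify_probe)
  v6=$(printf '%s\n' "$SAMPLE_V6_OK" | classify_probe)
  compare_paths "$v4" "$v6"
}

# Offline run on the constructed samples. For a live check use:
#   compare_paths "$(probe_acme -4)" "$(probe_acme -6)"
demo_verdict
```

A reset straight after the ClientHello is consistent with an address-level block but does not prove one: a stateful firewall, a broken middlebox or an MTU problem on the IPv4 path can produce the same transcript. It tells you which layer to ask about (the address, not TLS or ACME); the definitive answer has to come from whoever runs the filter, as it did later in this thread.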

I have found the same problem here: Openssl connect error, write:error=104
but no solution :frowning_with_open_mouth:

1 Like

I'm not sure if these errors are typical for a blocked IP address, but I think it's a good idea to check it anyway, just to be sure. @lestaff: could you please check this IP address for the block list? Thanks!

4 Likes

OK, related to this issue: Traefik tries to renew outdated certificates (for domain names that are no longer valid), and that may be causing this problem?

I have manually cleaned the outdated certificates out of the Traefik certificate store.

1 Like

According to this thread/comment, my IP may be blocked as a DDoS mitigation...

1 Like

That thread indeed also mentions the "SSL_ERROR_SYSCALL" error. Let's just wait for the LE staff to check whether your IP is indeed blocked or not.

Did you acquire that IP address recently? Or has it been in use by your hosts for longer?

4 Likes

Yes, that IP address was blocked; I've just unblocked it for you.

8 Likes

This IP was acquired approximately one month ago...

3 Likes

Thanks

3 Likes

That would mean you inherited the IP block with it and your host was not responsible for the DDoS. Otherwise you'd need to make absolutely sure your host hasn't been infected with malware, but now there's no reason to do so.

4 Likes

Yes, I think I inherited a bad IP; it is also blocked by the Outlook postmaster...

Let's Encrypt: one thread, problem resolved within a few hours :slight_smile:

Outlook: one month of exchanging emails, and no progress :disappointed_relieved:
Along with the Yahoo postmaster service, those are the worst services I have had to deal with.... :yum:

3 Likes
