Certificate request : connection reset in IPv4

Help
1

Hello!

My Trarfik reverse proxy cannot perform any certificate requests since one day with error like:

Unable to obtain ACME certificate for domains \"xxxxxxxx\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": read tcp 192.168.250.6:48558->172.65.32.248:443: read: connection reset by peer

When I try a request with curl :

# curl -4 -vvv https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

This problem occurs only in IPv4

with IPv6, on the same host and the same shell, it'OK:

# curl -6 https://acme-v02.api.letsencrypt.org/directory
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "oa_sInefpb4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"

Is my IPv4 217.79.184.103 is blocked?

Thanks for your help,
Emeric

1 Like
2

I have found the same problem here Openssl connect error, write:error=104
but no solution :frowning_with_open_mouth:

1 Like
3

I'm not sure if these errors are typical for a blocked IP address, but I think it's a good idea to check it anyway, just to be sure. @lestaff: could you please check this IP address for the block list? Thanks!

4 Likes
4

Ok, related to this issue, Traefik try to renew outdated certificates (on no longer valid domain names) and may cause this issue?

I had cleaned the Traefik certificate store from outdated certificate manually.

1 Like
5

According to this thread/comment, My IP may be blocked as DDoS mitigation...

1 Like
6

That thread indeed also has the "SSL_ERROR_SYSCALL" error mentioned. Let's just wait from the LE staff to check if your IP is indeed blocked or not.

Did you acquire that IP address recently? Or is it in use by your hosts longer already?

4 Likes
7

Yes, that IP address was blocked; I've just unblocked it for you.

8 Likes
8

This IP had been acquired since one month ago approximately...

3 Likes
9

Thanks

3 Likes
10

That would mean you inherited the IP block with it and your host was not responsible for the DDoS. Otherwise you'd need to make absolutely sure your host hasn't been infected with malware, but now there's no reason to do so.

4 Likes
11

Yes I think that I inherited a bad IP, also blocked against Outlook post master...

Lestencrypt: One thread, problem resolved until several hours :slight_smile:

Outlook: one month of exchange by email, and no forward :disappointed_relieved:
With Yahoo postmaster service, those are the worst services where I had to exchange.... :yum:

3 Likes
12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.