Hi,
This is an odd one, I have a user who is having problems on one server (Windows Server 2019, using Certify The Web) when performing ACME orders with Let's Encrypt. Normal communication with the API works fine until they get to the Finalize step and the connection abruptly drops.
System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host
Here is an excerpt from the debug log. You can see the POST to get the current status of the Order works fine:
2022-11-14 14:59:49.735 +01:00 [DBG] Http Request: Method: POST, RequestUri: 'https://acme-v02.api.letsencrypt.org/acme/order/801624272/142965326657', Version: 1.1, Content: System.Net.Http.StringContent, Headers:
{
User-Agent: Certify/5.6.8.0
User-Agent: (Windows; Microsoft Windows NT 10.0.17763.0)
User-Agent: Certes/2.4.0.0
User-Agent: .NET/4.0.30319.42000
Content-Type: application/jose+json
}
2022-11-14 14:59:50.060 +01:00 [DBG] Http Response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
Connection: keep-alive
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 327CnFxulwQ9Z9s4qoZjV6pDp-n7_TtyO0l_2akSVR7bH7U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Cache-Control: public, no-cache, max-age=0
Date: Mon, 14 Nov 2022 13:59:50 GMT
Server: nginx
Content-Length: 334
Content-Type: application/json
}
2022-11-14 14:59:50.060 +01:00 [DBG] {
"status": "ready",
"expires": "2022-11-18T06:53:15Z",
"identifiers": [
{
"type": "dns",
"value": "torntwig.se"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/174856301377"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/801624272/142965326657"
}
However, the follow-up POST to /acme/finalize kills the connection at the transport level:
2022-11-14 14:59:50.075 +01:00 [DBG] Http Request: Method: POST, RequestUri: 'https://acme-v02.api.letsencrypt.org/acme/finalize/801624272/142965326657', Version: 1.1, Content: System.Net.Http.StringContent, Headers:
{
User-Agent: Certify/5.6.8.0
User-Agent: (Windows; Microsoft Windows NT 10.0.17763.0)
User-Agent: Certes/2.4.0.0
User-Agent: .NET/4.0.30319.42000
Content-Type: application/jose+json
}
2022-11-14 14:59:50.075 +01:00 [DBG] {"protected":"eyJhbGciOiJFUzI1NiIsImtpZCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODAxNjI0MjcyIiwibm9uY2UiOiIzMjdDbkZ4dWx3UTlaOXM0cW9aalY2cERwLW43X1R0eU8wbF8yYWtTVlI3Ykg3VSIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2ZpbmFsaXplLzgwMTYyNDI3Mi8xNDI5NjUzMjY2NTcifQ","payload":"[payload omitted]","signature":"[redacted]"}
There is no HTTP error returned from the server; it appears to be a failure at the TCP or TLS level:
2022-11-14 14:59:51.130 +01:00 [ERR] Certificate request process failed: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Any thoughts?
The user says there is no firewall or malware preventing communication on their side.
Are there any known conditions where LE will just drop a connection other than when an IP is blocked? For instance, could it be a rate limit or some other kind of protection?
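As an added diagnostic example (not code from the original post, Certify The Web, or Certes), the script below takes the log lines quoted above, base64url-decodes the JWS `protected` header of the finalize POST and checks it against what RFC 8555 section 6.2 requires of an ACME request: a signing algorithm that is neither `none` nor HMAC, exactly one of `kid`/`jwk`, the `nonce` equal to the most recent `Replay-Nonce` the server issued, and the `url` equal to the URL actually posted to. A mismatch on any of these would normally produce an HTTP `badNonce`/`malformed` problem document rather than a transport-level reset, so a clean result points the investigation away from the client's request and towards the network path. The `LOG_EXCERPT` is a constructed condensation of the post's log; the payload and signature placeholders stand in for the redacted values.

```python
import base64
import json
import re

# Constructed excerpt reproducing the relevant lines of the debug log quoted in
# the post: the Replay-Nonce from the order status response, then the finalize
# request line and its JWS body. Payload and signature are redacted in the post,
# so they are placeholders here as well.
LOG_EXCERPT = """\
2022-11-14 14:59:50.060 +01:00 [DBG] Http Response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1
Replay-Nonce: 327CnFxulwQ9Z9s4qoZjV6pDp-n7_TtyO0l_2akSVR7bH7U
2022-11-14 14:59:50.075 +01:00 [DBG] Http Request: Method: POST, RequestUri: 'https://acme-v02.api.letsencrypt.org/acme/finalize/801624272/142965326657', Version: 1.1
2022-11-14 14:59:50.075 +01:00 [DBG] {"protected":"eyJhbGciOiJFUzI1NiIsImtpZCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODAxNjI0MjcyIiwibm9uY2UiOiIzMjdDbkZ4dWx3UTlaOXM0cW9aalY2cERwLW43X1R0eU8wbF8yYWtTVlI3Ykg3VSIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2ZpbmFsaXplLzgwMTYyNDI3Mi8xNDI5NjUzMjY2NTcifQ","payload":"[payload omitted]","signature":"[redacted]"}
"""


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding JWS (and therefore ACME) uses."""
    data = data.strip()
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def parse_protected_header(jws_json: str) -> dict:
    """Return the decoded JWS protected header of a JSON-serialised JWS."""
    jws = json.loads(jws_json)
    return json.loads(b64url_decode(jws["protected"]))


def check_finalize_request(log_text: str) -> dict:
    """Compare the finalize POST's protected header with the RFC 8555 §6.2
    rules and with the nonce and request URL visible elsewhere in the log."""
    nonces = re.findall(r"Replay-Nonce:\s*(\S+)", log_text)
    uri = re.search(r"Method: POST, RequestUri: '([^']*finalize[^']*)'", log_text)
    body = re.search(r'\[DBG\] (\{"protected":.*\})', log_text)
    if not (nonces and uri and body):
        raise ValueError("log excerpt lacks a Replay-Nonce, finalize request or JWS body")

    hdr = parse_protected_header(body.group(1))
    alg = str(hdr.get("alg", ""))
    return {
        "alg": hdr.get("alg"),
        # §6.2: "none" and MAC-based algorithms must be rejected by the server.
        "alg_allowed": alg not in ("", "none") and not alg.startswith("HS"),
        # §6.2: exactly one of "kid" (existing account) or "jwk" (newAccount).
        "has_kid_or_jwk": ("kid" in hdr) != ("jwk" in hdr),
        # The nonce must be the freshest one the server handed out.
        "nonce_is_latest": hdr.get("nonce") == nonces[-1],
        # The "url" header must match the URL the request was sent to.
        "url_matches_request": hdr.get("url") == uri.group(1),
        "kid": hdr.get("kid"),
    }


if __name__ == "__main__":
    for name, value in check_finalize_request(LOG_EXCERPT).items():
        print(f"{name}: {value}")
```

Run against the excerpt, every check comes back true: the header uses ES256 with the account `kid`, the nonce is the one returned on the preceding order status response, and `url` is the finalize URL from the request line. The same function can be pointed at a longer log capture; it always compares against the last `Replay-Nonce` seen before the finalize body, so keep the excerpt in chronological order.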