Could not obtain directory: cURL error 28: SSL connection timeout

Could you please check if our IP 182.18.131.60 is blocked?

My domain is: aramanagementsolutions.com

I ran this command: curl -vvv https://acme-v02.api.letsencrypt.org/directory

It produced this output:
ubuntusvr01:~# curl -vvv https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Latest Version

The server has access to the internet and is able to curl other sites hosted out there.

Hello @rmpqube, welcome to the Let's Encrypt community. :slightly_smiling_face:

Let’s Encrypt offers Domain Validation (DV) certificates; presently not IP Addresses.

This is a test from your server to Let's Encrypt.

Presently (thus I suggest waiting), using the online tool Let's Debug yields these results:
https://letsdebug.net/incv-phstpsk01.ltshost.com/1960382

1 Like

But I have filled out the questionnaire in the original post! Not sure what I am missing!

The test I ran says we are not able to connect to Let's Encrypt as it is being reset by peer. Hence, we wanted to check if our IP Address is blocked or not for some reason.

Thank you for the Let's Debug result; does this usually go away and fix itself?

A blocked IP address is very rare. And, the error is usually different than "reset by peer". It has been so long since we have seen one that I don't remember exactly what it was, but it was something like "EOF". I do not think your IP is blocked.

Are you able to make other outbound requests? What do these show? You don't have to show every line. Just any error or the HTTP response code and any "server:" response header.

curl -I https://cloudflare.com
curl -I https://google.com

I would also be interested to see the result of the below.

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
3 Likes

That is the status of Let's Encrypt itself. And, yes, those go away by themselves. It is just a warning that certain problems may be caused by LE and not your system.

It is just a display from this page, which now shows all systems operational.

3 Likes

root@ubuntusvr01:~# traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 _gateway (10.1.20.1) 0.666 ms * *
2 static-43-254-43-129.ctrls.in (43.254.43.129) 1.297 ms 1.504 ms 1.863 ms
3 198.18.21.45 (198.18.21.45) 1.840 ms 198.18.21.49 (198.18.21.49) 1.705 ms 198.18.21.45 (198.18.21.45) 1.908 ms
4 198.18.21.53 (198.18.21.53) 1.890 ms 198.18.21.57 (198.18.21.57) 4.469 ms 198.18.21.53 (198.18.21.53) 2.627 ms
5 198.18.23.165 (198.18.23.165) 2.612 ms 2.650 ms 125.19.192.89 (125.19.192.89) 4.403 ms
6 116.119.61.204 (116.119.61.204) 116.093 ms 116.119.57.80 (116.119.57.80) 129.526 ms 125.19.192.89 (125.19.192.89) 4.689 ms
7 116.119.57.88 (116.119.57.88) 117.855 ms * *
8 162.158.20.240 (162.158.20.240) 145.714 ms * 162.158.20.18 (162.158.20.18) 154.740 ms
9 172.65.32.248 (172.65.32.248) 145.663 ms 162.158.20.31 (162.158.20.31) 145.643 ms 146.677 ms

Trace looks good, and curl to google and cloudflare is also good.

root@ubuntusvr01:~# curl -I https://google.com
HTTP/2 301
server: gws

root@ubuntusvr01:~# curl -I https://cloudflare.com
HTTP/2 301
server: cloudflare

1 Like

Agreed. I reached out to staff and an insider group. Hopefully more info soon.

3 Likes

A couple of other things to see if you can connect to them:

curl https://dv.acme-v02.test-api.pki.goog/directory
curl https://acme-staging-v02.api.letsencrypt.org/directory
curl -I https://valid-isrgrootx1.letsencrypt.org/
curl -I https://valid-isrgrootx2.letsencrypt.org/
curl -I https://helloworld.letsencrypt.org/

I'm not really sure what to do with the outcome of those, one way or the other, but might be helpful for checking whether it's just the one specific part of Let's Encrypt's infrastructure or more than that.

4 Likes

Sorry @rmpqube, the C-n-P buffer didn't have in it what I thought it did. I've edited that post.

3 Likes

curl https://acme-staging-v02.api.letsencrypt.org/directory

I tried this and it also has the same issue; I will try the others when I have access.

This IP is not blocked.

3 Likes

When you have time to try again, please try this:

curl -vv http://acme-v02.api.letsencrypt.org:443/

That will send an HTTP request to the HTTPS port (credit to @jcjones for helping me figure out how to route an HTTP request into this).

If you get a 400 status code with this in it, <head><title>400 The plain HTTP request was sent to HTTPS port</title></head>, that would suggest to me there is something wrong with your server's OpenSSL implementation or configuration. If you get another dropped connection, you may need to contact Cloudflare (they could be rejecting your IP) or your ISP (potential networking issues) for further help.

5 Likes
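As an added illustration, not code from the thread, from Let's Encrypt or from any poster: a small shell helper that reads a `curl -v` transcript like the one in the first post and reports the last TLS handshake message seen before the connection was reset, and that interprets the plain-HTTP-on-port-443 probe from the post above in the way that post describes (a 400 "plain HTTP request was sent to HTTPS port" body means the request reached the server; a dropped connection points at the network path). The function names, the `probe` wrapper and the sample transcripts are constructed for this example and are modelled on, not copied from, the outputs in the thread; `curl -sS -v --max-time` are real curl options.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): place a "Connection reset by peer"
# at a TLS handshake stage, and interpret the plain-HTTP-to-port-443 probe.
set -u

# classify_handshake: reads curl -v output on stdin and prints
#   "<last handshake message seen>:<outcome>"
# outcome is one of: completed (TLS established), reset (connection reset
# before TLS completed), alert (TLS alert without a reset), unknown.
classify_handshake() {
    local line last_msg="none" outcome="unknown"
    while IFS= read -r line; do
        case "$line" in
            *"TLS handshake, "*)
                # e.g. "* TLSv1.3 (IN), TLS handshake, Server hello (2):"
                last_msg=${line##*"TLS handshake, "}
                last_msg=${last_msg%%" ("*}
                ;;
            *"Connection reset by peer"*)
                outcome="reset"
                ;;
            *"SSL connection using "*)
                outcome="completed"
                ;;
            *"TLS alert"*)
                # curl emits a decode_error alert after the reset; keep "reset".
                if [ "$outcome" = "unknown" ]; then outcome="alert"; fi
                ;;
        esac
    done
    printf '%s:%s\n' "$last_msg" "$outcome"
}

# classify_plain_http: reads the output of `curl -vv http://HOST:443/` on stdin.
# A 400 "plain HTTP request was sent to HTTPS port" body proves the request
# reached the server (so look at the local TLS stack); a reset or empty reply
# means something on the path dropped it before any server answered.
classify_plain_http() {
    local body
    body=$(cat)
    case "$body" in
        *"400 The plain HTTP request was sent to HTTPS port"*) echo "local-tls-stack" ;;
        *"Connection reset by peer"*|*"Empty reply from server"*) echo "network-path" ;;
        *) echo "inconclusive" ;;
    esac
}

# probe HOST: run both checks live against HOST (needs network access;
# hypothetical helper name, constructed for this example).
probe() {
    printf 'handshake: '
    curl -sS -v --max-time 15 -o /dev/null "https://$1/directory" 2>&1 | classify_handshake
    printf 'plain http on 443: '
    curl -sS -v --max-time 15 "http://$1:443/" 2>&1 | classify_plain_http
}

# Constructed sample transcripts (not captured from a real run).
SAMPLE_RESET=$(cat <<'EOF'
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, decode error (562):
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443
EOF
)
SAMPLE_OK=$(cat <<'EOF'
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
EOF
)
SAMPLE_PLAIN_400=$(cat <<'EOF'
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
> GET / HTTP/1.1
< HTTP/1.1 400 Bad Request
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
</html>
EOF
)

# Run live only when a host is given, e.g.:  ./tlsprobe.sh acme-v02.api.letsencrypt.org
if [ $# -gt 0 ]; then probe "$1"; fi
```

Piping the transcript from the first post through `classify_handshake` gives `Encrypted Extensions:reset`: the server's ServerHello and EncryptedExtensions arrived, so the reset came after the handshake had started, not at the first packet. That is consistent with the thread's later suspicion of something on the path inspecting the request rather than an IP block at Let's Encrypt.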

Given the IP is not blocked by Let's Encrypt there must be something else doing that.

I know the traceroute reached the LE API. But, could some other security device be inspecting outgoing requests for specific URLs?

I'm not sure what these might tell us in this case but can you show results of below. I am also curious to see results from Peter's list a few posts back. We really are just trying things hoping to see something unexpected. That might help identify what exactly is blocking your request.

Try using HTTP to that domain but forcing port 443
(update: @jvanasco beat me to this one :slight_smile: - we cross-posted )

curl -vv http://acme-v02.api.letsencrypt.org:443/

and using HTTPS but without the /directory URI

curl -vv https://acme-v02.api.letsencrypt.org
3 Likes

I think we ruled that out earlier when trying their domain in post #5.

3 Likes

It's working now! We did not make any changes and it started working on its own. :no_mouth: