Curl: (35) TCP connection reset by peer

Hi guys,

I've been struggling for a while and I'm not sure what I'm doing wrong.

Please assist; any help will be appreciated.

It seems to be only Cloudflare that fails; I've checked every possible firewall issue.

Our Plesk server is failing to issue certificates from these 2 IPs.

I get this error when testing with curl.

My IPv4 addresses are 41.87.196.29 and 102.130.80.29.

curl -v https://acme-v02.api.letsencrypt.org

* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

Many Thanks

J


Welcome @jandreolivier

Can you show the results of these:

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head

curl https://www.cloudflare.com/cdn-cgi/trace

curl https://google.com

Please show the route table:
netstat -nr


Here are the results, thank you.

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head

write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported

curl https://www.cloudflare.com/cdn-cgi/trace
curl: (35) TCP connection reset by peer

curl https://google.com

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask          Flags   MSS Window  irtt Iface
0.0.0.0         41.87.196.17    0.0.0.0          UG        0 0          0 eth0
41.87.196.16    0.0.0.0         255.255.255.240  U         0 0          0 eth0
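The openssl output above carries the useful detail: CONNECTED, 289 bytes written, then write:errno=104 (ECONNRESET). The TCP handshake succeeded and the reset came back only after the ClientHello left the box, which is a different failure from a port that is refused or silently dropped. The probe below, an added example that is not part of this thread or of any project's code, reports which of those stages a TLS connection reaches. The two local fixture servers (one that answers the ClientHello with an RST via SO_LINGER, one that answers with a plain HTTP response) are constructed for the offline demo; the hostname passed as SNI is only an assumption for illustration.

```python
"""Locate where a TLS connection dies: TCP handshake, right after the
ClientHello, or inside the TLS handshake itself.  Added example, not code from
the thread.  The fixture servers below are constructed for the offline demo."""
import errno
import socket
import ssl
import struct
import threading


def classify_tls_connect(host, port, server_name=None, timeout=3.0):
    """Try a TLS connection and return (stage, detail).

    stage is one of:
      tcp_refused               RST answered the SYN (closed port / reject rule)
      tcp_timeout               SYN never answered (drop rule / black-holed route)
      tcp_reset                 reset before any TLS bytes were sent
      reset_after_client_hello  TCP connected, RST came back to the ClientHello
      tls_error                 peer answered, but not with a valid TLS handshake
      tls_ok                    handshake completed; detail is version/cipher
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # this probe locates the failure stage only;
    ctx.verify_mode = ssl.CERT_NONE   # certificate validation is a separate check
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("tcp_refused", "RST in reply to SYN")
    except socket.timeout:
        return ("tcp_timeout", "no answer to SYN within %.1fs" % timeout)
    except ConnectionResetError as e:
        return ("tcp_reset", str(e))
    except OSError as e:
        return ("tcp_error", errno.errorcode.get(e.errno, str(e)))
    with raw:
        try:
            # wrap_socket() on an already-connected socket performs the handshake,
            # i.e. sends the ClientHello and waits for the ServerHello.
            tls = ctx.wrap_socket(raw, server_hostname=server_name or host)
        except ConnectionResetError:
            return ("reset_after_client_hello", "ECONNRESET after sending ClientHello")
        except ssl.SSLError as e:
            return ("tls_error", e.reason or str(e))
        except OSError as e:
            return ("tcp_error", errno.errorcode.get(e.errno, str(e)))
        with tls:
            return ("tls_ok", "%s/%s" % (tls.version(), tls.cipher()[0]))


def _serve_once(behaviour):
    """Constructed fixture: accept one loopback connection and misbehave on purpose."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(4096)  # wait for the client's ClientHello to arrive
        except OSError:
            pass
        if behaviour == "rst":
            # SO_LINGER with a zero timeout makes close() emit RST instead of FIN,
            # reproducing a middlebox that kills the flow on seeing TLS data.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        elif behaviour == "http":
            # A block page or proxy talking plain HTTP on port 443 shows up as a
            # TLS record error, not as a reset.
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Run the classifier against three constructed local cases; return {case: stage}."""
    sni = "acme-v02.api.letsencrypt.org"  # assumed SNI name for the demo only
    results = {}
    for behaviour in ("rst", "http"):
        port = _serve_once(behaviour)
        results[behaviour] = classify_tls_connect("127.0.0.1", port, server_name=sni)[0]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so the SYN is answered with RST
    results["refused"] = classify_tls_connect("127.0.0.1", closed_port)[0]
    return results


if __name__ == "__main__":
    import sys
    print("local fixtures:", demo())
    if len(sys.argv) > 1:  # e.g. python3 tls_stage.py acme-v02.api.letsencrypt.org
        print(sys.argv[1], classify_tls_connect(sys.argv[1], 443))
```

Run against the real host from the failing server and compare with the same probe from a host that works: a reset_after_client_hello result from one network and tls_ok from another points at the path (or the edge's view of the source IP), not at the certificate client, which is the conclusion the thread eventually reaches.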

Which IP was that from?

Do you get same results from both IP in post #1?

ADD:
And, given this:

What happens if you access https://www.cloudflare.com from a browser? Do you get any kind of Captcha page or something?


What shows?:
curl https://beer4.work/cipher.html


curl https://beer4.work/cipher.html
Cipher = TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384
IP address = 41.87.196.29
User Agent = "curl/7.29.0"

IP address = 41.87.196.29

I'm not getting a captcha from my PC; however, it's not on the same network as the hosting server. I'm not sure how to check from the command line whether I get one on the remote server.

I was hoping you had a browser on the failing IP. At least some Cloudflare blocks will apparently show you a Captcha screen where you can prove you are a nice human and not a bad bot.

I understand if you don't have a browser on the server though.

The failing connect to Cloudflare likely means it is not a Let's Encrypt problem. Except of course that LE uses Cloudflare so you can't get to LE.

I'm not sure what to do. Hopefully another volunteer will. Maybe Rudy.


I'd guess it's just that the IP is blocked, or it previously did something to flag itself as a bot to Cloudflare. Just try a different CA (like ZeroSSL or BuyPass Go).


Thanks so much for all the advice and info. I'll try to SSH tunnel in and route myself through the server to see if I get a captcha.

Thanks guys


What does this show?

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org

and maybe compare to this

sudo traceroute -T -p 443 www.cloudflare.com

OK, after involving my upstream peering ISP, SSH tunnel proxying in and testing with a browser, it looks like the upstream vendor was having some routing issues. They changed the way it's routing and now it's resolved: all my certs updated and the connection reset is gone. Thank you again all for the quick help.

Cheers

J
