Curl: (35) Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443

naveedkumbhar · October 1, 2021, 10:42am

We are trying to install wildcard ssl but this error comes up

My domain is:
innercirclegamingclub.com
I ran this command:
curl -v https://acme-v02.api.letsencrypt.org/directory

It produced this output:

Trying 172.65.32.248...
TCP_NODELAY set
Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
Curl_http_done: called premature == 0
Closing connection 0
curl: (35) Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443

My web server is (include version):
apache
The operating system my web server runs on is (include version):
debian9
My hosting provider, if applicable, is:
vultr
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
not using

rg305 · October 1, 2021, 4:54pm

Hi @naveedkumbhar, welcome to the LE community forum

Please show the output of:
curl --version

and test to another site, like:
curl -v https://google.com/

ezekiel · October 1, 2021, 4:57pm

Is this happening consistently on every attempt? How long does the connection take before getting the error?

naveedkumbhar · October 1, 2021, 5:37pm

Thanks @rg305

the output of curl --version

curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2u zlib/1.2.8 libidn2/2.2.0 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

out put of different site curl -v https://google.com/

*   Trying 172.217.175.46...
* TCP_NODELAY set
* Connected to google.com (172.217.175.46) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.google.com
*  start date: Sep 13 01:38:37 2021 GMT
*  expire date: Nov 20 01:38:36 2021 GMT
*  subjectAltName: host "google.com" matched cert's "google.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x556d7b79bed0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 301
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< date: Fri, 01 Oct 2021 17:36:54 GMT
< expires: Sun, 31 Oct 2021 17:36:54 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Curl_http_done: called premature == 0
* Connection #0 to host google.com left intact

jsha · October 1, 2021, 5:40pm

This may or may not be the source of your problem, but OpenSSL 1.0.2 is no longer supported. I would recommend before spending more time debugging this problem, update your operating system to get a newer version of OpenSSL (and many other packages).

naveedkumbhar · October 1, 2021, 5:56pm

this is happening whenever i try

system · October 31, 2021, 5:57pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.