Dehydrated: curl returned with 35

Good afternoon. I'm using dehydrated to generate certificates for the nginx web server. It stopped working a couple of months ago. What could be the reason?

I read this forum on this error, but I did not find the answer. I have already installed a new version of the Debian distribution.

Last ERROR:

 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 13 authorizations URLs from the CA
ERROR: Problem connecting to server (post for https://acme-v02.api.letsencrypt.org/acme/authz-v3/93657290720; curl returned with 35)
EXPECTED value GOT EOF

ipv4: 92.53.119.139
ipv6: 2a03:6f00:4::5c35:778b

curl -V
curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1n zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
Release-Date: 2020-12-09
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Feb 25 15:51:40 2022 GMT
*  expire date: May 26 15:51:39 2022 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ce0b4505c0)
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx
< date: Sun, 03 Apr 2022 08:30:19 GMT
< content-type: application/json
< content-length: 658
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
  "ib9TT_EQIHc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
}
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
DONE 
cat /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
-----BEGIN CERTIFICATE-----
(base64 body omitted)
-----END CERTIFICATE-----
ping acme-v02.api.letsencrypt.org
PING acme-v02.api.letsencrypt.org(2606:4700:60:0:f53d:5624:85c7:3a2c (2606:4700:60:0:f53d:5624:85c7:3a2c)) 56 data bytes
64 bytes from 2606:4700:60:0:f53d:5624:85c7:3a2c (2606:4700:60:0:f53d:5624:85c7:3a2c): icmp_seq=1 ttl=58 time=36.6 ms
64 bytes from 2606:4700:60:0:f53d:5624:85c7:3a2c (2606:4700:60:0:f53d:5624:85c7:3a2c): icmp_seq=2 ttl=58 time=36.1 ms
64 bytes from 2606:4700:60:0:f53d:5624:85c7:3a2c (2606:4700:60:0:f53d:5624:85c7:3a2c): icmp_seq=3 ttl=58 time=36.1 ms
64 bytes from 2606:4700:60:0:f53d:5624:85c7:3a2c (2606:4700:60:0:f53d:5624:85c7:3a2c): icmp_seq=4 ttl=58 time=36.2 ms
^C
--- acme-v02.api.letsencrypt.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 36.087/36.266/36.626/0.215 ms
traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  5.23.48.1 (5.23.48.1)  12.349 ms  12.375 ms  12.360 ms
 2  spb-sel-cr2.ae61-1244.rascom.as20764.net (81.27.252.93)  0.981 ms ae3-203.RT.SL.SPB.RU.retn.net (87.245.228.196)  0.911 ms *
 3  * ae2-7.RT1.M9.MSK.RU.retn.net (87.245.233.91)  13.345 ms *
 4  * 80.64.108.35.rascom.as20764.net (80.64.108.35)  12.039 ms *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

CURLE_SSL_CONNECT_ERROR (35)

A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others. libcurl - Error Codes

Well, curl can connect...

Dehydrated can as well... does this always happen? (And does dehydrated have a verbose mode?)


As far as I understand, there is no detailed output.

First run:

 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
ERROR: Problem connecting to server (post for https://acme-v02.api.letsencrypt.org/acme/new-order; curl returned with 35)

Second run:

 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
ERROR: Problem connecting to server (head for https://acme-v02.api.letsencrypt.org/acme/new-nonce; curl returned with 35)
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/order/477993930/76947189020 (Status 400)

Details:
HTTP/2 400
server: nginx
date: Sun, 03 Apr 2022 10:06:49 GMT
content-type: application/problem+json
content-length: 112
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0101gahxQ9kOZ0EDjRS3Vr3igfKqBo5roks6iU4iExsdwmM

{
  "type": "urn:ietf:params:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

EXPECTED value GOT EOF

Yeah, that's a lot more informative. Dehydrated is somehow messing up while making the request.

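The badNonce error above ("JWS has no anti-replay nonce") is the visible half of the failure: the HEAD to newNonce died in the TLS handshake (curl 35), and the following POST went out with no nonce at all. The block below is an added example, not dehydrated's code and not Boulder's; the server, the transport and the JWS are stand-ins (no signing, no HTTPS, failure indexes chosen by hand), but the protocol rule it demonstrates is RFC 8555's: every POST carries a single-use nonce obtained from newNonce, every response (errors included) carries a fresh Replay-Nonce header, and a client that gets badNonce or loses the connection retries with a fresh nonce instead of sending an empty one.

```python
"""Simulated ACME POST with nonce handling over an intermittently failing path.

Added example. FakeAcmeServer, FlakyTransport and make_jws are stand-ins for
the CA, libcurl and a real signed JWS; the nonce rules follow RFC 8555 section 6.5.
"""


class TransportError(Exception):
    """Stand-in for a failed TLS handshake (what curl reports as exit code 35)."""


class FakeAcmeServer:
    """Minimal CA stand-in: issues single-use nonces and checks them on every POST."""

    def __init__(self):
        self._counter = 0
        self._valid = set()

    def new_nonce(self):
        self._counter += 1
        nonce = f"nonce-{self._counter:04d}"
        self._valid.add(nonce)
        return nonce

    def post(self, url, jws):
        # Every response, success or error, carries a fresh Replay-Nonce.
        nonce = jws["protected"].get("nonce")
        headers = {"Replay-Nonce": self.new_nonce()}
        if not nonce or nonce not in self._valid:
            detail = ("JWS has no anti-replay nonce" if not nonce
                      else "JWS has an invalid anti-replay nonce")
            return 400, headers, {"type": "urn:ietf:params:acme:error:badNonce",
                                  "detail": detail, "status": 400}
        self._valid.discard(nonce)  # a nonce is good for exactly one request
        return 201, headers, {"status": "pending", "url": url}


class FlakyTransport:
    """Drops the requests whose 0-based call index is in `failures` (constructed schedule)."""

    def __init__(self, server, failures=()):
        self.server = server
        self.failures = set(failures)
        self.calls = 0

    def _maybe_fail(self):
        idx, self.calls = self.calls, self.calls + 1
        if idx in self.failures:
            raise TransportError("curl returned with 35")

    def head_new_nonce(self):
        self._maybe_fail()
        return self.server.new_nonce()

    def post(self, url, jws):
        self._maybe_fail()
        return self.server.post(url, jws)


def make_jws(url, nonce, payload):
    """Unsigned stand-in for a JWS; a real client signs protected+payload with the account key."""
    return {"protected": {"alg": "ES256", "nonce": nonce, "url": url}, "payload": payload}


def naive_post(transport, url, payload):
    """The failure mode the thread's output shows: HEAD newNonce fails, the client
    carries on with an empty nonce, and the CA answers 400 badNonce."""
    try:
        nonce = transport.head_new_nonce()
    except TransportError:
        nonce = ""
    status, _headers, body = transport.post(url, make_jws(url, nonce, payload))
    return status, body


class RetryingClient:
    """Never sends without a nonce; retries transport failures and badNonce with a fresh one."""

    MAX_ATTEMPTS = 5

    def __init__(self, transport):
        self.transport = transport
        self.nonce = None  # most recent Replay-Nonce, if we have one

    def _fresh_nonce(self):
        for _ in range(self.MAX_ATTEMPTS):
            try:
                return self.transport.head_new_nonce()
            except TransportError:
                continue
        raise RuntimeError("could not obtain a nonce from newNonce")

    def post(self, url, payload):
        for _ in range(self.MAX_ATTEMPTS):
            nonce = self.nonce or self._fresh_nonce()
            self.nonce = None  # consumed by this attempt, whatever happens
            try:
                status, headers, body = self.transport.post(url, make_jws(url, nonce, payload))
            except TransportError:
                continue  # unknown whether the CA saw it; next attempt fetches a new nonce
            self.nonce = headers.get("Replay-Nonce")
            if status == 400 and body.get("type") == "urn:ietf:params:acme:error:badNonce":
                continue  # RFC 8555 6.5: retry using the Replay-Nonce from the error response
            return status, body
        raise RuntimeError(f"giving up on {url} after {self.MAX_ATTEMPTS} attempts")


if __name__ == "__main__":
    order_url = "https://acme-v02.api.letsencrypt.org/acme/new-order"
    print("naive:", naive_post(FlakyTransport(FakeAcmeServer(), failures={0}), order_url, {}))
    client = RetryingClient(FlakyTransport(FakeAcmeServer(), failures={0, 2}))
    print("retrying:", client.post(order_url, {}))
```

With the first request dropped, `naive_post` reproduces the 400 with "JWS has no anti-replay nonce"; `RetryingClient` on a path that drops the first and third request still lands a 201 on its second attempt. The one thing a real client must add is signing: the retry has to re-sign, since the nonce lives in the protected header.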

It's interesting now. I ran it three times in a row.

First

fury:/opt/dehydrated# su _dehydrated -c '/opt/dehydrated/dehydrated --cron' -s /bin/bash
# INFO: Using main config file /opt/dehydrated/config
Processing filiri.ru
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
ERROR: Problem connecting to server (post for https://acme-v02.api.letsencrypt.org/acme/new-order; curl returned with 35)
fury:/opt/dehydrated#
fury:/opt/dehydrated#
fury:/opt/dehydrated# su _dehydrated -c '/opt/dehydrated/dehydrated --cron' -s /bin/bash
# INFO: Using main config file /opt/dehydrated/config
Processing filiri.ru
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for filiri.ru
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for filiri.ru authorization...
ERROR: Problem connecting to server (post for https://acme-v02.api.letsencrypt.org/acme/chall-v3/93673168460/h73L3A; curl returned with 35)
EXPECTED value GOT EOF

Second

fury:/opt/dehydrated# su _dehydrated -c '/opt/dehydrated/dehydrated --cron' -s /bin/bash
# INFO: Using main config file /opt/dehydrated/config
Processing filiri.ru
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
ERROR: Problem connecting to server (head for https://acme-v02.api.letsencrypt.org/acme/new-nonce; curl returned with 35)
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)

Details:
HTTP/2 400
server: nginx
date: Sun, 03 Apr 2022 10:39:49 GMT
content-type: application/problem+json
content-length: 112
boulder-requester: 477993930
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0002QiY_o8Fm5z-rnuUcdylBoma7ojQm0coKD05EHNWQfuA

{
  "type": "urn:ietf:params:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

Third

fury:/opt/dehydrated# su _dehydrated -c '/opt/dehydrated/dehydrated --cron' -s /bin/bash
# INFO: Using main config file /opt/dehydrated/config
Processing filiri.ru
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for filiri.ru
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for filiri.ru authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

Is it dehydrated, or is it the network between you and Let's Encrypt?

Might be both.

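The way to answer "client or path" is to take dehydrated out of the picture and repeat the bare TLS handshake many times, per address family: the curl and ping output above went over IPv6, while traceroute was resolving to IPv4, so a failure that shows up on only one family is a routing clue. The block below is an added diagnostic, not from the thread or from dehydrated; `ACME_HOST` is the endpoint the thread uses, the attempt counts and pause are arbitrary, and the connector is injectable so the tally logic can be exercised with a constructed failure sequence instead of a live network.

```python
"""Repeated TLS handshake probe, tallied per address family (added diagnostic).

Assumptions: ACME_HOST/443 is the target; probe() accepts any connect() callable
so it can be driven by a fake connector as well as tls_handshake().
"""
import socket
import ssl
import time
from collections import Counter

ACME_HOST = "acme-v02.api.letsencrypt.org"


def tls_handshake(host=ACME_HOST, port=443, family=socket.AF_UNSPEC, timeout=10.0):
    """One TCP connect plus TLS handshake with default verification.
    Returns (ok, detail); detail names the address and either the negotiated
    protocol/cipher or the exception, which is what curl 35 hides."""
    ctx = ssl.create_default_context()
    try:
        addrs = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"resolve: {exc}"
    last = None
    for af, socktype, proto, _canon, addr in addrs:
        try:
            with socket.socket(af, socktype, proto) as raw:
                raw.settimeout(timeout)
                raw.connect(addr)
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return True, f"{addr[0]} {tls.version()} {tls.cipher()[0]}"
        except (OSError, ssl.SSLError) as exc:
            last = f"{addr[0]} {type(exc).__name__}: {exc}"
    return False, last or "no addresses"


def probe(connect, attempts=20, pause=0.5):
    """Call connect() repeatedly and tally outcomes, so an intermittent failure
    shows up as a rate plus the list of which attempts failed and why."""
    tally = Counter()
    failures = []
    for i in range(attempts):
        ok, detail = connect()
        tally["ok" if ok else "fail"] += 1
        if not ok:
            failures.append((i, detail))
        if pause and i + 1 < attempts:
            time.sleep(pause)
    return {"attempts": attempts, "ok": tally["ok"], "fail": tally["fail"],
            "fail_rate": tally["fail"] / attempts, "failures": failures}


def classify(report):
    """Coarse reading of a probe report: stable, down, or intermittent."""
    if report["fail"] == 0:
        return "stable"
    if report["ok"] == 0:
        return "down"
    return "intermittent"


if __name__ == "__main__":
    for name, fam in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        report = probe(lambda: tls_handshake(family=fam), attempts=10)
        print(f"{name}: {classify(report)} ({report['fail']}/{report['attempts']} failed)")
        for idx, detail in report["failures"]:
            print(f"  attempt {idx}: {detail}")
```

If one family reads "intermittent" and the other "stable", force the working one for the renewal (curl's `-4`/`-6`, or in dehydrated's config the `IP_VERSION` setting) and take the failing path to the provider with the attempt log. The probe only talks TLS to a public CA endpoint, so it is safe to run from the affected VPS as often as needed.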

I did not understand the question.

I was thinking aloud.


If I understand the point correctly, you mean that the problem is in the network between my VPS and Let's Encrypt. This is possible, because the behavior of the script is very strange. At the same time, I found on this forum that in January or March (I don't remember anymore) there was a problem between the data centers in St. Petersburg and Let's Encrypt, but it says that it was solved.

Here is another example of several runs:

fury:/opt/dehydrated# su _dehydrated -c '/opt/dehydrated/dehydrated --cron' -s /bin/bash
# INFO: Using main config file /opt/dehydrated/config
ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 35)
EXPECTED value GOT EOF
fury:/opt/dehydrated# su _dehydrated -c '/opt/dehydrated/dehydrated --cron' -s /bin/bash
# INFO: Using main config file /opt/dehydrated/config
Processing sochiwifi.ru
 + Creating new directory /opt/dehydrated/certs/sochiwifi.ru ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for sochiwifi.ru
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for sochiwifi.ru authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
ERROR: Problem connecting to server (post for https://acme-v02.api.letsencrypt.org/acme/cert/04afe9663e48c46c838b9acaa3a89b60d6b5; curl returned with 35)
fury:/opt/dehydrated# su _dehydrated -c '/opt/dehydrated/dehydrated --cron' -s /bin/bash
# INFO: Using main config file /opt/dehydrated/config
ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 35)
EXPECTED value GOT EOF
fury:/opt/dehydrated# su _dehydrated -c '/opt/dehydrated/dehydrated --cron' -s /bin/bash
# INFO: Using main config file /opt/dehydrated/config
Processing sochiwifi.ru
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
ERROR: Problem connecting to server (post for https://acme-v02.api.letsencrypt.org/acme/new-order; curl returned with 35)
fury:/opt/dehydrated# su _dehydrated -c '/opt/dehydrated/dehydrated --cron' -s /bin/bash
# INFO: Using main config file /opt/dehydrated/config
Processing sochiwifi.ru
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
ERROR: Problem connecting to server (post for https://acme-v02.api.letsencrypt.org/acme/authz-v3/94367560490; curl returned with 35)
EXPECTED value GOT EOF

Do you think Roskomnadzor is getting in the way?

Or maybe some BGP route wasn't properly updated after one of the Russian depeerings?


I would lean more towards the second option. But it's strange that it works intermittently.

I'll write to my VPS provider; let's see what they say. If this is not Roskomnadzor, then they may be able to help.

As a result, my VPS provider's technical support did not help me. But from other sources I received information that there was a problem with the transport backbone providers, and around April 5 they fixed it. Since then everything has been working fine. The problem was not one month.

