After working on renewing certificates for a specific web server, I suspect I might have an IP block. I reviewed a similar issue discussed in the thread Can’t connect to acme-v02.api.letsencrypt.org but I’m not certain if this is the cause. I’m unable to access https://acme-v02.api.letsencrypt.org/directory using curl.
I ran this command:https://acme-v02.api.letsencrypt.org/directory
Trying 172.65.32.248...
TCP_NODELAY set
Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0 )
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
Curl_http_done: called premature == 1
Closing connection 0acme-v02.api.letsencrypt.org:443
1 Like
Welcome @kingsamadesu but an IP block is not likely as none are currently active. When these were done the symptom would have been different anyway.
That is an unusual error. Just to gather more info what do these show?
openssl version
openssl ciphers -V 'ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH'
4 Likes
HI there @MikeMcQ ,openssl ciphers.txt (8.8 KB)
1 Like
And, what does this show?
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | (head -15)
2 Likes
Here is the output of the command:
write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
What about these?
curl https://www.cloudflare.com/cdn-cgi/trace
curl https://google.com
And, what is the IP you are trying to connect from? Is there a public DNS entry that points to it? If so, what is that?
3 Likes
rg305
August 28, 2024, 11:17pm
8
1 Like
Isn't that for comms from LE Auth servers to their server? Rather than this failure from them to the LE API?
3 Likes
rg305
August 29, 2024, 1:00am
10
hmm...
1 Like
this'd be right one about bannding tls 1.1 on inbound
1 Like
kingsamadesu:
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
Yes, but it looks like they have TLS 1.2 - yes?
3 Likes
Here is the output (sorry for the late response):https://www.cloudflare.com/cdn-cgi/trace
fl=568f65
h=www.cloudflare.com
ip=102.222.176.6
ts=1724920979.987
visit_scheme=https
uag=curl/7.52.1
colo=MAD
sliver=none
http=http/1.1
loc=MA
tls=TLSv1.2
sni=plaintext
warp=off
gateway=off
rbi=off
kex=P-256
curl -v https://google.com
* Rebuilt URL to: https://google.com/
* Trying 142.250.201.78...
* TCP_NODELAY set
* Connected to google.com (142.250.201.78) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=*.google.com
* start date: Jul 30 12:32:53 2024 GMT
* expire date: Oct 22 12:32:52 2024 GMT
* subjectAltName: host "google.com" matched cert's "google.com"
* issuer: C=US; O=Google Trust Services; CN=WR2
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-VIQfS-NbyxE5Hbopv1FM9g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< Date: Thu, 29 Aug 2024 08:47:01 GMT
< Expires: Sat, 28 Sep 2024 08:47:01 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 220
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Curl_http_done: called premature == 0
* Connection #0 to host google.com left intact
1 Like
No worries. Very odd. Thanks for info.
We should check the routing. What does this show?
sudo traceroute -T -p443 acme-v02.api.letsencrypt.org
Also, connections to the public IP shown in the Cloudflare info use a self-signed cert with a name CCZ-GP-CA. Do you recognize that? Is that some kind of network routing or security device? Does it have logs that might have more details on the connection failure?
2 Likes
I think it might be useful to see output of this whole thing, without the pipe to head at the end.
2 Likes
system
September 28, 2024, 7:38pm
17
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.