Is our IP maybe banned?

Hello,

We are experiencing problems with renewing/getting new certificates.

My domain is: origin-www.epassport.gov.bd
IP: 103.179.140.20

I ran this command: curl -v -i https://acme-v02.api.letsencrypt.org/directory

It produced this output:

  • Trying 172.65.32.248...
  • Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
  • Closing connection 0
    curl: (35) Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443

The initial error is:
ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 35) EXPECTED value GOT EOF

We run the dehydrated script on an F5 BIG-IP; it had been running successfully since 2022 until 14.02.2025.

Thanks and BR!

1 Like

The initial error from 14.02.2025:

INFO: Using main config file /shared/letsencrypt/config

Processing origin-01.epassport.gov.bd with alternative names: origin-www.epassport.gov.bd

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Mar 13 16:47:11 2025 GMT (Less than 30 days). Renewing!
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...
  • Received 2 authorizations URLs from the CA
  • Handling authorization for origin-01.epassport.gov.bd
  • Handling authorization for origin-www.epassport.gov.bd
  • 2 pending challenge(s)
  • Deploying challenge tokens...
  • Responding to challenge for origin-01.epassport.gov.bd authorization...
    ERROR: Problem connecting to server (head for https://acme-v02.api.letsencrypt.org/acme/new-nonce; curl returned with 35)
    ERROR: Problem connecting to server (post for https://acme-v02.api.letsencrypt.org/acme/chall/305902250/475960504345/HHBsng; curl returned with 35) EXPECTED value GOT EOF

I changed the dehydrated script from v0.6.6 to v0.7.2.

Now the output is the following:

INFO: Using main config file /shared/letsencrypt/config

Processing origin-01.epassport.gov.bd with alternative names: origin-www.epassport.gov.bd

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Mar 13 16:47:11 2025 GMT (Less than 30 days). Renewing!
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...
    ERROR: Problem connecting to server (head for https://acme-v02.api.letsencrypt.org/acme/new-nonce; curl returned with 35)
    ERROR: Problem connecting to server (post for https://acme-v02.api.letsencrypt.org/acme/new-order; curl returned with 35)

curl --version

curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2z zlib/1.2.7 libidn/1.28 libssh2/1.8.0 nghttp2/1.31.1

1 Like

Last I heard there were no longer any IP blocks that would explain the curl 35 "EOF" error.

This is more likely a network routing issue near your facility or some new firewall setting.

Maybe one of these will show something to identify the problem. Please show output of these:

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org

curl https://www.cloudflare.com/cdn-cgi/trace

curl -I https://google.com
4 Likes

Hi Mike, thank you for your feedback. Please find output below:

traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1  103.179.140.1 (103.179.140.1)  0.528 ms  0.883 ms  0.445 ms
2  172.16.17.14 (172.16.17.14)  1.403 ms  1.392 ms  1.493 ms
3  123.49.8.41 (123.49.8.41)  1.511 ms  1.467 ms  2.372 ms
4  123.49.13.21 (123.49.13.21)  1.802 ms  1.759 ms  1.728 ms
5  180.211.200.3 (180.211.200.3)  2.345 ms  2.533 ms  1.712 ms
6  * * *
7  * * *
8  * * *
9  * * *
10  * * 172.65.32.248 (172.65.32.248)  1.588 ms
curl https://www.cloudflare.com/cdn-cgi/trace
fl=530f20
h=www.cloudflare.com
ip=103.179.140.17
ts=1741180635.919
visit_scheme=https
uag=curl/7.47.1
colo=DAC
sliver=none
http=http/2
loc=BD
tls=TLSv1.2
sni=plaintext
warp=off
gateway=off
rbi=off
kex=P-256
curl -I https://google.com
HTTP/2.0 301
location:https://www.google.com/
content-type:text/html; charset=UTF-8
content-security-policy-report-only:object-src 'none';base-uri 'self';script-src 'nonce-SbKe5S0lcUZhny1im9K3sw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
date:Wed, 05 Mar 2025 13:17:38 GMT
expires:Fri, 04 Apr 2025 13:17:38 GMT
cache-control:public, max-age=2592000
server:gws
content-length:220
x-xss-protection:0
x-frame-options:SAMEORIGIN
alt-svc:h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
1 Like
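A small parser for the two diagnostics Mike asked for, added here as an example (not code from the thread or from dehydrated). It reads the Cloudflare cdn-cgi/trace key=value output and the traceroute output, then flags what a network or firewall engineer would check first: an egress address that differs from the one you expect, hops that never answered, and a destination that answered only some probes. The sample inputs are copied from the outputs posted above; the expected IP passed in is the 103.179.140.20 from the opening post, while the trace reports ip=103.179.140.17, so the check surfaces that difference for whoever maintains the NAT or firewall policy.

```python
"""Parse the cdn-cgi/trace and traceroute outputs from the thread and
report the points worth a second look. Sample inputs are copied from
the posted outputs; the expected egress IP is the one the opening post lists."""
import re

# Copied from the posted `curl https://www.cloudflare.com/cdn-cgi/trace` output.
CDN_TRACE = """fl=530f20
h=www.cloudflare.com
ip=103.179.140.17
ts=1741180635.919
visit_scheme=https
uag=curl/7.47.1
colo=DAC
sliver=none
http=http/2
loc=BD
tls=TLSv1.2
sni=plaintext
warp=off
gateway=off
rbi=off
kex=P-256
"""

# Copied from the posted `traceroute -T -p 443 acme-v02.api.letsencrypt.org` output.
TRACEROUTE = """traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  103.179.140.1 (103.179.140.1)  0.528 ms  0.883 ms  0.445 ms
 2  172.16.17.14 (172.16.17.14)  1.403 ms  1.392 ms  1.493 ms
 3  123.49.8.41 (123.49.8.41)  1.511 ms  1.467 ms  2.372 ms
 4  123.49.13.21 (123.49.13.21)  1.802 ms  1.759 ms  1.728 ms
 5  180.211.200.3 (180.211.200.3)  2.345 ms  2.533 ms  1.712 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * 172.65.32.248 (172.65.32.248)  1.588 ms
"""


def parse_trace(text):
    """cdn-cgi/trace is one key=value pair per line; return it as a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def parse_traceroute(text):
    """Return a list of (hop_number, address_or_None, [rtts_in_ms]).

    The first line is the header; a hop that printed only '* * *' has no
    address and an empty RTT list."""
    hops = []
    for line in text.splitlines()[1:]:
        match = re.match(r"\s*(\d+)\s+(.*)", line)
        if not match:
            continue
        hop, rest = int(match.group(1)), match.group(2)
        addr = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", rest)
        rtts = [float(x) for x in re.findall(r"([\d.]+) ms", rest)]
        hops.append((hop, addr.group(1) if addr else None, rtts))
    return hops


def findings(trace_text, traceroute_text, expected_ip):
    """Return human-readable notes about the two outputs (empty list = nothing odd)."""
    trace = parse_trace(trace_text)
    hops = parse_traceroute(traceroute_text)
    notes = []
    seen_ip = trace.get("ip")
    if seen_ip != expected_ip:
        notes.append(f"egress IP seen by Cloudflare is {seen_ip}, expected {expected_ip}")
    silent = [hop for hop, addr, _ in hops if addr is None]
    if silent:
        notes.append(f"hops with no reply: {silent}")
    if hops and hops[-1][1] and len(hops[-1][2]) < 3:
        notes.append(f"destination {hops[-1][1]} answered only {len(hops[-1][2])} of 3 probes")
    return notes


if __name__ == "__main__":
    for note in findings(CDN_TRACE, TRACEROUTE, "103.179.140.20"):
        print("-", note)
```

Silent middle hops are common on TCP traceroutes and not a fault by themselves; the useful signal is the egress address, which is the one to look up in any allow or deny list on the path.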

Let's see literally everything:
curl --trace-config ssl --trace ssl.log https://acme-v02.api.letsencrypt.org/directory

And could you post the ssl.log file here after this?

2 Likes

@orangepizza --trace-config was new in curl 8.3. If they can't upgrade their curl, would this be enough for you?

curl --trace ssl.log https://acme-v02.api.letsencrypt.org/directory
3 Likes

It'd be more verbose, so it'd work.

2 Likes

Unfortunately, as Mike said, the --trace-config option is not available. Please find attached the ssl.log with just --trace.
ssl.log.txt (27.0 KB)

1 Like

Hmm. That ssl.log.txt looks like a successful connection. I am not an expert at those logs, so I'm not certain. But did curl report the error 35 for that test?

2 Likes

This was the output:

curl  --trace ssl.log https://acme-v02.api.letsencrypt.org/directory
{
  "6o-N7KUdRQ4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver (not yet generally available)"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"

Here is another test:

echo|openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:/CN=acme-v02.api.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R10
 1 s:/C=US/O=Let's Encrypt/CN=R10
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=acme-v02.api.letsencrypt.org
issuer=/C=US/O=Let's Encrypt/CN=R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3259 bytes and written 383 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B18F72580B14B242360E600C8BCE2A8E2FE613E006D7F73C22414620FE95267D
    Session-ID-ctx: 
    Master-Key: 252E7B4059E1DFA280A1EBDBD5E12C8157A931E70B61CAB5E2D786B31705899C3695022CC0A0E2E2E3763C7F8146106D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1741198515
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
1 Like

So it looks like you can connect successfully now? Maybe your upstream ISP just had an outage to connecting to parts of the Internet.

2 Likes

That openssl result is good. And, that curl with the log was successful too.

That is a big change from the curl you showed in first post.

Does dehydrated work now?

If nothing else we know for sure your IP is not banned because otherwise these latest tests would fail too.

2 Likes

Supplementally, there are some DNS issues here, several "Inconsistency between delegation and zone."
https://check-your-website.server-daten.de/?q=origin-www.epassport.gov.bd#comments

And a few issues here: origin-www.epassport.gov.bd | DNSViz

2 Likes

Maybe, but quite a coincidence if it starts working now after being out since Feb 14 :)

3 Likes

The DNSViz issues are definitely something to review. The Warnings on that page are a good place to start.

But I just want to clarify that this is a different issue, one that might affect inbound connections to that domain. The initial problem is one for an outbound connection to Let's Encrypt.

Perhaps this DNS problem was what started on Feb 14 and prevented cert renewal, and a different problem with outbound connections started more recently?

But you should for sure look at the DNSViz report, especially this:

  • gov.bd to epassport.gov.bd: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the gov.bd zone): a4-65.akam.net, a3-66.akam.net, a5-66.akam.net See RFC 1034, Sec. 4.2.2.
4 Likes
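The DNSViz warning quoted above is a delegation/zone mismatch: the parent zone (gov.bd) delegates to one set of name servers, the child zone (epassport.gov.bd) publishes another. The following is an added example, not code from the thread or from DNSViz, that performs that comparison on two NS sets and reports the difference in the same terms as the warning. The inputs are constructed: the three akam.net names are the ones DNSViz listed, while the delegation-side names are placeholders, since the thread does not show what the gov.bd zone actually delegates to. In practice the two sets come from querying the parent's name servers and the child's own name servers for the child's NS RRset; that lookup is left out here so the example runs offline.

```python
"""Compare the NS RRset a parent zone delegates with the NS RRset the child
zone itself publishes. RFC 1034, Sec. 4.2.2 expects them to agree.

Sample sets are constructed for this example: the akam.net names come from
the DNSViz warning quoted in the thread, the delegation-side names are
placeholders (the thread does not show the gov.bd delegation)."""


def normalize(names):
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def delegation_check(parent_ns, child_ns):
    """Return (only_in_child, only_in_parent), each sorted.

    only_in_child:  names in the authoritative NS RRset but not in the delegation
    only_in_parent: names in the delegation but not in the authoritative NS RRset"""
    parent, child = normalize(parent_ns), normalize(child_ns)
    return sorted(child - parent), sorted(parent - child)


def report(zone, parent_zone, parent_ns, child_ns):
    """Render the mismatch as DNSViz-style warning lines; one 'agree' line if clean."""
    only_child, only_parent = delegation_check(parent_ns, child_ns)
    lines = []
    if only_child:
        lines.append(
            f"{parent_zone} to {zone}: the following NS name(s) were found in the "
            f"authoritative NS RRset, but not in the delegation NS RRset "
            f"(i.e., in the {parent_zone} zone): {', '.join(only_child)}"
        )
    if only_parent:
        lines.append(
            f"{parent_zone} to {zone}: the following NS name(s) were found in the "
            f"delegation NS RRset, but not in the authoritative NS RRset: "
            f"{', '.join(only_parent)}"
        )
    if not lines:
        lines.append(f"{parent_zone} to {zone}: delegation and authoritative NS RRsets agree")
    return lines


# Constructed sample data (placeholder delegation names, akam.net names from the thread).
PARENT_DELEGATION = ["ns1.placeholder-delegation.invalid.", "NS2.placeholder-delegation.invalid."]
CHILD_AUTHORITATIVE = [
    "ns1.placeholder-delegation.invalid",
    "ns2.placeholder-delegation.invalid",
    "a4-65.akam.net",
    "a3-66.akam.net",
    "a5-66.akam.net",
]

if __name__ == "__main__":
    for line in report("epassport.gov.bd", "gov.bd", PARENT_DELEGATION, CHILD_AUTHORITATIVE):
        print(line)
```

Why it matters for certificate issuance: a validating resolver may follow either set of servers, so names present in only one of them make resolution of the domain depend on which path a resolver takes. Fixing that means making the parent delegation and the child's NS records identical, then re-checking with DNSViz.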

Using the online tool Let's Debug yields these results:

ERROR here https://letsdebug.net/origin-www.epassport.gov.bd/2383521?debug=y
OK here https://letsdebug.net/origin-www.epassport.gov.bd/2383527

1 Like

No, unfortunately it's still the same:

# INFO: Using main config file /shared/letsencrypt/config
ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 35) EXPECTED value GOT EOF

1 Like