Let's Encrypt Malfunctioning

For a week or two now, I have been getting the following error on servers I manage when renewing certificates: curl returned with 35. Right now, for example. Manually trying a few hours later will normally succeed.

Hi @staples1347, and welcome to the LE community forum :slight_smile:

What do these show?:
curl -I https://acme-v02.api.letsencrypt.org/directory
openssl s_client -connect acme-v02.api.letsencrypt.org:443 -showcerts

3 Likes

On the server where it is failing, "curl -I https://acme-v02.api.letsencrypt.org/directory" shows:

curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443

"openssl s_client -connect acme-v02.api.letsencrypt.org:443 -showcerts" shows:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 330 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Although a few minutes before it returned:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIFwjCCBKqgAwIBAgISBJz9MhmDxtcT/HyKX/GNSj8pMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA5MDUwNTA4MTdaFw0yMzEyMDQwNTA4MTZaMCcxJTAjBgNVBAMT
HGFjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDSwewhK7n44aX44hf+zkPGZOKRzUMDFYd2EXF4mlV4qDWt
GSOdaBQUuMvFgA/uyIZcV+dCxWweVBtKfpdM2R+FwBnMjzpawmUvQolK5CunfwI8
HL8mzJ5Y/YjnDohzokGY09WeDIHvHa10QqeF+J+0uuoIswoaJifXwKbT0Gx345zW
NVZevxDRGE1ASUeRgQHBmZ9uV7wn1tngszoMfaLPJ4kdGmhsKwDdkL2aXIleRfFU
2tKIyxFCzZIjQkSBSbc0izIdij/NSAY6VLY2itRr3UelaNZMM9Zt6ib86QVvHJus
8atvYAXziJMEUJbwYldQETYuLa2+X3NCjI00A66LAgMBAAGjggLbMIIC1zAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFJ1CEUYG98EFCmZrhh9b23M76OeJMB8GA1UdIwQY
MBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEF
BQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8v
cjMuaS5sZW5jci5vcmcvMIHjBgNVHREEgdswgdiCHmFjbWUtdjAyLTEuYXBpLmxl
dHNlbmNyeXB0Lm9yZ4IeYWNtZS12MDItMi5hcGkubGV0c2VuY3J5cHQub3Jngh5h
Y21lLXYwMi0zLmFwaS5sZXRzZW5jcnlwdC5vcmeCHmFjbWUtdjAyLTQuYXBpLmxl
dHNlbmNyeXB0Lm9yZ4IeYWNtZS12MDItNS5hcGkubGV0c2VuY3J5cHQub3Jnghxh
Y21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnghhpbmNpZGVudC5sZXRzZW5jcnlw
dC5vcmcwEwYDVR0gBAwwCjAIBgZngQwBAgEwggEEBgorBgEEAdZ5AgQCBIH1BIHy
APAAdQC3Pvsk35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYpj9LwRAAAE
AwBGMEQCIDCOcqJ9fABkYn/+UC5v0JCkUoL2wRr57nBk2xzs+rJRAiA6J2qOylpA
n4UhrcydzX1AiBRQWl4y4u0v8wO1LrW50AB3AOg+0No+9QY1MudXKLyJa8kD08vR
EWvs62nhd31tBr1uAAABimP0vBsAAAQDAEgwRgIhAISl9+b1VPLmVdmYgHUVylO6
N9jsgsswKWsFEkxj+fEdAiEAw8YT4DBf40sBJqKn0dw+9CT0aVzM3R8Lckod6oeB
nb0wDQYJKoZIhvcNAQELBQADggEBAH4omwov1V9Yrxwt8sWHI4klnTQfXqaO+O0o
ciAbUnJxxkF6eYnXPJ8go5DIuBBpl8M1NfgOfgnyUnqsx7phbYI3fI7jP3UaA73f
9dTP80yZYwUYaJ4inoaL84HA9aBplZHMOG4bShGtbfLhQ1+jrlA9MxzTCdJ2h7D6
S57WqrHrPCHA+iBUASOpqzM3aqYLaL0wEJTHNFjwEyw/kBV8/3h5SrXky76Xl3Y4
Q4gh2VtZE+1d2biZKTkN8DhsGWTLKGV6Wr3hghPSAyh+T7RvwoV3ZMOPuD9Uj1FY
EcNoRj2o4S1hF4JbUwI5cpF+d1fVczL6l/8nW/hfzONcO3Hf2d8=
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
[R3 intermediate certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = acme-v02.api.letsencrypt.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3349 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0C5C57FE0B99EE1A81D10297A67110AA9A17AAAFB7FE00FD9DE9D5200459C3FC
    Session-ID-ctx: 
    Resumption PSK: 8F5D9A790E82D88DE60A23B9F7A003AEEB5DD1DF1EA967D5EA9068330917B45D5E397343F2C0317BB02D610CC0AD058C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - cc bc 7e 57 bc eb 97 08-ec 1d c7 61 41 73 66 91   ..~W.......aAsf.
    0010 - 34 73 62 62 56 b1 3f 2b-b3 e8 fc 3a d1 73 cc 00   4sbbV.?+...:.s..

    Start Time: 1698647674
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 82B6A90BBF035F1587B2F684B6450DE8F37337D1F908D591DED149A1BBB2DC4C
    Session-ID-ctx: 
    Resumption PSK: 24CF2F3CBF9864E57502B427851F2BB211C1A21722C7B9CEAC10944CF58EF33BDDA21B3F7AADCCB0CC9B526357CBBD7E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 19 20 3a af 14 4d 24 53-33 2e 44 10 d5 ff 80 aa   . :..M$S3.D.....
    0010 - ab b8 3e 23 c8 52 9f 4e-cb 54 d0 f1 d8 05 48 5e   ..>#.R.N.T....H^

    Start Time: 1698647674
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

nslookup acme-v02.api.letsencrypt.org shows:

Non-authoritative answer:
acme-v02.api.letsencrypt.org    canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org        canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name:   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248

On another server using the same IP that works, I am getting with curl:

HTTP/2 200 
server: nginx
date: Mon, 30 Oct 2023 06:41:32 GMT
content-type: application/json
content-length: 752
cache-control: public, max-age=0, no-cache
replay-nonce: x2pLemUf4a3DeRffMx47vupPKdrIXogZqtW0Diikh5WgzLVNKno
x-frame-options: DENY
strict-transport-security: max-age=604800
1 Like
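The two `openssl s_client` transcripts above differ in a way that is easy to misread: the failed run still prints `Verify return code: 0 (ok)`, and the only real signals of the reset are `write:errno=104`, `Cipher is (NONE)` and `SSL handshake has read 0 bytes`. The following is an added example (not code from this thread or from Let's Encrypt) that parses transcripts of this shape into a verdict and tallies repeated probes, so an intermittent reset like the one reported here can be measured over hours instead of spotted by hand. The sample transcripts are abbreviated copies of the two outputs posted above; the curl exit-code table only lists codes curl itself documents.

```python
"""Triage `openssl s_client` transcripts and curl exit codes for an ACME probe.

Added example, not from the forum thread: separates a completed TLS 1.3
handshake from a TCP reset during the handshake (write:errno=104) and counts
verdicts across many probes.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Exit codes curl documents; 35 is the one the thread reports.
CURL_EXIT = {
    0: "ok",
    6: "could not resolve host",
    7: "failed to connect to host",
    28: "operation timed out",
    35: "SSL connect error (TLS handshake failed)",
    60: "peer certificate could not be verified",
}

_NEW = re.compile(r"^New, (\S+), Cipher is (\S+)")
_RW = re.compile(r"^SSL handshake has read (\d+) bytes and written (\d+) bytes")
_ERRNO = re.compile(r"^(?:write|read):errno=(\d+)")
_VERIFY = re.compile(r"^Verify return code: (\d+)")


@dataclass
class HandshakeProbe:
    connected: bool = False
    errno: Optional[int] = None
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    bytes_read: int = 0
    verify_code: Optional[int] = None

    @property
    def handshake_ok(self) -> bool:
        # A reset mid-handshake leaves "Cipher is (NONE)" and 0 bytes read
        # while "Verify return code: 0 (ok)" is still printed, so the verify
        # code alone must never be treated as success.
        return (self.connected and self.errno is None
                and self.cipher not in (None, "(NONE)") and self.bytes_read > 0)

    @property
    def verdict(self) -> str:
        if self.handshake_ok:
            return "ok"
        if self.errno == 104:          # ECONNRESET on Linux
            return "reset"
        if not self.connected:
            return "no-connect"
        return "other"


def parse_s_client(text: str) -> HandshakeProbe:
    """Extract connection, errno, negotiated cipher and byte counts."""
    p = HandshakeProbe()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CONNECTED("):
            p.connected = True
        elif (m := _ERRNO.match(line)):
            p.errno = int(m.group(1))
        elif (m := _NEW.match(line)):
            p.protocol, p.cipher = m.group(1), m.group(2)
        elif (m := _RW.match(line)):
            p.bytes_read = int(m.group(1))
        elif (m := _VERIFY.match(line)) and p.verify_code is None:
            # keep the first one; session-ticket blocks repeat the line
            p.verify_code = int(m.group(1))
    return p


def tally(transcripts: Iterable[str]) -> Dict[str, int]:
    """Count verdicts over many probe transcripts (e.g. one per cron run)."""
    counts: Dict[str, int] = {}
    for t in transcripts:
        v = parse_s_client(t).verdict
        counts[v] = counts.get(v, 0) + 1
    return counts


def describe_curl_exit(code: int) -> str:
    return CURL_EXIT.get(code, f"curl exit {code}")


# Constructed samples, abbreviated from the two outputs quoted in the thread.
RESET_TRANSCRIPT = """\
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 330 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""

OK_TRANSCRIPT = """\
CONNECTED(00000003)
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
---
SSL handshake has read 3349 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
---
Post-Handshake New Session Ticket arrived:
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, t in (("reset", RESET_TRANSCRIPT), ("ok", OK_TRANSCRIPT)):
        print(name, parse_s_client(t).verdict)
    print(tally([RESET_TRANSCRIPT, OK_TRANSCRIPT, RESET_TRANSCRIPT]))
    print(35, describe_curl_exit(35))
```

In practice you would feed `parse_s_client` the captured stdout of a scheduled `openssl s_client -connect acme-v02.api.letsencrypt.org:443 </dev/null 2>&1` run together with a timestamp and the resolved address, so a pattern such as "resets only from one connection, only at certain hours" becomes visible before a renewal is missed.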

And now, when running curl -I ... on the problem server, I am getting:
HTTP/2 200
server: nginx
date: Mon, 30 Oct 2023 06:44:47 GMT
content-type: application/json
content-length: 752
cache-control: public, max-age=0, no-cache
replay-nonce: drGA4aWAOgyLEoqwBvKffbFnXo2_CZY1Sbj3JncVR77Pa_AZVSw
x-frame-options: DENY
strict-transport-security: max-age=604800

And then running curl -I again failed.

I see 172.65.32.248 is an anycast IP, so here is a traceroute from the problem "client" server; its internet connection is located in Australia:
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 bng02.activ8me.net.au (203.213.240.3) 23.300 ms 23.397 ms 23.408 ms
2 116.250.254.182 (116.250.254.182) 24.309 ms 24.340 ms 24.429 ms
3 ig03.activ8me.net.au (116.250.255.68) 23.891 ms 24.275 ms 24.273 ms
4 ig04.activ8me.net.au (116.250.255.69) 24.387 ms 24.384 ms 24.379 ms
5 as4826.nsw.ix.asn.au (218.100.52.6) 24.815 ms 25.131 ms 25.147 ms
6 * * *
7 be2.bdr01.syd05.nsw.vocus.network (114.31.192.113) 24.702 ms * 24.457 ms
8 static-202.13.255.49.in-addr.VOCUS.net.au (49.255.13.202) 24.731 ms 24.727 ms 24.681 ms
9 108.162.250.5 (108.162.250.5) 24.264 ms 24.920 ms 24.829 ms
10 172.65.32.248 (172.65.32.248) 24.483 ms 24.971 ms 24.807 ms

1 Like

Also, this specific server has a static IP, so it shouldn't be getting blocked due to attacks from a shared IP or CGNAT.

I see fireflyoz is also having problems and Binary Lane is based in Australia. I've had this problem with 3 or 4 servers in Australia on various internet connections in the last 24 hours.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.