New "bad handshake" & similar errors

Hi, everyone,

As part of mitigating recent DDoS attacks, we've started to block certain abusive IP addresses at our API's upstream Content Delivery Network. If you're affected by this, your TCP connections to our API will open, then immediately close. This will usually look like a TLS handshake error. For example, from Certbot:

SSLError: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)

Other things could also cause this error, but if it just began recently, then we probably did block your IP address. This is especially likely if your connection to us passes through CGNAT, a VPN, or Tor. Feel free to tag @lestaff; we can check and remove the block for you. As our DDoS mitigation evolves, we will automatically remove blocks soon after an attack has subsided.

Thanks for your patience, everyone, and I'm sorry about the trouble. This is why the Internet can't have nice things.

14 Likes
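The symptom described above, a TCP connection that opens and is then closed before the TLS handshake completes, can be told apart from DNS failures, refused connections and genuine certificate problems with a small probe. This is an added example, not code from the post or from Let's Encrypt; it simulates the CDN-level block with a constructed local server that accepts each connection and closes it at once.

```python
import socket
import ssl
import threading


def classify_tls_connect(host: str, port: int, timeout: float = 5.0) -> str:
    """Probe host:port over TLS and name the failure mode.

    Returns one of: ok, dns_failure, connect_refused, timeout, other_error,
    tls_error (handshake ran but failed, e.g. an untrusted certificate), or
    handshake_eof (TCP accepted, then closed before the handshake finished,
    which is what the IP block looks like from the client side).
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns_failure"
    except ConnectionRefusedError:
        return "connect_refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "other_error"
    # TCP is up; from here on any failure belongs to the TLS layer.
    ctx = ssl.create_default_context()
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
        except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError):
            # Peer hung up mid-handshake; Certbot reports this as
            # "bad handshake: ... Unexpected EOF".
            return "handshake_eof"
        except ssl.SSLError:
            return "tls_error"


def start_accept_and_close_server() -> int:
    """Constructed stand-in for the block (not the real API): listen on
    127.0.0.1, accept every connection and close it immediately."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Running `classify_tls_connect("127.0.0.1", start_accept_and_close_server())` yields `handshake_eof`; pointing the probe at a real endpoint shows whether the failure is at the TCP, TLS or DNS layer before you ask for an IP to be unblocked.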

Was this intentionally posted in "Help"?

Anyway, DDoS against Let's Encrypt, a free non-profit service... Unbelievable.

7 Likes

Yes - this info will become stale fairly soon, which is why I didn't post it in Announcements.

6 Likes

Do you have updated information on how temporary this block is? There have already been a couple of posts here of people hitting this (see the threads linked at the bottom of the first post of this thread), and while I understand that a couple of people having a problem out of the bazillion certs successfully issued in that time is really an amazingly good track record, the error message if this block does get hit is pretty unintuitive. Is the plan to improve the error messaging (somehow?), or make this into a broader announcement (maybe adding something to some documentation about the symptoms of this block and how to request getting removed), or to remove this blocking entirely at some point in the near future? Or is it still too soon to know when this info "will become stale" and people should just continue to be referred to this thread as needed?

Thanks for helping the Internet have nice things. 🙂

4 Likes

The error message probably can't be improved, unfortunately, because of the way the blocking has to be implemented at the CDN level. But we plan to both remove the current blocks soon (~weeks) and improve documentation about symptoms in order to be ready for any future, similar blocking.

4 Likes
