Openssl connect error, write:error=104

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
groton.telvuera.com
I ran this command:
openssl s_client -connect acme-v02.api.letsencrypt.org:44
It produced this output:
CONNECTED(00000003)
write:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 295 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

My web server is (include version):
nginx/1.9.6
The operating system my web server runs on is (include version):
ubuntu 14.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
n/a

I am using the acme-client gem (2.0.1) for Ruby, and the system works at many sites; however, I have this one site that is getting the above-described error when trying to create an SSL connection. I found a couple of posts about it; the one that looked the most similar ended with, 'Well, it fails from one ISP but not from the other, so we're happy.'

I did Wireshark the transaction, and it appeared to me that the RST was coming from Let's Encrypt's side. The command continues to work from other sites. Wondering where I should look to resolve this.

Thanks in advance,
Dan

2 Likes

I'm getting the exact same error as you when using port 44. But when I use the correct port of 443, I can connect properly.

3 Likes

Ah, I don't know how cut and paste failed me there. I was using 443; that's a typo in the original post. Here's the command and output again:
root@aio-b2000-4:~# openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000003)
write:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 295 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

1 Like

Here's the Wireshark capture I took of the transaction. It looks like the terminal IP is the one sending the RST that's hanging up?

Looks like it, yes. Which is quite strange. That's just one of the CloudFlare frontends.

And it only disconnects after the ClientHello.

Funny thing is: CloudFlare does this with any random non-functional port (ports 80 and 443 work fine from my end):

I have absolutely no idea why CloudFlare does the same with you, but then on port 443 too. :face_with_raised_eyebrow:
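As an added example (not code from the thread or from the acme-client gem), here is a small Ruby probe that separates the stages the s_client output above runs through: TCP connect, ClientHello written, ServerHello read. An errno 104 (ECONNRESET) raised in the last stage is the "RST after ClientHello" pattern the capture shows, as opposed to a refused connect or a TLS alert. Host and port are taken from the command line; the names `probe_tls` and `tls_handshake` are mine.

```ruby
require 'socket'
require 'openssl'
require 'timeout'

# Stage 1: TCP connect. Returns a hash describing where the attempt stopped.
def probe_tls(host, port, timeout: 5)
  tcp = Timeout.timeout(timeout) { TCPSocket.new(host, port) }
  tls_handshake(tcp, host, timeout)
rescue SocketError => e
  { stage: :resolve, result: :error, detail: e.message }
rescue Errno::ECONNREFUSED
  { stage: :tcp_connect, result: :refused }
rescue Timeout::Error, Errno::ETIMEDOUT, Errno::EHOSTUNREACH, Errno::ENETUNREACH
  { stage: :tcp_connect, result: :unreachable }
end

# Stage 2/3: send the ClientHello (with SNI, like s_client -servername) and
# read the ServerHello. ECONNRESET here (errno=104 in the s_client output)
# means the peer or a middlebox reset the connection after seeing our
# ClientHello; a TLS alert or certificate failure surfaces as SSLError instead.
def tls_handshake(tcp, host, timeout)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER) # system trust store
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname = host
  Timeout.timeout(timeout) { ssl.connect }
  { stage: :tls_handshake, result: :ok,
    protocol: ssl.ssl_version, cipher: ssl.cipher.first }
rescue Errno::ECONNRESET, Errno::EPIPE
  { stage: :tls_handshake, result: :reset }
rescue EOFError, OpenSSL::SSL::SSLError => e
  # Peer closed cleanly (FIN) after the ClientHello, sent an alert, or failed verification
  { stage: :tls_handshake, result: :closed_or_alert, detail: e.message }
rescue Timeout::Error
  { stage: :tls_handshake, result: :timeout }
ensure
  ssl ? ssl.close : tcp.close
end

# Usage: ruby probe.rb acme-v02.api.letsencrypt.org 443
if $PROGRAM_NAME == __FILE__ && ARGV.length == 2
  p probe_tls(ARGV[0], Integer(ARGV[1]))
end
```

Run it from the host that fails and from one that works; a `:reset` on one and `:ok` on the other points at the path between that host and the frontend rather than at the client gem.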