Request to /directory fails once in a while

Hello all, first of all thank you for the years of service you've provided for us.

My problem is with a new VPS we just hired. It started with renewals which didn't happen automatically. After a bit of research, not only does the auto renewal fail, but doing a curl command to https://acme-v02.api.letsencrypt.org/directory fails on average 1 in 3 times. The output of the failed command is pasted below.

I've also tried it with http1.1 and tls-max 1.2 and 1.1. Same result: Once in a while the request fails with the same error (104).

Could it be we are blocked? Our IP is: 145.131.5.16

Any help is much appreciated, thanks!

My domain is:
not applicable

I ran this command:
curl -vvv https://acme-v02.api.letsencrypt.org/directory
It produced this output:

Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Oct 31 22:31:13 2022 GMT
*  expire date: Jan 29 22:31:12 2023 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x55e47127e5c0)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.61.1
> Accept: */*
>
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
* Failed receiving HTTP2 data
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* SSL_write() returned SYSCALL, errno = 32
* Failed sending HTTP2 data
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104

My web server is (include version):
not applicable

The operating system my web server runs on is (include version):
AlmaLinux release 8.6 (Sky Tiger)

My hosting provider, if applicable, is:
Argeweb (Yourhosting)

I can login to a root shell on my machine (yes or no, or I don't know):
Yes, sure.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
We are using directadmin, but I don't think it's applicable for this question

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
We are using DA built in client, but the version of DA is 1.645.

Welcome to the community @jarrin

If you were blocked no attempts would work.

Are you able to make consistent outbound connections to other URLs? Like:

curl -i https://cloudflare.com

Sorry, yes, forgot to mention that. Yes other sites work perfectly fine. Cloudflare, but also Google etc.

* Rebuilt URL to: https://cloudflare.com/
*   Trying 104.16.132.229...
* TCP_NODELAY set
* Connected to cloudflare.com (104.16.132.229) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare.com
*  start date: Dec 11 00:00:00 2022 GMT
*  expire date: Dec 11 23:59:59 2023 GMT
*  subjectAltName: host "cloudflare.com" matched cert's "cloudflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x561d1e6c95c0)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/2
> Host: cloudflare.com
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 301
< date: Tue, 27 Dec 2022 14:36:26 GMT
< location: https://www.cloudflare.com/
< cache-control: max-age=3600
< expires: Tue, 27 Dec 2022 15:36:26 GMT
< set-cookie: __cf_bm=9HtlZxFoUz12A6DeW4wnNuoruKMilXCvJqqQA5.7jqQ-1672151786-0-AaXcOBdO0h5EqTICPxtrCGS3G2pWWmI+19D6XRYPSlu3f7uAFolw6+raic6HZN0l3+JyTO+GRdtnwiYMyLp7XPQ=; path=/; expires=Tue, 27-Dec-22 15:06:26 GMT; domain=.cloudflare.com; HttpOnly; Secure; SameSite=None
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AAhHintseNl04KGRsGmqNWvH2OGlSeom08PQyJSYBoopNWKhex8YxnE4y0ypRCvC%2BiW5l9sOUpG3765Qthyo31Tpi5QAY8abffP%2F3Z6GQw9urpIz%2FN9JyPz0KyPuy79I"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15780000; includeSubDomains
< server: cloudflare
< cf-ray: 7802c9d94a8f9bd0-FRA
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
<
* Connection #0 to host cloudflare.com left intact

Just tried it 20+ times... Works fine.

And thanks for the welcome :slight_smile:


Faulty routing?
Try doing a traceroute and see how/where it differs when it fails to connect.


Thanks for the answer.

I'm not sure what you mean by doing a trace when it fails? How can I time this, because the error just shows once in a while. If you can elaborate I'll provide the output.

On another note, I've traced the error to the OpenSSL lib:

[root@....]# openssl s_client -connect acme-v02.api.letsencrypt.org:443 -debug
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = acme-v02.api.letsencrypt.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3406 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x55906d2b0720 [0x55906d2bde23] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
read:errno=104
write to 0x55906d2b0720 [0x55906d2c1f73] (24 bytes => -1 (0xFFFFFFFFFFFFFFFF))
read from 0x55906d2b0720 [0x55906d1eabd0] (8192 bytes => 0 (0x0))

Since there is no way to know when it fails, it is difficult to give advice on how to capture it exactly then.
If it does persist, OR if you run a script to do a test ping and when there is no reply..., it can do a traceroute and save that output to a file.
If left running long enough it should show where things went wrong.
IF this is indeed a routing issue - it may be something else.


The TLS handshake is fine, the problem appears to be that some network equipment between you and LE kills off the TCP connection with a TCP reset just after the handshake is complete. This may be a firewall, a faulty router or switch or something else that is interfering with the connection.

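The two suggestions above (save a traceroute whenever a probe fails, and check whether the reset arrives only after the TLS handshake) combined into one script, as an added example that is not part of the original thread. It assumes curl and the Linux `traceroute` are installed and that curl's verbose strings match the 7.61.1 output posted earlier; the function names, log directory and traceroute options are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the thread): probe the ACME directory repeatedly,
# work out how far each failed attempt got, and save a traceroute for it.

ACME_URL="https://acme-v02.api.letsencrypt.org/directory"  # URL from the thread
LOG_DIR="${LOG_DIR:-./acme-probe-logs}"                     # assumed log location

# Network calls live in two small functions so they can be replaced by stubs.
probe() { curl -sS -v -o /dev/null --max-time 15 "$1" 2>&1; }
trace() { traceroute -T -p 443 "$1" 2>&1; }   # TCP SYN probes; needs root

# classify_trace: read `curl -v` output on stdin and print the phase reached.
# errno 104 is ECONNRESET on Linux, i.e. the peer or a middlebox sent a RST.
classify_trace() {
    awk '
        /^\* Connected to /                     { connected = 1 }
        /SSL connection using /                 { tls = 1 }
        /^< HTTP\//                             { http = 1 }
        /errno 104|[Cc]onnection reset by peer/ { reset = 1 }
        END {
            if (http)              print "ok"
            else if (tls && reset) print "reset-after-handshake"
            else if (tls)          print "failed-after-handshake"
            else if (connected)    print "failed-during-handshake"
            else                   print "connect-failed"
        }'
}

# peer_ip: print the address curl actually connected to. The hostname can
# resolve to different front ends, so the traceroute targets this address.
peer_ip() {
    sed -n 's/^\* Connected to [^ ]* (\([^)]*\)) port .*/\1/p' | head -n 1
}

# Constructed sample: the failing curl output from the thread, trimmed to the
# lines the classifier looks at.
sample_reset_trace() {
    cat <<'EOF'
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
> GET /directory HTTP/2
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
EOF
}

# monitor COUNT INTERVAL: probe COUNT times, INTERVAL seconds apart. Every
# attempt that is not "ok" gets its curl trace and a traceroute written to
# LOG_DIR. Prints "failures/total" when done.
monitor() {
    count=$1
    interval=$2
    failures=0
    i=0
    mkdir -p "$LOG_DIR"
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        out=$(probe "$ACME_URL") || true
        phase=$(printf '%s\n' "$out" | classify_trace)
        if [ "$phase" != "ok" ]; then
            failures=$((failures + 1))
            ip=$(printf '%s\n' "$out" | peer_ip)
            stamp=$(date -u +%Y%m%dT%H%M%SZ)
            {
                echo "phase: $phase  peer: ${ip:-unknown}"
                printf '%s\n' "$out"
                if [ -n "$ip" ]; then
                    trace "$ip" || true
                fi
            } > "$LOG_DIR/$stamp-$i-$phase.log"
        fi
        if [ "$i" -lt "$count" ]; then
            sleep "$interval"
        fi
    done
    echo "$failures/$count"
}

# Nothing touches the network unless asked to:
#   sh acme-probe.sh run 100 30   -> 100 probes, 30 s apart
#   sh acme-probe.sh demo         -> classify the constructed sample
case "${1:-}" in
    run)  monitor "${2:-30}" "${3:-10}" ;;
    demo) sample_reset_trace | classify_trace ;;
esac
```

A run whose log files are all named `reset-after-handshake`, with traceroutes that stop at the same hop, is the kind of evidence that makes the conversation with the hosting provider easier.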

That's my thinking too. But I'd like to rule out a blacklist/blocking problem, can the staff confirm our IP isn't being blocked? (145.131.5.16). I agree that's probably not the case, but this makes the discussion with our ISP a bit easier.

At the moment I've got one case that fails consistently.

I'm using the letsencrypt.sh file which DirectAdmin provides:

./letsencrypt.sh renew st*chtingveteranenziekte.nl
2022/12/28 13:47:06 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": write tcp 145.131.5.16:46482->172.65.32.248:443: write: connection reset by peer
Certificate generation failed.

OR

 ./letsencrypt.sh renew st*chtingveteranenziekte.nl
2022/12/28 13:53:57 [INFO] [l*gionella-uitbraak.nl, l*gionellaforum.nl, l*gionellaziekte.com, l*gionellaziekte.nl, l*gionnairesdisease.nl, st*chtingveteranenziekte.nl, s*vz.nl, v*teranenziekte.com, v*teranenziekte.info, www.l*gionella-uitbraak.nl, www.l*gionellaforum.nl, www.l*gionellaziekte.com, www.l*gionellaziekte.nl, www.l*gionnairesdisease.nl, www.st*chtingveteranenziekte.nl, www.s*vz.nl, www.v*teranenziekte.com, www.v*teranenziekte.info] acme: Obtaining SAN certificate
2022/12/28 13:53:59 [INFO] [l*gionella-uitbraak.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505957
2022/12/28 13:53:59 [INFO] [l*gionellaforum.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505967
2022/12/28 13:53:59 [INFO] [l*gionellaziekte.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505977
2022/12/28 13:53:59 [INFO] [l*gionellaziekte.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505987
2022/12/28 13:53:59 [INFO] [l*gionnairesdisease.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505997
2022/12/28 13:53:59 [INFO] [st*chtingveteranenziekte.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506007
2022/12/28 13:53:59 [INFO] [st*z.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506017
2022/12/28 13:53:59 [INFO] [v*teranenziekte.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506027
2022/12/28 13:53:59 [INFO] [v*teranenziekte.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506037
2022/12/28 13:53:59 [INFO] [www.l*gionella-uitbraak.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506047
2022/12/28 13:53:59 [INFO] [www.l*gionellaforum.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506057
2022/12/28 13:53:59 [INFO] [www.l*gionellaziekte.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506067
2022/12/28 13:53:59 [INFO] [www.l*gionellaziekte.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506077
2022/12/28 13:53:59 [INFO] [www.l*gionnairesdisease.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506087
2022/12/28 13:53:59 [INFO] [www.st*chtingveteranenziekte.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506097
2022/12/28 13:53:59 [INFO] [www.s*vz.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506107
2022/12/28 13:53:59 [INFO] [www.v*teranenziekte.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506117
2022/12/28 13:53:59 [INFO] [www.v*teranenziekte.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506127
2022/12/28 13:53:59 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505957
2022/12/28 13:53:59 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505967
2022/12/28 13:53:59 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505977
2022/12/28 13:53:59 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505987
2022/12/28 13:53:59 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505997
2022/12/28 13:54:00 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506007
2022/12/28 13:54:00 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506017
2022/12/28 13:54:00 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506027
2022/12/28 13:54:00 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506037
2022/12/28 13:54:00 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506047
2022/12/28 13:54:00 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506057
2022/12/28 13:54:01 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506067
2022/12/28 13:54:01 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506077
2022/12/28 13:54:01 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506087
2022/12/28 13:54:01 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506097
2022/12/28 13:54:01 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506107
2022/12/28 13:54:01 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506117
2022/12/28 13:54:02 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506127
2022/12/28 13:54:02 Could not obtain certificates:
        error: one or more domains had a problem:
[] Post "https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506097": read tcp 145.131.5.16:58626->172.65.32.248:443: read: connection reset by peer

This script calls LEGO internally with the following output:

[root@srv02a scripts]# lego --path="/usr/local/directadmin/data/.lego" --dns.resolvers 8.8.8.8 --accept-tos -s https://acme-v02.api.letsencrypt.org/directory -m admin@ahv-id-28045.vps.awcloud.nl --key-type ec256 --http --http.webroot /var/www/html -d l*gionella-uitbraak.nl -d l*gionellaforum.nl -d l*gionellaziekte.com -d l*gionellaziekte.nl -d l*gionnairesdisease.nl -d st*chtingveteranenziekte.nl -d s*vz.nl -d v*teranenziekte.com -d v*teranenziekte.info -d www.l*gionella-uitbraak.nl -d www.l*gionellaforum.nl -d www.l*gionellaziekte.com -d www.l*gionellaziekte.nl -d www.l*gionnairesdisease.nl -d www.st*chtingveteranenziekte.nl -d www.s*vz.nl -d www.v*teranenziekte.com -d www.v*teranenziekte.info run --no-bundle --preferred-chain="ISRG Root X1"
2022/12/28 13:57:57 [INFO] [l*gionella-uitbraak.nl, l*gionellaforum.nl, l*gionellaziekte.com, l*gionellaziekte.nl, l*gionnairesdisease.nl, st*chtingveteranenziekte.nl, s*vz.nl, v*teranenziekte.com, v*teranenziekte.info, www.l*gionella-uitbraak.nl, www.l*gionellaforum.nl, www.l*gionellaziekte.com, www.l*gionellaziekte.nl, www.l*gionnairesdisease.nl, www.st*chtingveteranenziekte.nl, www.s*vz.nl, www.v*teranenziekte.com, www.v*teranenziekte.info] acme: Obtaining SAN certificate
2022/12/28 13:57:59 [INFO] [l*gionella-uitbraak.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505957
2022/12/28 13:57:59 [INFO] [l*gionellaforum.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505967
2022/12/28 13:57:59 [INFO] [l*gionellaziekte.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505977
2022/12/28 13:57:59 [INFO] [l*gionellaziekte.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505987
2022/12/28 13:57:59 [INFO] [l*gionnairesdisease.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369505997
2022/12/28 13:57:59 [INFO] [st*chtingveteranenziekte.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506007
2022/12/28 13:57:59 [INFO] [s*vz.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506017
2022/12/28 13:57:59 [INFO] [v*teranenziekte.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506027
2022/12/28 13:57:59 [INFO] [v*teranenziekte.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506037
2022/12/28 13:57:59 [INFO] [www.l*gionella-uitbraak.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506047
2022/12/28 13:57:59 [INFO] [www.l*gionellaforum.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506057
2022/12/28 13:57:59 [INFO] [www.l*gionellaziekte.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506067
2022/12/28 13:57:59 [INFO] [www.l*gionellaziekte.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506077
2022/12/28 13:57:59 [INFO] [www.l*gionnairesdisease.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506087
2022/12/28 13:57:59 [INFO] [www.st*chtingveteranenziekte.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506097
2022/12/28 13:57:59 [INFO] [www.s*vz.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506107
2022/12/28 13:57:59 [INFO] [www.v*teranenziekte.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506117
2022/12/28 13:57:59 [INFO] [www.v*teranenziekte.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/188369506127
2022/12/28 13:57:59 [INFO] [l*gionella-uitbraak.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [l*gionnairesdisease.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [l*gionellaforum.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [l*gionellaziekte.com] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [l*gionellaziekte.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [www.l*gionellaziekte.com] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [v*teranenziekte.com] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [s*vz.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [v*teranenziekte.info] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [www.l*gionellaziekte.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [st*chtingveteranenziekte.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [www.l*gionnairesdisease.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [www.l*gionellaforum.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [www.l*gionella-uitbraak.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [www.s*vz.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [www.v*teranenziekte.com] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [www.st*chtingveteranenziekte.nl] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [www.v*teranenziekte.info] acme: authorization already valid; skipping challenge
2022/12/28 13:57:59 [INFO] [l*gionella-uitbraak.nl, l*gionellaforum.nl, l*gionellaziekte.com, l*gionellaziekte.nl, l*gionnairesdisease.nl, st*chtingveteranenziekte.nl, s*vz.nl, v*teranenziekte.com, v*teranenziekte.info, www.l*gionella-uitbraak.nl, www.l*gionellaforum.nl, www.l*gionellaziekte.com, www.l*gionellaziekte.nl, www.l*gionnairesdisease.nl, www.st*chtingveteranenziekte.nl, www.s*vz.nl, www.v*teranenziekte.com, www.v*teranenziekte.info] acme: Validations succeeded; requesting certificates
2022/12/28 13:57:59 Could not obtain certificates:
        error: one or more domains had a problem:
[l*gionella-uitbraak.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[l*gionellaforum.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[l*gionellaziekte.com] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[l*gionellaziekte.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[l*gionnairesdisease.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[st*chtingveteranenziekte.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[s*vz.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[v*teranenziekte.com] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[v*teranenziekte.info] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[www.l*gionella-uitbraak.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[www.l*gionellaforum.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[www.l*gionellaziekte.com] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[www.l*gionellaziekte.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[www.l*gionnairesdisease.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[www.st*chtingveteranenziekte.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[www.s*vz.nl] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[www.v*teranenziekte.com] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer
[www.v*teranenziekte.info] Post "https://acme-v02.api.letsencrypt.org/acme/finalize/764760926/154149722237": read tcp 145.131.5.16:47684->172.65.32.248:443: read: connection reset by peer

DA/our VPS is being run on what I think is a Hyper-V platform. Are there any known issues with it?

Perhaps an MTU problem?

7 Likes

Your most recent example shows authz and finalize requests failing. There are several API requests that precede those. If you were blocked you could not possibly reach these stages. A block is always, not just sometimes.

Agree with Osiris you might have an MTU issue. Although, that wouldn't explain why your test curls for the /directory endpoint sometimes fail. I think what Rudy was suggesting earlier was to try traceroutes instead of curl to do tests. As you note, sometimes requests succeed so you should see a difference in traceroutes similar to the pattern you see with curl (you said like 1 in 3 fail). Something like this maybe:

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org

5 Likes

When finalizing, the CSR is sent to the ACME API. This increases the POST request tremendously compared to the other simple/short requests. This could lead to a packet size too big and trigger an MTU issue. I saw the request failed with the finalize step, so this led me to believe it could be MTU related.

The traceroute as you've recommended should work with the standard packet size, but fail when increasing the packet length. This can be done by putting an integer behind the host when using traceroute. And -F might be required to set the do not fragment bit. E.g.:

sudo traceroute -T -p 443 -F acme-v02.api.letsencrypt.org 1500

6 Likes
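
The packet-size sweep suggested in the posts above can be automated. This is an added example, not code from the thread: it binary-searches the largest packet that crosses the path with the don't-fragment bit set. It swaps the thread's `traceroute -T -F` for Linux iputils `ping -M do` because ping's exit status is easy to test (ICMP may be treated differently from TCP 443 on some paths); `probe_ping`, `find_path_mtu`, `mss_for_mtu`, the `PROBE` variable and the 576 to 1500 search range are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find the largest IPv4 packet that
# reaches a host without fragmentation, then derive the matching TCP MSS.

# Default probe: one ICMP echo with Don't Fragment set (Linux iputils ping).
# $1 = host, $2 = total IP packet size. 28 = 20 (IPv4 header) + 8 (ICMP header).
probe_ping() {
    ping -c 1 -W 2 -M do -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]
# Prints the largest packet size in [LOW, HIGH] for which the probe succeeds.
# Returns 1 if even LOW fails (host unreachable or probes filtered).
# Set PROBE to another function name to replace the ping-based probe.
find_path_mtu() {
    local host lo hi mid probe
    host="$1"
    lo="${2:-576}"
    hi="${3:-1500}"
    probe="${PROBE:-probe_ping}"

    "$probe" "$host" "$lo" || return 1

    # Invariant: a packet of size lo passes; nothing above hi is known to pass.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo="$mid"
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# mss_for_mtu MTU
# Largest TCP payload per segment over IPv4 without options: MTU - 20 - 20.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Usage on the affected host:
#   mtu=$(find_path_mtu acme-v02.api.letsencrypt.org) && mss_for_mtu "$mtu"
```

A result below 1500 while the interface MTU is 1500 means large segments, such as the finalize POST carrying the CSR, depend on path MTU discovery working in both directions.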

I agree but how would an MTU issue explain the problem with the curl described in the first post? It's possible there are two or more problems but Occam ...

FWIW, I tried using Max's MSS test site but couldn't find a page from that IP that was very large so inconclusive

5 Likes

I dunno :man_shrugging: Maybe curl does something funky when using HTTP/2.0, but I'm just guessing here :stuck_out_tongue:

6 Likes

MTU issues might be different for inbound vs. outbound traffic for the host, too.

5 Likes

Yeah, fair point. Just poking around. Hard to debug intermittent comms problems.

5 Likes
