Tor exit nodes blocked from accessing LE acmev2 api

Hello,

I'm trying to reissue certificates for my Tor exit nodes and can't because they're all blocked from accessing the acme-v02.api.letsencrypt.org URL.

This is a fairly recent change and there has not been any announcement about it. What's going on?

cURL via http:

/ user@server# curl -v acme-v02.api.letsencrypt.org 
* Rebuilt URL to: acme-v02.api.letsencrypt.org/
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 80 (#0)
> GET / HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

cURL via TLS:

/ user@server# curl -v https://acme-v02.api.letsencrypt.org:443
* Rebuilt URL to: https://acme-v02.api.letsencrypt.org:443/
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443 
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443 

OpenSSL:

/ user@server# openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 330 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Dig:

...

;acme-v02.api.letsencrypt.org.	IN	A

;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 6934 IN	CNAME	prod.api.letsencrypt.org.
prod.api.letsencrypt.org. 33	IN	CNAME	ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 33 IN A 172.65.32.248

...

This same behaviour can be observed on all nodes of my entire exit node family.

Please unblock exit nodes, or publish an elaborate announcement that you're officially locking them out.

Regards

2 Likes
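Added example, not code from the original post or from Let's Encrypt: a small Python probe that repeats the three checks shown above (resolve, TCP connect, then send the first bytes on port 80 and on port 443) and classifies the outcome. The point it makes explicit is the one the transcripts hint at: a reset after connect (errno 104, ECONNRESET) with zero bytes read on both the plaintext and the TLS port is a network-level block of the client, not a TLS or certificate problem, and openssl's trailing "Verify return code: 0 (ok)" means nothing when no certificate was ever received. The host name is the one from the post; the probe function itself needs network access, so the classifier is exercised below with constructed results that mirror the thread.

```python
"""Distinguish a network-level connection reset from DNS, TCP and TLS failures.

probe() performs the live checks (needs network); classify() is pure and is the
part worth asserting on.  Values fed to classify() below are constructed from
the curl/openssl output in the thread, not captured by this script."""
import errno
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    resolved: bool              # DNS returned at least one address
    tcp_connected: bool         # three-way handshake completed
    bytes_read: int             # bytes received from the peer before failure
    error_errno: Optional[int]  # OS errno if the socket failed, else None
    tls_established: bool       # TLS handshake finished and a peer cert was seen


def probe(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> ProbeResult:
    """Live probe mirroring the thread's steps: resolve, connect, first bytes."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return ProbeResult(False, False, 0, None, False)
    if not addrs:
        return ProbeResult(False, False, 0, None, False)
    family, _, _, _, sockaddr = addrs[0]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError as e:
        sock.close()
        return ProbeResult(True, False, 0, e.errno, False)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            # A reset during the Client Hello surfaces here as an OSError
            # (ConnectionResetError) with errno ECONNRESET, just like openssl's
            # "write:errno=104" in the thread.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ProbeResult(True, True, 1, None, tls.getpeercert() is not None)
        request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode())
        data = sock.recv(1)
        return ProbeResult(True, True, len(data), None, False)
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        return ProbeResult(True, True, 0, e.errno, False)
    finally:
        sock.close()


def classify(plain: ProbeResult, tls: ProbeResult) -> str:
    """Map a port-80 result and a port-443 result to a failure class.

    Deliberately ignores any 'verify ok' signal: with zero bytes read there was
    no certificate to verify, so only errno and byte counts are trusted."""
    if not plain.resolved or not tls.resolved:
        return "dns-failure"
    if not plain.tcp_connected and not tls.tcp_connected:
        return "tcp-unreachable"
    reset_errnos = {errno.ECONNRESET, errno.EPIPE}

    def reset_after_connect(r: ProbeResult) -> bool:
        return r.tcp_connected and r.bytes_read == 0 and r.error_errno in reset_errnos

    if reset_after_connect(plain) and reset_after_connect(tls):
        # Same reset before any TLS on port 80 and during Client Hello on 443:
        # the client address is being dropped by the network edge, not by TLS.
        return "reset-after-connect-both-ports"
    if tls.tcp_connected and not tls.tls_established:
        return "tls-handshake-failure"
    return "reachable"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "acme-v02.api.letsencrypt.org"
    print(classify(probe(target, 80, False), probe(target, 443, True)))
```

Running it against the host from the post with the thread's symptoms would print `reset-after-connect-both-ports`; a genuine certificate or handshake issue would instead show the plaintext probe succeeding and only the TLS probe failing, which is the distinction that tells you whether to look at the TLS configuration or at who is dropping the connection.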

It might be related to this.

6 Likes

Yes, this is likely. I’ll respond in DM.

4 Likes
