I'm trying to reissue certificates for my Tor exit nodes and can't because they're all blocked from accessing the acme-v02.api.letsencrypt.org URL.
This is a fairly recent change and there has not been any announcement about it. What's going on?
cURL via http:
/ user@server# curl -v acme-v02.api.letsencrypt.org
* Rebuilt URL to: acme-v02.api.letsencrypt.org/
* Trying 18.104.22.168...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (22.214.171.124) port 80 (#0)
> GET / HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.58.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
cURL via TLS:
/ user@server# curl -v https://acme-v02.api.letsencrypt.org:443
* Rebuilt URL to: https://acme-v02.api.letsencrypt.org:443/
* Trying 126.96.36.199...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (188.8.131.52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
/ user@server# openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 330 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
...
;acme-v02.api.letsencrypt.org. IN A
;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 6934 IN CNAME prod.api.letsencrypt.org.
prod.api.letsencrypt.org. 33 IN CNAME ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 33 IN A 184.108.40.206
...
This same behaviour can be observed on all nodes of my entire exit node family.
Please unblock exit nodes, or publish an elaborate announcement that you're officially locking them out.