Unable to renew certificate using dehydrated

My domain is: mail.ooo-ferrum.ru
I ran this command: dehydrated -c
It produced this output:
#INFO: Using main config file /etc/dehydrated/config
#INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 35)
EXPECTED value GOT EOF

My web server is (include version): nginx/1.27.0
The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009 (Core)
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not using certbot

After receiving this error I ran
curl -vv https://acme-v02.api.letsencrypt.org/directory

and it produced this output:

* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

I changed internet provider and it succeeded.
This is not a new installation; this configuration has worked fine for many years.
My IP address is 80.255.94.182.
Maybe you added my IP address to a blacklist, or do you have any other ideas?
Thanks for your advice.

1 Like

Hi! What's the output of traceroute -T -p 443 acme-v02.api.letsencrypt.org?

3 Likes

traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 gateway (192.168.51.1) 1.942 ms 1.915 ms 1.904 ms
2 192.168.51.254 (192.168.51.254) 0.139 ms 0.126 ms 0.129 ms
3 pool-80-255-94-181.is74.ru (80.255.94.181) 0.512 ms 0.487 ms 0.556 ms
4 * * *
5 * * *
6 * * *
7 31.173.147.13 (31.173.147.13) 3.588 ms 3.818 ms 3.810 ms
8 * * *
9 178.176.142.103 (178.176.142.103) 41.142 ms 40.705 ms 41.257 ms
10 172.65.32.248 (172.65.32.248) 40.112 ms 41.613 ms 41.502 ms

1 Like

Doesn't look like anything out of the ordinary. It could be a ban, but traffic from your server would have to have been substantial for that. I'll let other volunteers poke further or call for LE staff attention.

2 Likes

An IP block is unlikely as all were removed a couple weeks ago. They may be reinstated but I have not seen staff say any were.

Would you show output of these:

curl -I https://www.cloudflare.com
curl -i https://api.buypass.com/acme/directory

Also, can you explain more what you meant by:

3 Likes

My server has two internet connections from different providers.
If I use the main channel, dehydrated doesn't work and I receive the error, but if I use the backup channel everything works and I can renew the certificate. I'm not stupid: I called my main provider first, and they told me everything works fine and they have no block or other problems; by the way, "your TCP connection was reset by the remote side, it is not in our scope of responsibility". And so I am here :slight_smile:

curl -i https://api.buypass.com/acme/directory
curl: (7) Failed to connect to 2a03:522:1111:162::162: network unavailable

curl -I https://www.cloudflare.com
HTTP/1.1 200 OK
Date: Thu, 04 Jul 2024 03:34:15 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Cache-Control: public, max-age=0, must-revalidate
Strict-Transport-Security: max-age=31536000; includeSubDomains
Permissions-Policy: geolocation=(), camera=(), microphone=()
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-GWW-LOC: EN-US
X-PGS-LOC: EN-US
x-RM: GW
X-XSS-Protection: 1; mode=block
Set-Cookie: __cf_bm=54hFo7PlgIF1W3o0MV5PXF4pckk7BumJBVH0t_mui5c-1720064055-1.0.1.1-SEgJOaaV7BM7NSsnOl1TDyHKFWYESr5V6Kb0A5tN5oiFbQG88udWm.UNAe6K_2YV8jXFKSjf1BCP0xqpWJfia9DsOUyBCH7cDyLoB0PMqM8; path=/; expires=Thu, 04-Jul-24 04:04:15 GMT; domain=.www.cloudflare.com; HttpOnly; Secure; SameSite=None
Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=9G%2BtmNL%2Bke2Rr8pxZU6y1%2FQHqjZV5M7qDQOENDLn2Oq93j%2FkkFBZ3UX0Sd6D3dccKaaBvJB9%2BbGb9zWOwG5v%2FinRpeNuTDCPzAoEJNQGA8EOOwqSpYxPqzA5SQI3GhKuKlp3iQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89dc0efadfba8498-LED
alt-svc: h3=":443"; ma=86400

Both of those domain names have both IPv4 and IPv6 addresses.

Yet, your curl example to acme-v02 used an IPv4 address while your api.buypass test used IPv6 (and failed).

What does this do?

sudo traceroute -T -6 -p 443 acme-v02.api.letsencrypt.org

and this

curl -i6 https://acme-v02.api.letsencrypt.org/directory
3 Likes

traceroute -T -6 -p 443 acme-v02.api.letsencrypt.org
connect: network unavailable

curl -i6 https://acme-v02.api.letsencrypt.org/directory
curl: (7) Failed to connect to 2606:4700:60:0:f53d:5624:85c7:3a2c: network unavailable

because ipv6init=no is set in my network config

I tried running
curl -vv -i https://api.buypass.com/acme/directory

and got the same result
curl -vv -i https://api.buypass.com/acme/directory

* About to connect() to api.buypass.com port 443 (#0)
*   Trying 185.62.162.162...
* Connection timed out
*   Trying 2a03:522:1111:162::162...
* Failed to connect to 2a03:522:1111:162::162: network unavailable
* Failed connect to api.buypass.com:443; network unavailable
* Closing connection 0
curl: (7) Failed to connect to 2a03:522:1111:162::162: network unavailable

looks like the address is unavailable for me via ipv4 or ipv6

Your first curl to buypass only showed an IPv6 address. curl only tries IPv6 if it thinks it is available.

And, yes, the second try to buypass failed both.

I'm not sure how to help you. It seems like some odd routing problem using that network.

Maybe someone else here will suggest something.

2 Likes

What is the role of the site https://api.buypass.com/acme/directory?
It is not available from any internet provider that I have.
But the certificate is renewed normally using only the backup provider :frowning:

traceroute using IPv4 succeeds on both channels, main and backup.

Main channel
traceroute -T -4 -n -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 192.168.51.1 1.267 ms 1.243 ms 1.227 ms
2 192.168.51.254 0.098 ms 0.101 ms 0.081 ms
3 80.255.94.181 0.616 ms 0.606 ms 0.591 ms
4 * * *
5 * * *
6 31.173.147.13 3.320 ms 3.385 ms 3.395 ms
7 * * *
8 178.176.142.103 41.219 ms 40.726 ms 41.775 ms
9 172.65.32.248 42.009 ms 41.737 ms 41.101 ms

Backup channel
traceroute -T -4 -n -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 192.168.51.1 0.975 ms 0.939 ms 0.916 ms
2 192.168.51.254 0.185 ms 0.186 ms 0.176 ms
3 212.57.162.85 6.620 ms 7.664 ms 6.620 ms
4 * * 87.226.151.94 8.114 ms
5 * * *
6 95.71.2.226 32.152 ms 31.000 ms 30.592 ms
7 * 172.68.8.51 32.754 ms *
8 172.65.32.248 29.400 ms 30.231 ms 31.987 ms

BuyPass is another ACME Certificate Authority. I was checking your connection to it to see if you had problems just with Let's Encrypt or connecting to other similar services. And, your connection to it failed.

What do these show? These are 2 other Certificate Authorities

curl -i https://acme.zerossl.com/v2/DV90
curl -i https://dv.acme-v02.api.pki.goog/directory
2 Likes

curl -i https://acme.zerossl.com/v2/DV90

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 08 Jul 2024 03:26:30 GMT
Content-Type: application/json
Content-Length: 645
Connection: keep-alive
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=15724800; includeSubDomains

{
"newNonce": "https://acme.zerossl.com/v2/DV90/newNonce",
"newAccount": "https://acme.zerossl.com/v2/DV90/newAccount",
"newOrder": "https://acme.zerossl.com/v2/DV90/newOrder",
"revokeCert": "https://acme.zerossl.com/v2/DV90/revokeCert",
"keyChange": "https://acme.zerossl.com/v2/DV90/keyChange",
"meta": {
"termsOfService": "https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf",
"website": "https://zerossl.com",
"caaIdentities": ["sectigo.com", "trust-provider.com", "usertrust.com", "comodoca.com", "comodo.com"],
"externalAccountRequired": true
}

curl -i https://dv.acme-v02.api.pki.goog/directory

HTTP/1.1 200 OK
Replay-Nonce: AEkAAAAKRwoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhkKDAivu620BhDE6fDGAxDouvbk-v____8BAA-QCMTlPVHGnG9w1jMihG4e7URTfnkC4Q
Content-Type: application/json
Date: Mon, 08 Jul 2024 03:31:59 GMT
Server: scaffolding on HTTPServer2
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

{"newNonce":"https://dv.acme-v02.api.pki.goog/new-nonce","newAccount":"https://dv.acme-v02.api.pki.goog/new-account","newOrder":"https://dv.acme-v02.api.pki.goog/new-order","newAuthz":"https://dv.acme-v02.api.pki.goog/new-authz","revokeCert":"https://dv.acme-v02.api.pki.goog/revoke-cert","keyChange":"https://dv.acme-v02.api.pki.goog/key-change","renewalInfo":"https://dv.acme-v02.api.pki.goog/renewal-info","meta":{"termsOfService":"https://pki.goog/GTS-SA.pdf","website":"https://pki.goog","caaIdentities":["pki.goog"],"externalAccountRequired":true}}

All works fine

You should be able to get a cert from either of them then.

Are buypass and LE working now too?

curl -i https://api.buypass.com/acme/directory
curl -i https://acme-v02.api.letsencrypt.org/directory

Often with inconsistent network routing problems they resolve on their own after a short time. The network carriers eventually discover the problem on their own.

2 Likes

curl -v -i https://acme-v02.api.letsencrypt.org/directory

* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

available, error persists

curl -v -i https://api.buypass.com/acme/directory

* About to connect() to api.buypass.com port 443 (#0)
*   Trying 185.62.162.162...
* Connection timed out
*   Trying 2a03:522:1111:162::162...
* Failed to connect to 2a03:522:1111:162::162: Network unavailable
* Failed connect to api.buypass.com:443; Network unavailable
* Closing connection 0
curl: (7) Failed to connect to 2a03:522:1111:162::162: Network unavailable

not available

I think the error "NSS error -5961 (PR_CONNECT_RESET_ERROR)" is not related to routing; it is blocking on the LE side or poorly configured DPI along the traffic path. Or something like that :slight_smile:

Then why does the test to buypass also fail?

There is not anything more I can do. Perhaps another volunteer will have some suggestion.

1 Like

Maybe there is a routing problem here :slight_smile:

I'll try to wait, maybe everything will work without me. Thanks for the help.

But I’m open to new ideas, if someone comes up with something, don’t keep it to yourself, tell me :slight_smile:

1 Like
