Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
e6430-i5$ traceroute mercurycolleges.nsw.edu.au
traceroute to mercurycolleges.nsw.edu.au (91.239.243.28), 64 hops max, 40 byte packets
1 EdgeRouter-4 (192.168.1.1) 0.462 ms 0.336 ms 0.308 ms
2 96.120.60.137 (96.120.60.137) 8.797 ms 9.345 ms 8.651 ms
3 68.87.217.41 (68.87.217.41) 8.437 ms 9.335 ms 8.187 ms
4 96.216.60.245 (96.216.60.245) 10.088 ms 9.496 ms 11.888 ms
5 68.85.243.197 (68.85.243.197) 15.375 ms 18.127 ms 14.116 ms
6 be-36211-cs01.seattle.wa.ibone.comcast.net (68.86.93.49) 13.788 ms be-36231-cs03.seattle.wa.ibone.comcast.net (68.86.93.57) 13.703 ms be-36211-cs01.seattle.wa.ibone.comcast.net (68.86.93.49) 14.284 ms
7 be-2113-pe13.seattle.wa.ibone.comcast.net (96.110.44.82) 21.764 ms be-2313-pe13.seattle.wa.ibone.comcast.net (96.110.44.90) 13.738 ms be-2113-pe13.seattle.wa.ibone.comcast.net (96.110.44.82) 16.596 ms
8 ae-9.a02.sttlwa01.us.bb.gin.ntt.net (129.250.66.105) 20.331 ms 14.822 ms 13.863 ms
9 ae-2.r25.sttlwa01.us.bb.gin.ntt.net (129.250.2.94) 26.226 ms 14.493 ms 15.338 ms
10 ae-3.r25.snjsca04.us.bb.gin.ntt.net (129.250.3.124) 28.214 ms * *
11 ae-45.r01.snjsca04.us.bb.gin.ntt.net (129.250.3.175) 28.74 ms 27.395 ms 28.779 ms
12 ce-0-17-0-0.r01.snjsca04.us.ce.gin.ntt.net (128.242.179.34) 27.279 ms 31.255 ms 29.529 ms
13 be6.core1.equinix-sy1.syd.aussiebb.net (180.150.2.109) 179.4 ms 176.48 ms 175.901 ms
14 be5.core1.vdc01.syd.aussiebb.net (180.150.1.156) 178.473 ms 178.259 ms 179.188 ms
15 be1.core2.vdc01.syd.aussiebb.net (180.150.0.157) 174.961 ms 178.155 ms 177.704 ms
16 be2.core2.nextdc-s1.syd.aussiebb.net (202.142.143.203) 180.989 ms 177.078 ms 177.866 ms
17 HundredGigE0-0-0-21.bng2.nextdc-s1.syd.aussiebb.net (202.142.143.167) 179.017 ms 177.46 ms 177.734 ms
64 * * *
e6430-i5$ wget https://www.mercurycolleges.nsw.edu.au/
--2022-08-23 08:17:26-- https://www.mercurycolleges.nsw.edu.au/
Resolving www.mercurycolleges.nsw.edu.au (www.mercurycolleges.nsw.edu.au)... 91.239.243.28
Connecting to www.mercurycolleges.nsw.edu.au (www.mercurycolleges.nsw.edu.au)|91.239.243.28|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'
index.html [ <=> ] 146.29K 80.8KB/s in 1.8s
2022-08-23 08:17:31 (80.8 KB/s) - 'index.html' saved [149801]
e6430-i5$
Hi rg305, I will collect some logs soon, here is just a first one
plesk bin extension --exec letsencrypt cli.php -d mercurycolleges.nsw.edu.au -m support@mercurycolleges.nsw.edu.au
[2022-08-24 07:42:23.755] 549213:630549bfb77c2 ERR [extension/letsencrypt] The execution of cli.php has failed with the following message:
Could not obtain directory: cURL error 35: Network file descriptor is not connected (see libcurl - Error Codes)
The execution of cli.php has failed with the following message:
Could not obtain directory: cURL error 35: Network file descriptor is not connected (see libcurl - Error Codes)
I don't know. That curl version came out in 2013 if I read the history right. Or is this one of those distros where the version stays the same and security fixes get applied anyway?
We could look at your cert store. Please show result of this:
I think it's possible that your very old version of curl cannot properly handle the TLS connection. You also have a very old OpenSSL. You're on the old 1.02 branch and patch k - they ultimately got up to patch v. IMHO, it's odd that it's running a fips version, but not the latest fips version.
In any event, there may be issues with your machine's ability to handle protocols and ciphers. That would explain why you can access some https sites but not others.
Looking at the curl changelog - there were a lot of improvements to tls1.1 and 1.2 in subsequent releases.
You could try the following, but I don't think your version of curl may support these flags:
Let's try connecting with something other than curl. Can you show result of this?
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head -10
EDIT:
I'm starting to think your IP may be blocked. Curious to see openssl result still. Is this the machine you have been using to regularly renew the certs for mercurycolleges.nsw.edu.au as seen here?
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head -10
write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
curl --tlsv1.1 -tls-max 1.1 https://acme-staging-v02.api.letsencrypt.org/directory
error code: 1003curl: (35) Network file descriptor is not connected
curl --tlsv1.2 -tls-max 1.2 https://acme-staging-v02.api.letsencrypt.org/directory
curl: (56) Recv failure: Connection reset by peer
curl: (35) Network file descriptor is not connected
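An added example, not part of any post in this thread: a small Python classifier for `openssl s_client` output that reports how far the connection got, so a reset with nothing read can be told apart from a TLS alert. The sample strings are constructed (RESET mirrors the output posted above), and the labels and the rule of thumb in the comments are this example's assumptions.

```python
import re

# Constructed samples in OpenSSL 1.0.x s_client format. RESET mirrors the
# output posted above; ALERT and OK are invented here for contrast.
RESET = """write:errno=104
CONNECTED(00000003)
no peer certificate available
SSL handshake has read 0 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
"""
ALERT = """CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
SSL handshake has read 7 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
"""
OK = """CONNECTED(00000003)
SSL handshake has read 4512 bytes and written 415 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
"""


def classify(output):
    """Return the stage at which an s_client run stopped (labels are hypothetical)."""
    if "CONNECTED(" not in output:
        return "tcp-connect-failed"          # never got a TCP connection
    cipher = re.search(r"Cipher is (\S+)", output)
    if cipher and cipher.group(1) != "(NONE)":
        return "handshake-completed"         # a cipher was negotiated
    stats = re.search(r"SSL handshake has read (\d+) bytes", output)
    errno = re.search(r"\b(?:read|write):errno=(\d+)", output)
    if stats and int(stats.group(1)) == 0:
        # ClientHello went out and no TLS record came back. Rule of thumb
        # (assumption): a version or cipher mismatch usually returns an alert,
        # so zero bytes read points at the network path or the peer dropping us.
        if errno and errno.group(1) == "104":   # 104 = ECONNRESET on Linux
            return "reset-before-server-reply"
        return "no-server-reply"
    if "alert" in output:
        return "server-sent-tls-alert"       # peer answered and refused
    return "handshake-failed-other"


if __name__ == "__main__":
    for name, text in (("RESET", RESET), ("ALERT", ALERT), ("OK", OK)):
        print(name, "->", classify(text))
```

Capture both streams when feeding it real output (`2>&1`), since the `errno` line is written to stderr.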