Hi,
On one of my Enhance nodes, I’m unable to issue Let’s Encrypt certificates. Upon investigation, I’ve found that the server cannot reach the ACME endpoint normally:
root@circe:~# curl -I https://acme-v02.api.letsencrypt.org/directory
curl: (35) Recv failure: Connection reset by peer
However, if I force cURL to resolve directly to the IP address, it works:
root@circe:~# curl -I https://acme-v02.api.letsencrypt.org/directory --resolve acme-v02.api.letsencrypt.org:443:172.65.32.248
HTTP/2 200
server: nginx
date: Thu, 19 Jun 2025 23:53:43 GMT
...
Things I’ve already checked:
- DNS resolves correctly to Cloudflare's IPs (e.g. 172.65.32.248)
- Outbound connections on port 443 are allowed (UFW/iptables)
- No proxy or firewall between the server and the internet
- Other HTTPS connections (e.g. to google.com, pt.pt) work fine
- This only affects Let’s Encrypt’s ACME endpoint
- The IP 172.65.32.248 has been whitelisted in CPfence, but the issue still persists
It seems like something silently drops or resets the TLS handshake only when resolving the hostname, not when targeting the IP directly.
Thanks in advance!
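Added example (my own diagnostic, not code from the original post): it takes every address the system resolver returns for the host, including any AAAA records that a `--resolve` with an IPv4 literal never exercises, attempts a TLS handshake to each with SNI set, and reports which addresses complete and which are reset. Function names and the verdict strings are my own; the `resolve`/`probe` parameters exist so the logic can be exercised with fake resolvers offline.

```python
"""Probe each resolver-returned address for a host with a direct TLS handshake."""
import socket
import ssl
import sys


def resolve_addresses(host, port=443):
    """Return ("A"|"AAAA", address) pairs from the system resolver, in order, deduplicated."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        entry = ("AAAA" if family == socket.AF_INET6 else "A", sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def tls_probe(host, address, port=443, timeout=5.0):
    """Connect to one literal address with SNI=host; return 'ok:<version>' or 'fail:<error>'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except (OSError, ssl.SSLError) as exc:  # ConnectionResetError is a subclass of OSError
        return "fail:" + type(exc).__name__


def diagnose(host, resolve=resolve_addresses, probe=tls_probe):
    """Probe every resolved address; return ({"<type> <addr>": result}, verdict)."""
    results = {f"{rtype} {addr}": probe(host, addr) for rtype, addr in resolve(host)}
    failing = [k for k, v in results.items() if not v.startswith("ok")]
    if not results:
        verdict = "resolver returned no addresses"
    elif not failing:
        verdict = "every resolved address completes the handshake; look beyond DNS/IP"
    elif len(failing) == len(results):
        verdict = "all resolved addresses fail; the path to this host is blocked"
    else:
        verdict = "mixed: " + ", ".join(failing) + " fail while others succeed"
    return results, verdict


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "acme-v02.api.letsencrypt.org"
    table, summary = diagnose(target)
    for key, outcome in table.items():
        print(key, outcome)
    print(summary)
```

A "mixed" verdict points at the resolver path (for example an AAAA record whose route is reset) rather than at the host itself.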