ERR_CONNECTION_CLOSED for Kazakhstan

The website https://creativesociety.com when opening from Kazakhstan shows an ERR_CONNECTION_CLOSED. From different IPs, in different cities, different providers. In all other countries the site works normally. I would be grateful for any ideas what could be wrong?

Your domain will most likely be on an official Kazakh blacklist, which restricts access to it. You’d need to discuss this with the ISPs.

What’s the output of these commands?

ping creativesociety.com
nslookup creativesociety.com

Обмен пакетами с creativesociety.com [104.26.1.120] с 32 байтами данных:
Ответ от 104.26.1.120: число байт=32 время=3мс TTL=58
Ответ от 104.26.1.120: число байт=32 время=3мс TTL=58
Ответ от 104.26.1.120: число байт=32 время=4мс TTL=58
Ответ от 104.26.1.120: число байт=32 время=3мс TTL=58

Статистика Ping для 104.26.1.120:
Пакетов: отправлено = 4, получено = 4, потеряно = 0
(0% потерь)
Приблизительное время приема-передачи в мс:
Минимальное = 3мсек, Максимальное = 4 мсек, Среднее = 3 мсек

Сервер: GT-AX11000-6260
Address: 192.168.50.1
Не заслуживающий доверия ответ:
Имя: creativesociety.com
Addresses: 2606:4700:20::681a:178
2606:4700:20::ac43:47d9
2606:4700:20::681a:78
172.67.71.217
104.26.0.120
104.26.1.120

All right, you seem to be able to reach the addresses fine, however the response times are rather low. That would suggest your ISP might even hijack the addresses.

It’s best to contact your ISP and clarify if they block your domain or the IP addresses.

Please see this command from Kazakhstan:

openssl s_client -connect creativesociety.com:443

CONNECTED(00000003)

4097D58F7D7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:…/ssl/record/rec_layer_s3.c:308:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 328 bytes

Verification: OK

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

As we understand it, when a certificate is requested, the connection is reset.
At the same time, for subdomains, the certificate is returned normally.

As mentioned, that will be an ISP issue.

What does http://creativesociety.com/cdn-cgi/trace provide?

Also, did you contact the ISP as suggested?

fl=281f11
h=creativesociety.com
ip=37.150.38.160
ts=1686876821.798
visit_scheme=http
uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
colo=ALA
sliver=none
http=http/1.1
loc=KZ
tls=off
sni=off
warp=off
gateway=off
rbi=off
kex=none

Yes, we contacted both the regional ISP and Kaztelekom. They all said that the site is not blocked. We are waiting for an answer from the ministry responsible for these matters. Their website says that the site is not blocked, but we are waiting for an official response. They reply within a month…

So you do seem to reach Cloudflare at least on HTTP.

You wrote you can actually connect to hostnames, other than the naked domain. Which?

Yes, any subdomain opens in Kazakhstan, for example https://candidate.creativesociety.com
At the same time, the certificate is apparently cached in the browser for some time, and after that the main domain opens. But without first opening a subdomain, when a certificate is requested, the connection is reset.

What do these commands say?

ping creativesociety.com
ping candidate.creativesociety.com
openssl s_client -connect 104.18.10.139:443 -servername creativesociety.com

Обмен пакетами с creativesociety.com [104.26.3.58] с 32 байтами данных:
Ответ от 104.26.3.58: число байт=32 время=112мс TTL=58
Ответ от 104.26.3.58: число байт=32 время=2мс TTL=58
Ответ от 104.26.3.58: число байт=32 время=3мс TTL=58
Ответ от 104.26.3.58: число байт=32 время=2мс TTL=58

Статистика Ping для 104.26.3.58:
Пакетов: отправлено = 4, получено = 4, потеряно = 0
(0% потерь)
Приблизительное время приема-передачи в мс:
Минимальное = 2мсек, Максимальное = 112 мсек, Среднее = 29 мсек

Обмен пакетами с candidate.creativesociety.com [104.26.2.58] с 32 байтами данных:
Ответ от 104.26.2.58: число байт=32 время=103мс TTL=58
Ответ от 104.26.2.58: число байт=32 время=2мс TTL=58
Ответ от 104.26.2.58: число байт=32 время=2мс TTL=58
Ответ от 104.26.2.58: число байт=32 время=3мс TTL=58

Статистика Ping для 104.26.2.58:
Пакетов: отправлено = 4, получено = 4, потеряно = 0
(0% потерь)
Приблизительное время приема-передачи в мс:
Минимальное = 2мсек, Максимальное = 103 мсек, Среднее = 27 мсек

openssl s_client -connect 104.18.10.139:443 -servername creativesociety.com
CONNECTED(00000003)
402749E7297F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:…/ssl/record/rec_layer_s3.c:308:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 328 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

All right, that should not be IP specific in this case and may be domain related. Does www.creativesociety.com work?

Also, what do these commands say?

openssl s_client -connect 104.26.3.58:443 -servername sitemeer.com
traceroute creativesociety.com

No

openssl s_client -connect 104.26.3.58:443 -servername sitemeer.com
CONNECTED(00000003)
40279AECF07F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:…/ssl/record/rec_layer_s3.c:1584:SSL alert number 40

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 314 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

traceroute to creativesociety.com (104.26.2.58), 30 hops max, 60 byte packets
1 _gateway (10.1.2.254) 1.157 ms 1.332 ms 1.377 ms
2 * * *
3 212.154.131.113 (212.154.131.113) 93.462 ms 93.615 ms 93.465 ms
4 95.59.170.132 (95.59.170.132) 95.036 ms 92.47.145.100 (92.47.145.100) 94.579 ms 95.59.170.132 (95.59.170.132) 94.688 ms
5 * * *
6 95.57.207.238 (95.57.207.238) 95.720 ms 92.562 ms 93.145 ms
7 104.26.2.58 (104.26.2.58) 92.497 ms 2.850 ms 2.750 ms

Silly me, gave you a domain without SSL :blush:

Can you try this?

openssl s_client -connect 104.26.3.58:443 -servername medium.com

We receive the certificate here.

All right, that suggests it is not an IP address issue, but possibly domain related.

IMHO, these two lines suggest either a network block or some other issue with the network.

I don’t know which connection you have, but I doubt you have a roundtrip of two milliseconds to the Cloudflare proxies. Even more so as your traceroute suggests a consistent 100 milliseconds roundtrip, except for the proxy itself.

Either your ISP is deliberately blocking Cloudflare addresses here or they have some configuration issue with their routing. Unfortunately, that’s something only your ISP can clarify. I’d send the traceroute to the ISP and ask about the roundtrips.

Considering it’s only an issue with your domain, your domain is deliberately blocked.
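
The comparison the thread works through (different `-servername` values sent to Cloudflare addresses, with different handshake outcomes), as an added example that is not part of the original posts. The names `classify` and `sni_dependent` are hypothetical, the first two transcripts are trimmed from the output quoted above, the `medium.com` one is constructed, and the check assumes all transcripts were taken against the same edge address.

```python
import re

# Constructed transcripts: the first two are trimmed from the s_client output
# quoted in the thread; the third is an invented success case (the thread only
# says a certificate was received for medium.com).
TRANSCRIPTS = {
    "creativesociety.com": (
        "CONNECTED(00000003)\n"
        "error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading\n"
        "no peer certificate available\n"
        "SSL handshake has read 0 bytes and written 328 bytes\n"
    ),
    "sitemeer.com": (
        "CONNECTED(00000003)\n"
        "error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:"
        "SSL alert number 40\n"
        "no peer certificate available\n"
        "SSL handshake has read 7 bytes and written 314 bytes\n"
    ),
    "medium.com": (
        "CONNECTED(00000003)\n"
        "Certificate chain\n 0 s:CN = placeholder.invalid\n"
        "SSL handshake has read 2500 bytes and written 400 bytes\n"
    ),
}

def classify(transcript):
    """Map one s_client transcript to an outcome label."""
    if "CONNECTED(" not in transcript:
        return "tcp_failed"
    m = re.search(r"SSL handshake has read (\d+) bytes", transcript)
    read = int(m.group(1)) if m else 0
    alert = re.search(r"SSL alert number (\d+)", transcript)
    if alert:
        # 7 bytes read = 5-byte TLS record header + 2-byte alert: a TLS peer
        # answered and refused the handshake itself.
        return "tls_alert_" + alert.group(1)
    if read == 0:
        # TCP came up, the ClientHello went out, nothing came back.
        return "eof_after_client_hello"
    if "no peer certificate available" not in transcript:
        return "certificate_received"
    return "unknown"

def sni_dependent(results):
    """True when some SNI gets no bytes back while another gets a TLS reply."""
    answered = any(r.startswith("tls_alert_") or r == "certificate_received"
                   for r in results.values())
    silent = [sni for sni, r in results.items() if r == "eof_after_client_hello"]
    return bool(silent) and answered

RESULTS = {sni: classify(t) for sni, t in TRANSCRIPTS.items()}
```

A `tls_alert_40` still counts as a reply from the TLS endpoint, which is why the `sitemeer.com` probe is useful even though it produced no certificate.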
