[Solved]Cannot curl or browse certain websites on a fresh arch install

seth · 2024-12-16 08:19:19

What if you use yor phone for https://wiki.archlinux.org/title/Tethering ?
Also you've completely disabled mobile data so you're not using your mobile data plan on the phone to reach those sites for sure?

Lumenohr · 2024-12-16 08:36:25

seth wrote:

What if you use yor phone for https://wiki.archlinux.org/title/Tethering ?
Also you've completely disabled mobile data so you're not using your mobile data plan on the phone to reach those sites for sure?

It's definitely not mobile data since I don't even have any data on my sim card haha. But how performant would it actually be to literally just tether my phone to my computer for wifi?

Edit: Tried mobile tethering. It somehow doesn't work on my computer but is fine on my phone. Yes they are the same wifi.

Last edited by Lumenohr (2024-12-16 08:43:03)

seth · 2024-12-16 08:38:56

Irrelevant, we just wanna see what happens and whether it works w/ your phone as tethering device.

Lumenohr · 2024-12-16 08:44:03

seth wrote:

Irrelevant, we just wanna see what happens and whether it works w/ your phone as tethering device.

Edit: Tried mobile tethering. It somehow doesn't work on my computer but is fine on my phone. Yes they are the same WLAN.

Edit: Also, ironically, it's way faster with USB tethering on my phone for some reason.

Last edited by Lumenohr (2024-12-16 08:47:57)

seth · 2024-12-16 13:32:07

W/o tethering, please post the output of

ip a; ip r
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

Lumenohr · 2024-12-16 15:56:03

seth wrote:

W/o tethering, please post the output of

ip a; ip r
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp14s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether d8:43:ae:60:ea:65 brd ff:ff:ff:ff:ff:ff
    altname enxd843ae60ea65
3: wlp18s0f3u2: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state DORMANT group default qlen 1000
    link/ether 2a:ad:e8:6c:57:c7 brd ff:ff:ff:ff:ff:ff permaddr 9c:a2:f4:cc:19:00
    altname wlx9ca2f4cc1900
4: wlp15s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 12:9c:59:4d:d6:c8 brd ff:ff:ff:ff:ff:ff permaddr fc:b0:de:74:6a:ed
    altname wlxfcb0de746aed
bluetooth.service                        | bluetooth.target.wants
dbus-org.bluez.service                   | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service    | system
dbus-org.freedesktop.timesync1.service   | system
getty@tty1.service                       | getty.target.wants
NetworkManager-wait-online.service       | network-online.target.wants
NetworkManager.service                   | multi-user.target.wants
p11-kit-server.socket                    | sockets.target.wants
pipewire-pulse.socket                    | sockets.target.wants
pipewire-session-manager.service         | user
pipewire.socket                          | sockets.target.wants
remote-fs.target                         | multi-user.target.wants
scx.service                              | graphical.target.wants
systemd-resolved.service                 | sysinit.target.wants
systemd-timesyncd.service                | sysinit.target.wants
systemd-userdbd.socket                   | sockets.target.wants
wireplumber.service                      | pipewire.service.wants
xdg-user-dirs-update.service             | default.target.wants

seth · 2024-12-16 16:05:15

Apparently you had neitehr carrier nor lease nor route at this point??
What provides the network?

Lumenohr · 2024-12-16 16:12:43

seth wrote:

Apparently you had neitehr carrier nor lease nor route at this point??
What provides the network?

My bad. I don't believe when I executed that I had wifi. Here's the output when connected to a network via wlp18s0f3u2:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp14s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether d8:43:ae:60:ea:65 brd ff:ff:ff:ff:ff:ff
    altname enxd843ae60ea65
3: wlp15s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 0e:70:ec:35:81:5e brd ff:ff:ff:ff:ff:ff permaddr fc:b0:de:74:6a:ed
    altname wlxfcb0de746aed
4: wlp18s0f3u2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 9c:a2:f4:cc:19:00 brd ff:ff:ff:ff:ff:ff
    altname wlx9ca2f4cc1900
    inet 192.168.254.194/24 brd 192.168.254.255 scope global dynamic noprefixroute wlp18s0f3u2
       valid_lft 259194sec preferred_lft 259194sec
    inet6 fe80::7647:95b:9e76:2641/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
default via 192.168.254.254 dev wlp18s0f3u2 proto dhcp src 192.168.254.194 metric 600 
192.168.254.0/24 dev wlp18s0f3u2 proto kernel scope link src 192.168.254.194 metric 600 
bluetooth.service                        | bluetooth.target.wants
dbus-org.bluez.service                   | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service    | system
dbus-org.freedesktop.timesync1.service   | system
getty@tty1.service                       | getty.target.wants
NetworkManager-wait-online.service       | network-online.target.wants
NetworkManager.service                   | multi-user.target.wants
p11-kit-server.socket                    | sockets.target.wants
pipewire-pulse.socket                    | sockets.target.wants
pipewire-session-manager.service         | user
pipewire.socket                          | sockets.target.wants
remote-fs.target                         | multi-user.target.wants
scx.service                              | graphical.target.wants
systemd-resolved.service                 | sysinit.target.wants
systemd-timesyncd.service                | sysinit.target.wants
systemd-userdbd.socket                   | sockets.target.wants
wireplumber.service                      | pipewire.service.wants
xdg-user-dirs-update.service             | default.target.wants

seth · 2024-12-16 16:24:36

You're using some external wifi dongle?
What provides bluetooth?
Is this on a 2.4 GHz connection?
Any chance to use the wired device?

Lumenohr · 2024-12-16 16:28:38

seth wrote:

You're using some external wifi dongle?

Yep.

seth wrote:

What provides bluetooth?

I think it might be something via PCIE on my board.

seth wrote:

Is this on a 2.4 GHz connection?

I'm pretty sure this WLAN is 5G that I'm currently on.

seth wrote:

Any chance to use the wired device?

Already tried it. No fish unfortunately.

seth · 2024-12-16 17:14:24

Already tried it. No fish unfortunately.

That'd render the entire wifi/radio inquiry moot anyway.

So you can't access cloudflare from any device in the LAN except for your phone. Not even when using that for tethering.
What are the other devices?
Did you test grml?
Does your phone use some proxy, VPN (which makes arch work) or "internet accelerator"?
How prone is your local government to censorship? (Did you google whether your ISP currently holds a grudge against cloudflare?)
Can you reach https://www.cloudflare.com/ itself?

Lone_Wolf · 2024-12-17 10:28:27

Moderator note

Lumenohr wrote:

Edit: Uhh can you even delete posts on this forum? It's not showing me an option to. If it's all right, can any of the admins delete them?

Users can't delete posts , and moderators only do that when asked OR posts violate forum rules.
If you ever want something deleted (doesn't matter who posted it) , use the report button to send a message to moderators.

Lumenohr · 2024-12-17 22:18:18

Sorry for the late response. I reinstalled arch and still get the same issues, not that it really would have changed anything it seems. At anyrate,

seth wrote:

So you can't access cloudflare from any device in the LAN except for your phone. Not even when using that for tethering.

Yes. The phone, however, has been reset and still only works when using cloudflare dns. When explicitly selecting that, it shows, greyed out at the bottom, "one.one.one.one." My efforts lately have been to get a similar DNS setup on my computer, as it really only works on my phone WHEN that DNS server is used.

seth wrote:

What are the other devices?

A laptop, another computer, and a tablet besides the aforementioned computer and phone.

seth wrote:

Did you test grml?

I haven't, although at this point I doubt it's an OS issue as much as it is something to do with my ISP or DNS.

seth wrote:

Does your phone use some proxy, VPN (which makes arch work) or "internet accelerator"?

It's just a Redmi 13c with the Derpfest rom installed on it. It only really works WHEN I turn on the Cloudflare dns, as mentioned before.

seth wrote:

How prone is your local government to censorship? (Did you google whether your ISP currently holds a grudge against cloudflare?)

This I actually looked into and while my government and ISP are neither prone to censorship nor anger towards Cloudflare, there were issues with Cloudflare a few months ago with other users for other websites. It seems to be fixed though so I don't think it could be that.

seth wrote:

Can you reach https://www.cloudflare.com/ itself?

Yes.

Lumenohr · 2024-12-17 22:19:24

Lone_Wolf wrote:

Users can't delete posts , and moderators only do that when asked OR posts violate forum rules.
If you ever want something deleted (doesn't matter who posted it) , use the report button to send a message to moderators.

Ah, my bad I guess I didn't go through the way things work around here well enough. Okay. Noted.

seth · 2024-12-17 23:01:26

Let's see whether openssl can tell us what's wrong w/ the certificate… or anything

openssl s_client -connect lutris.net:https

And what the server can still tell us…

wget -S -O /dev/null https://lutris.net/

Do you have openssl or wget on your phone?

Lumenohr · 2024-12-17 23:06:15

From computer:

openssl s_client -connect lutris.net:https:

Connecting to 104.21.96.1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

wget -S -O /dev/null https://lutris.net/:

--2024-12-18 07:03:29--  https://lutris.net/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving lutris.net (lutris.net)... 104.21.96.1, 104.21.48.1, 104.21.64.1, ...
Connecting to lutris.net (lutris.net)|104.21.96.1|:443... connected.
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

seth wrote:

Do you have openssl or wget on your phone?

Dang. Shouldn't have reflashed my phone then. While the internet still works, it would have been easier to get wget and openssl on it had I kept my previous install with root access enabled. Is there a way to test without those or must I use something like termux to get the cli utils needed?
Edit: nvm don't need root access.

From phone:
openssl s_client -connect lutris.net:https

Connecting to 104.21.32.1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 325 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

wget -S -O /dev/null https://lutris.net

--2024-12-18 07:15:43--  https://lutris.net/
Resolving lutris.net (lutris.net)... 104.21.32.1, 104.21.112.1, 104.21.96.1, ...
Connecting to lutris.net (lutris.net)|104.21.32.1|:443... connected.
Unable to establish SSL connection.

Last edited by Lumenohr (2024-12-17 23:16:45)

seth · 2024-12-17 23:15:13

Connecting to 104.21.96.1
CONNECTED(00000003)
write:errno=104

Nothing. You connect and get cut off immediately. Nothing else happens. No server certificate is sent.

Connecting to lutris.net (lutris.net)|104.21.96.1|:443... connected.
GnuTLS: Error in the pull function.

… nor anything else from the server.

Can you move the system into a different network?

Lumenohr · 2024-12-17 23:18:11

seth wrote:

Can you move the system into a different network?

I can try with a VPN if that's what you mean.

seth · 2024-12-17 23:20:35

Afaiu VPNs work?
I meant physically, w/o changing anything about the config - office, dorm, starbucks…

Lumenohr · 2024-12-17 23:23:42

seth wrote:

Afaiu VPNs work?

Yeah they do.

seth wrote:

I meant physically, w/o changing anything about the config - office, dorm, starbucks…

I can try to get some mobile data, hotspot my computer, and then browse the sites if that works.

Lumenohr · 2024-12-18 00:15:11

With the mobile hotspot and using mobile data:
openssl s_client -connect lutris.net:https:

Connecting to 104.21.64.1
CONNECTED(00000003)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R4
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WE1
verify return:1
depth=0 CN=lutris.net
verify return:1
---
Certificate chain
 0 s:CN=lutris.net
   i:C=US, O=Google Trust Services, CN=WE1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Nov 21 00:15:05 2024 GMT; NotAfter: Feb 19 00:15:04 2025 GMT
 1 s:C=US, O=Google Trust Services, CN=WE1
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R4
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R4
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDoTCCA0igAwIBAgIRANRbsifmPYJ0DYo/h6/JAOAwCgYIKoZIzj0EAwIwOzEL
MAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczEMMAoG
A1UEAxMDV0UxMB4XDTI0MTEyMTAwMTUwNVoXDTI1MDIxOTAwMTUwNFowFTETMBEG
A1UEAxMKbHV0cmlzLm5ldDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGwKDEds
rtLSXJ2g55IXKKnKOUNAJMWihabO45RfTe/I1OJiZlnu0LXUIMB1IiadkUfkS5dO
ulU9O1Laxxz9nomjggJRMIICTTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI
KwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUMCTxSO/MpDLNeyE7Ul6y
Z9CcP1gwHwYDVR0jBBgwFoAUkHeSNWfE/6jMqeZ72YB5e8yT+TgwXgYIKwYBBQUH
AQEEUjBQMCcGCCsGAQUFBzABhhtodHRwOi8vby5wa2kuZ29vZy9zL3dlMS8xRnMw
JQYIKwYBBQUHMAKGGWh0dHA6Ly9pLnBraS5nb29nL3dlMS5jcnQwIwYDVR0RBBww
GoIKbHV0cmlzLm5ldIIMKi5sdXRyaXMubmV0MBMGA1UdIAQMMAowCAYGZ4EMAQIB
MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jLnBraS5nb29nL3dlMS84NWYxXy1O
U3Ewdy5jcmwwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgDPEVbu1S58r/OHW9lp
LpvpGnFnSrAX7KwB0lt3zsw7CAAAAZNMSYOpAAAEAwBHMEUCIQCae9sjFk+iDGuU
LYIM/vbW2vohpIStBNmUj5x5J9H4nAIgRRvAbBSXQxKFKLX7CucGas6rf0cOLNg5
I3+FLdwAQFUAdgDgkrP8DB3I52g2H95huZZNClJ4GYpy1nLEsE2lbW9UBAAAAZNM
SYOuAAAEAwBHMEUCIQDJAcVJ1z1T6bSzw2VUR3tic3Ih1EWHsE/woPHpcFA55gIg
L7NnekrW8OTfZSydyTmL5DE2L2mZ1ixv9Jmg+hdzgg8wCgYIKoZIzj0EAwIDRwAw
RAIgb9KLS08AWTjnTC4s44XQJ0Ml5dSomzpN3i2B4BvVKDsCIFhPW44aOnIqfKxY
5P0CE5KH7diXEthfhaXxe4/4lfOi
-----END CERTIFICATE-----
subject=CN=lutris.net
issuer=C=US, O=Google Trust Services, CN=WE1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2822 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F09078FC4F2EEB70668A2A5EE954E6008F3C256ED5A90E1CFCA96ADA6F2265D8
    Session-ID-ctx: 
    Resumption PSK: 4108F3E54442DD2ECC968874AFF2CE8E51EF7A2CF6A1652D5769822BFB6221AB2CC179A0D60ABF3B208C538EF6099D71
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - df 3b cc e9 18 04 49 18-2b 34 1b 5e a5 43 f7 b8   .;....I.+4.^.C..
    0010 - 9a f3 43 02 c4 0d 87 7a-36 e9 3b 11 15 92 c5 4c   ..C....z6.;....L
    0020 - 2a be a5 d0 b1 3c d6 1b-a9 69 63 e0 6c ba 65 4e   *....<...ic.l.eN
    0030 - 43 6a 68 c3 c2 36 85 3c-03 14 19 33 31 dd e8 15   Cjh..6.<...31...
    0040 - fb 88 e9 0c b8 10 60 94-bb a3 8f 39 46 ce 6f 31   ......`....9F.o1
    0050 - d4 98 86 a0 19 d4 b5 85-78 42 59 c3 5d dd 52 93   ........xBY.].R.
    0060 - 56 a4 86 5e 81 0a 41 fc-8a 33 5f aa 92 fd 3d 59   V..^..A..3_...=Y
    0070 - 19 65 ef f5 10 89 ea f0-39 77 97 2e ef de 6d 1a   .e......9w....m.
    0080 - 9a 9c da 20 bb 51 4a 2c-f8 c7 a7 53 98 ad 14 31   ... .QJ,...S...1
    0090 - 0b f9 c9 a4 4a 61 48 db-07 9d 2e 72 dd fb 11 43   ....JaH....r...C
    00a0 - 96 d5 2f 38 f8 77 14 a7-dd 14 be 8d e5 61 1b 56   ../8.w.......a.V
    00b0 - c9 2e 84 d9 b5 89 eb 21-0e 95 89 7f 13 ef de c9   .......!........

    Start Time: 1734480806
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 488BB9679B0992AB6B6DAF74C59473D7CECAFBF2E696BEDA4D8BF76B44DDAA87
    Session-ID-ctx: 
    Resumption PSK: FC96B76F5F1DC0323DFB964FA3CCE39279E186CB0FE4082AAEFF5C8A27B098538E75309728A7AF0640FC6044F53AEF8F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - df 3b cc e9 18 04 49 18-2b 34 1b 5e a5 43 f7 b8   .;....I.+4.^.C..
    0010 - 79 e5 bc 8a 44 43 62 02-3d 75 b2 dc 4c 0d 85 8f   y...DCb.=u..L...
    0020 - 2b 0d c5 f8 03 07 35 c8-6b e5 30 4c 6e 98 18 b3   +.....5.k.0Ln...
    0030 - 53 48 03 38 ff 5a 7f 0b-84 0e a2 11 ec 57 5d 25   SH.8.Z.......W]%
    0040 - 33 1d 47 75 43 d5 aa e8-f6 cb ae 4c 27 4b cb 52   3.GuC......L'K.R
    0050 - 45 5d ca d7 30 32 1c 55-48 0a ac 54 b1 0d 77 01   E]..02.UH..T..w.
    0060 - ad 87 92 be 51 69 9c 8c-49 13 3d b0 55 7c fa b6   ....Qi..I.=.U|..
    0070 - bd 44 54 a4 85 29 e8 4e-0f 33 20 66 65 99 be eb   .DT..).N.3 fe...
    0080 - 5a 60 b3 aa f6 43 44 46-d1 0d 4a e2 13 0e d8 b7   Z`...CDF..J.....
    0090 - ab db 00 eb 39 99 f7 73-54 d9 8b c7 d1 a1 e8 59   ....9..sT......Y
    00a0 - b7 f4 15 eb 3f 9e 17 85-34 ff f2 6b 35 ca 8c 5c   ....?...4..k5..\
    00b0 - 30 3e c4 72 e8 ea 7f be-3d 0a 4b 5c 1b c8 8e 7c   0>.r....=.K\...|

    Start Time: 1734480806
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

wget -S -O /dev/null https://lutris.net/

--2024-12-18 08:14:10--  https://lutris.net/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving lutris.net (lutris.net)... 104.21.48.1, 104.21.112.1, 104.21.64.1, ...
Connecting to lutris.net (lutris.net)|104.21.48.1|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Wed, 18 Dec 2024 00:14:12 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  vary: Accept-Encoding
  vary: origin, Cookie
  x-frame-options: DENY
  x-xss-protection: 1
  content-security-policy: frame-ancestors 'self'
  x-content-type-options: nosniff
  strict-transport-security: max-age=31536000; includeSubDomains
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=ZvumFOOpDWiZ894nBO%2FUmSlSwKKo93BYJGAEYJFOe9BYpG1WVW108m3m0mXIkQZiHBmK6zXzmhtksT96gmLx7qwUkcV4dk2P9iSyaYf4gNsbbx9RM0qNWC%2BCSPNp"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f3af38e0af987a0-SIN
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=70659&min_rtt=70607&rtt_var=14973&sent=7&recv=9&lost=0&retrans=0&sent_bytes=3110&recv_bytes=744&delivery_rate=61381&cwnd=252&unsent_bytes=0&cid=5e7283ee0aab73e1&ts=1164&x=0"
Length: unspecified [text/html]
Saving to: ‘/dev/null’

/dev/null                               [ <=>                                                                ]   7.51K  --.-KB/s    in 0.002s  

2024-12-18 08:14:12 (4.22 MB/s) - ‘/dev/null’ saved [7690]

Everything seems to work fine, including browsing, with the hotspot but not the home network.

Last edited by Lumenohr (2024-12-18 01:05:20)

seth · 2024-12-18 08:20:51

Everything seems to work fine, including browsing, with the hotspot but not the home network.

Yup. It's not the arch config.
You also had one failure on 104.21.48.1 so it's not you randomly happened to resolve two working IPs after hitting a lot of failures.
I can't tell what your phone is doing differently, but your LAN is cut off from cloudflare.

Cloudflare has an alternative https port, can you

openssl s_client -connect lutris.net:8443

Lumenohr · 2024-12-18 16:04:05

On normal wfi:
openssl s_client -connect lutris.net:8443

Connecting to 104.21.80.1
CONNECTED(00000003)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R4
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WE1
verify return:1
depth=0 CN=lutris.net
verify return:1
---
Certificate chain
 0 s:CN=lutris.net
   i:C=US, O=Google Trust Services, CN=WE1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Nov 21 00:15:05 2024 GMT; NotAfter: Feb 19 00:15:04 2025 GMT
 1 s:C=US, O=Google Trust Services, CN=WE1
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R4
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R4
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDoTCCA0igAwIBAgIRANRbsifmPYJ0DYo/h6/JAOAwCgYIKoZIzj0EAwIwOzEL
MAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczEMMAoG
A1UEAxMDV0UxMB4XDTI0MTEyMTAwMTUwNVoXDTI1MDIxOTAwMTUwNFowFTETMBEG
A1UEAxMKbHV0cmlzLm5ldDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGwKDEds
rtLSXJ2g55IXKKnKOUNAJMWihabO45RfTe/I1OJiZlnu0LXUIMB1IiadkUfkS5dO
ulU9O1Laxxz9nomjggJRMIICTTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI
KwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUMCTxSO/MpDLNeyE7Ul6y
Z9CcP1gwHwYDVR0jBBgwFoAUkHeSNWfE/6jMqeZ72YB5e8yT+TgwXgYIKwYBBQUH
AQEEUjBQMCcGCCsGAQUFBzABhhtodHRwOi8vby5wa2kuZ29vZy9zL3dlMS8xRnMw
JQYIKwYBBQUHMAKGGWh0dHA6Ly9pLnBraS5nb29nL3dlMS5jcnQwIwYDVR0RBBww
GoIKbHV0cmlzLm5ldIIMKi5sdXRyaXMubmV0MBMGA1UdIAQMMAowCAYGZ4EMAQIB
MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jLnBraS5nb29nL3dlMS84NWYxXy1O
U3Ewdy5jcmwwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgDPEVbu1S58r/OHW9lp
LpvpGnFnSrAX7KwB0lt3zsw7CAAAAZNMSYOpAAAEAwBHMEUCIQCae9sjFk+iDGuU
LYIM/vbW2vohpIStBNmUj5x5J9H4nAIgRRvAbBSXQxKFKLX7CucGas6rf0cOLNg5
I3+FLdwAQFUAdgDgkrP8DB3I52g2H95huZZNClJ4GYpy1nLEsE2lbW9UBAAAAZNM
SYOuAAAEAwBHMEUCIQDJAcVJ1z1T6bSzw2VUR3tic3Ih1EWHsE/woPHpcFA55gIg
L7NnekrW8OTfZSydyTmL5DE2L2mZ1ixv9Jmg+hdzgg8wCgYIKoZIzj0EAwIDRwAw
RAIgb9KLS08AWTjnTC4s44XQJ0Ml5dSomzpN3i2B4BvVKDsCIFhPW44aOnIqfKxY
5P0CE5KH7diXEthfhaXxe4/4lfOi
-----END CERTIFICATE-----
subject=CN=lutris.net
issuer=C=US, O=Google Trust Services, CN=WE1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2822 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B18109854822C4568CB9B96245CB9B7374C8FCAEB4096D1B520104789A448C81
    Session-ID-ctx: 
    Resumption PSK: E732E108241C3E499BC374298987C9C24E0E1B345FA26DD40E04C55A738F1AFDB52944DD29FF398CD2B2D41990433892
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64799 (seconds)
    TLS session ticket:
    0000 - 8c 2f 70 30 a8 dc ac de-15 8d c3 d3 c1 4b 32 8f   ./p0.........K2.
    0010 - 87 f4 ec cb 2a 94 3b 73-68 2c 13 ba 0b ff d3 50   ....*.;sh,.....P
    0020 - 48 74 13 9a e5 7b f9 e3-ce 6b 30 c4 a4 5b f7 9c   Ht...{...k0..[..
    0030 - 51 db 92 3d 70 59 45 86-5a 9a 92 d3 cb b9 08 c3   Q..=pYE.Z.......
    0040 - b0 67 b3 89 53 77 7f 64-aa 6d 11 fd 49 3b ae fa   .g..Sw.d.m..I;..
    0050 - b5 7f 65 a1 53 34 e9 84-16 9d a3 d0 22 86 5a cb   ..e.S4......".Z.
    0060 - df eb dc 70 7d 3d cb 9d-1b 00 6d 46 d6 36 48 b3   ...p}=....mF.6H.
    0070 - 82 a2 13 3a 79 6f 1b 5c-f3 d5 77 ff e7 0f a1 51   ...:yo.\..w....Q
    0080 - 04 46 78 6c 1a 19 71 8a-83 5b b0 5e 6b 98 b7 bb   .Fxl..q..[.^k...
    0090 - ec d1 8e 8f c5 2e a5 99-fa ad 82 97 38 80 64 73   ............8.ds
    00a0 - 29 94 47 06 5d 34 a1 4c-8b 11 0f 15 f1 b6 ae d6   ).G.]4.L........
    00b0 - cb 3e 71 4b 6f de f1 02-57 5c de 7e d3 99 18 03   .>qKo...W\.~....

    Start Time: 1734537747
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 14D773A6270745EF3634F18268D89E7EA0FABA182914576C18B13D92DDFC1C25
    Session-ID-ctx: 
    Resumption PSK: 22636178D4123072FB46A86FD2912102A4B68B4D371817FA1B8E6B71991C99DB62E695BC92BF0AA744E4877FF2CF1061
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64799 (seconds)
    TLS session ticket:
    0000 - 8c 2f 70 30 a8 dc ac de-15 8d c3 d3 c1 4b 32 8f   ./p0.........K2.
    0010 - 6c d1 2b 9c 85 99 75 b6-0f 6c 55 29 ec df d4 4f   l.+...u..lU)...O
    0020 - 1c 86 66 c3 44 84 df 00-16 0c bf 24 8e 1c d9 3f   ..f.D......$...?
    0030 - f9 9d bc 8b d5 c4 e6 02-e8 27 2c dd 5a e2 b2 9c   .........',.Z...
    0040 - d0 40 1e aa 3d ef a5 4a-05 99 cf dd 5f c8 88 c0   .@..=..J...._...
    0050 - 85 b6 23 19 ad 1d c1 49-2d 2d 03 24 1a 44 63 1f   ..#....I--.$.Dc.
    0060 - eb bb f3 d2 63 ee e0 91-23 93 66 52 ad f2 c3 3f   ....c...#.fR...?
    0070 - 44 d7 5d 44 ef d0 7d 02-bb 28 4b 96 da 56 e4 26   D.]D..}..(K..V.&
    0080 - 8d d1 ac 81 33 49 12 ca-57 70 92 ed 97 47 5a 6e   ....3I..Wp...GZn
    0090 - 5f 89 78 44 bf 7b a8 4c-7e 79 df be 25 e6 da d7   _.xD.{.L~y..%...
    00a0 - 61 aa 8d 78 66 e5 ce 88-8f 45 66 54 a3 ea ed 50   a..xf....EfT...P
    00b0 - 1a f1 62 73 57 95 f8 d6-87 d6 52 24 1f 2d 67 50   ..bsW.....R$.-gP

    Start Time: 1734537747
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

seth · 2024-12-18 16:27:11

The normal wifi that usually doesn't work?
Somebody or something messes around w/ your :443 traffic? Perhaps some router feature? Adblocker etc?

Lumenohr · 2024-12-18 17:08:53

seth wrote:

The normal wifi that usually doesn't work?

Yep.

seth wrote:

Somebody or something messes around w/ your :443 traffic? Perhaps some router feature? Adblocker etc?

I do have an adblocker, but it seems that if I turn it off then it still doesn't work. Wondering if it's a router feature you mentioned... is there even such a thing?

Arch Linux

#26 2024-12-16 08:19:19

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#27 2024-12-16 08:36:25

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#28 2024-12-16 08:38:56

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#29 2024-12-16 08:44:03

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#30 2024-12-16 13:32:07

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#31 2024-12-16 15:56:03

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#32 2024-12-16 16:05:15

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#33 2024-12-16 16:12:43

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#34 2024-12-16 16:24:36

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#35 2024-12-16 16:28:38

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#36 2024-12-16 17:14:24

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#37 2024-12-17 10:28:27

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#38 2024-12-17 22:18:18

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#39 2024-12-17 22:19:24

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#40 2024-12-17 23:01:26

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#41 2024-12-17 23:06:15

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#42 2024-12-17 23:15:13

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#43 2024-12-17 23:18:11

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#44 2024-12-17 23:20:35

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#45 2024-12-17 23:23:42

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#46 2024-12-18 00:15:11

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#47 2024-12-18 08:20:51

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#48 2024-12-18 16:04:05

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#49 2024-12-18 16:27:11

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

#50 2024-12-18 17:08:53

Re: [Solved]Cannot curl or browse certain websites on a fresh arch install

Board footer