Hi folks,
I recently spent quite a bit of time troubleshooting why my Hentai@Home (H@H) client wasn't running properly on an Aliyun (Alibaba Cloud) VPS and ultimately hit a dead end. Thought I'd share my findings here to save others from going through the same headache.
TL;DR
Running H@H on a mainland China VPS hosted by large providers (like Aliyun or Tencent) isn't practical because the hath.network domain hasn't completed the required filing (备案) with MIIT. Aliyun's firewall specifically blocks TLS/SSL connections to unfiled domains, causing H@H's external connection checks to fail. Unfortunately, there's no workaround.
The Issue
The H@H client appeared to launch normally, listened on port 1145, and applied configuration settings without issue. However, it consistently failed the external connectivity test with this error:
```
[WARN] Startup Failure: FAIL_CONNECT_TEST:OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxxxxxx.xxxxxxxxxxxx.hath.network:1145
```
The full message suggested checking firewall or NAT configuration, but those were already correctly configured.
What I Checked Initially
- Confirmed port 1145 was open and actively listening (netstat).
- Tested both Docker (using TDCPF/hath) and native H@H client—both had the same connectivity failure.
- UFW was disabled; Aliyun Security Group explicitly allowed the port.
- A basic HTTP server worked perfectly fine over the same port when accessed directly by IP from a browser.
- Identical configurations passed when tested on a Vultr VPS.
Debugging and Reproducing
To investigate further, I extracted the certificate and key from hathcert.p12 using these commands:
```sh
openssl pkcs12 -in hathcert.p12 -nocerts -out cert.key -nodes
openssl pkcs12 -in hathcert.p12 -clcerts -nokeys -out cert.crt
```
Note: If you encounter an error about unsupported algorithms (RC2-40-CBC), you can resolve it by using an older OpenSSL version in Docker:
```sh
docker run -v "$PWD":/data -it debian:bullseye bash
# Inside container
apt update && apt install -y openssl
cd /data
openssl pkcs12 -in hathcert.p12 -nocerts -out cert.key -nodes
openssl pkcs12 -in hathcert.p12 -clcerts -nokeys -out cert.crt
```
Then I set up a simple Python HTTPS server using these certificates on another allowed port to simulate the client:
```python
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl


class SimpleHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Serve a fixed page so any successful response proves the TLS path works
        content = b"<html><body><h1>Hello from port 1146!</h1></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(content)))
        self.end_headers()
        self.wfile.write(content)


if __name__ == "__main__":
    server_address = ('0.0.0.0', 1146)
    httpd = HTTPServer(server_address, SimpleHandler)
    # Present the certificate and key extracted from hathcert.p12
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(certfile="data/cert.crt", keyfile="data/cert.key")
    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
    print("Serving HTTPS on port 1146...")
    httpd.serve_forever()
```
A curl test from an external machine got "curl: (35) Recv failure: Connection reset by peer". An OpenSSL connection test also confirmed a silent reset during the TLS handshake with "unexpected eof while reading... no peer certificate available".
This indicates Aliyun's firewall actively resets TLS connections to unfiled domains.
Additional Observations
Plain HTTP access triggered an Aliyun warning page stating the domain hadn’t completed the required filing, aligning perfectly with TLS connection blockage.
Initially, the H@H connection test failed immediately, but subsequent manual checks with OpenSSL handshake or a simple Python HTTP server (both based on IP) worked without issue. However, the moment a Python HTTPS server was introduced, the connection was instantly blocked.
Conclusion
Aliyun strictly enforces domain filing requirements by blocking TLS connections to unfiled domains, making it impossible to run H@H successfully on their platform. The best solution is to avoid using VPS providers in mainland China (Aliyun, Tencent, etc.) for H@H hosting and instead use an offshore VPS or home servers.
Hope this saves you a headache!