405 Method not Allowed - DOSarrest Internet Security


#1

Using ACME v.2, I am getting “405 Method not Allowed - DOSarrest Internet Security” from the Let’s Encrypt server. What is this? I cannot get the wildcard certificate.

I am using the following command and getting the above-mentioned response:

./acme.sh --issue --dns --force -d *.paintinggallery.pro -d paintinggallery.pro


#2

@jsha Is this an LE sided problem??


#3

Yes, this is the response from their server.


#4

Do you get the same error with v1? Can you provide the full output from that command?


#5

There is no problem with Acme v/1 since it is embedded into the ISP Lite 5 control panel, and I am not using any command in Acme v/1 directly.

Here is the full log for you, mr. boss.

out.txt (35.9 KB)

PS I deleted acme v/2 and am using the sslforfree service instead because it is working ok.


#6

That is odd! I’m not sure why you would be getting an error from DOSarrest, since it’s not a product we use. Do you use DOSarrest? Are you running this command from a personal PC or on a server?


#7

Most probably this is my internet provider. I am using a home server.


#8

I checked my Internet provider. They responded that they are not using DOSarrest. Are you sure regarding your server plugins or hoster restrictions?


#9

Could you show me what the output of the following is?

openssl s_client -connect acme-v02.api.letsencrypt.org:443 -servername acme-v02.api.letsencrypt.org -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -serial -hash

Unless the output of acme.sh is extremely misleading, it looks like there is an interception proxy sitting somewhere between you and acme-v02.


#10

[image: image_2018-03-21_14-40-19]


#11

I am in correspondence with the DOSarrest Support support@dosarrest.com to clarify this issue.


#12

I’m not going to transcribe that entire serial number, but that does look like the correct certificate.

https://crt.sh/?id=356427568

Key word “look”: an MITM fake CA is perfectly capable of imitating a real certificate’s CN, serial number, and issuer details, though I don’t think they typically bother?


#13

Apparently the hash is over the subject name, whoops, should have used the modulus :frowning: .

Really odd.
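The point made in posts #12 and #13, as an added example that is not part of the original thread: `openssl x509 -hash` covers only the subject name, so two certificates with the same subject give the same value even when their keys differ, while a digest of the public key tells them apart. The certificates are constructed test data (`CN=constructed.example`) and the function names are this example's own.

```shell
#!/bin/sh
# Added example: compare two PEM certificates by subject hash and by public key.

# Hash of the subject name only (what `openssl x509 -hash` prints).
subject_hash() {
    openssl x509 -in "$1" -noout -hash
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo, i.e. the key itself.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when both certificates carry the same public key.
same_key() {
    [ "$(spki_sha256 "$1")" = "$(spki_sha256 "$2")" ]
}

# Constructed input: two self-signed certificates with an identical subject
# but independently generated RSA keys, written to directory $1.
make_constructed_pair() {
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed.example" \
            -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null || return 1
    done
}

# Prints both values per certificate; returns 0 when the subject hashes
# match while the public keys differ.
demo() {
    dir=$(mktemp -d) || return 1
    make_constructed_pair "$dir" || { rm -rf "$dir"; return 1; }
    for n in a b; do
        echo "$n: subject_hash=$(subject_hash "$dir/$n.pem") spki=$(spki_sha256 "$dir/$n.pem")"
    done
    [ "$(subject_hash "$dir/a.pem")" = "$(subject_hash "$dir/b.pem")" ] &&
        ! same_key "$dir/a.pem" "$dir/b.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "same subject hash, different key"
```

To use it on a live connection, save the certificate printed by the `openssl s_client` command from post #9 to a file and pass it to `same_key` together with a known-good copy of the expected certificate.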


#14

Dosarrest support responded:

“The log file you have provided was from March 16th. I have gone through
the logs and found that this IP did access an IP under our service
related to domain registration. It is likely that part of the process
encountered a domain that had expired and was registered through that
client's service. I do not see any blocking action related to this
request since the events on the 16th reaching our service.”


#15

My IP 88.200.167.9 is also banned on their contacts page: https://www.dosarrest.com/contact-sales/
And I do not know why. I am trying to get the answer from their support.

UPD:
“Currently this page does not allow IPs from Russia. The block is a Geo-IP based block, not a specific ACL block. Please feel free to forward any questions through support@dosarrest.com as we will be able to work with you on any network related issues faster through this contact.”


#16

Can DOSarrest tell you what domain or URL was being accessed?

Perhaps one of the acme.sh DNS plugins, or a second instance of acme.sh doing something entirely different, ran at the same time, and made requests to some other service? And this isn’t about https://acme-v02.api.letsencrypt.org/ at all?

I don’t think any of acme.sh’s main DNS plugin API endpoints use DOSarrest, but I could be wrong, and I didn’t check the Lexicon plugins, and it could be something custom.

(Edit: Spelling issue.)


#17

Your reply was forwarded to the DOSarrest support.


#18

…Did you quote the part where I capitalized their name wrong? :zipper_mouth_face:


#19

I think they will understand because I am telling the whole story to them providing the screenshot and the url to this page.


#20