Alpine Linux, Nginx - Timeout during connect (likely firewall problem)

And on Ubuntu I did sudo apt install traceroute to install traceroute.

$ traceroute -V
Modern traceroute for Linux, version 2.1.0
Copyright (c) 2016  Dmitry Butskoy,   License: GPL v2 or any later

1 Like

traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  23-94-3-65-host.colocrossing.com (23.94.3.65)  1.176 ms  1.224 ms  1.166 ms
 2  10.2.2.33 (10.2.2.33)  0.289 ms  0.490 ms  0.390 ms
 3  dls-b1-link.ip.twelve99.net (62.115.144.112)  0.496 ms  0.482 ms dls-b1-link.ip.twelve99.net (62.115.146.152)  0.452 ms
 4  dls-b23-link.ip.twelve99.net (62.115.113.84)  1.062 ms  1.066 ms  1.035 ms
 5  cloudflare-svc085585-ic375749.ip.twelve99-cust.net (80.239.132.247)  16.224 ms  12.483 ms  16.195 ms
 6  172.71.172.4 (172.71.172.4)  1.299 ms 141.101.74.100 (141.101.74.100)  2.232 ms 141.101.74.102 (141.101.74.102)  2.102 ms
 7  172.65.32.248 (172.65.32.248)  1.134 ms  1.330 ms  1.135 ms

Normal user > tmux > su doesn't work it seems, you have to really login as root. Interesting.

1 Like

That shows us that you can successfully connect out to acme-v02.api.letsencrypt.org. So the only thing left is that a Let's Encrypt, likely the primary would be my guess, that isn't connecting back to you.

At this point kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

1 Like

Well, we already knew that Bruce because certbot was able to make the request :slight_smile:

4 Likes

I have two A records, one is catona.cloud and the other is the wildcard *.catona.cloud. This couldn't possibly be the problem, right? I think certbot can't issue for wildcards but I'm only trying to issue to catona.cloud and www.catona.cloud.

I will open a ticket with the provider.

@miu When you talk with your provider you can tell them the request that is lost came from / through Cloudflare's Magic Transit

4 Likes

yes, you could use a DNS challenge to work around the problem you are having with the HTTP challenge. And, certbot does support that.

4 Likes

Also Let's Encrypt isn't the only choice for Free ACME Certificates.

3 Likes

Racknerd says they don't have any kind of firewall or DDoS protection (it's a cheap server, I would be surprised if they did).
I'm going to try ZeroSSL with certbot, let's see if it works or if we can narrow this down.

1 Like

That is not part of the problem.

4 Likes

ZeroSSL's free tier only allows for a very limited number of domains and no wildcards. Using acme.sh didn't solve the problem either.

I ended up using the DNS challenge, which has the added benefit of supporting wildcards.

I wrote a short tutorial on how to do it: Let's Encrypt Wildcard Domains with DNS Challenge and Alpine Linux | Meow464's Blog

5 Likes

Using ACME, even ZeroSSL should have many hosts per cert and wildcards. Unless they recently changed their policy, they have had some performance issues I believe..

Edit: Their own ACME documentation still says:

By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates and wildcards.

But using acme-dns to automate the DNS challenge is a very good solution too, so that's fine too :slight_smile:

4 Likes
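Since the thread settles on the DNS-01 challenge (plain certbot, acme.sh, or acme-dns all publish the same record), here is an added example, not code from any poster or from certbot, that shows what actually goes into the `_acme-challenge` TXT record. It follows RFC 8555 section 8.4 and RFC 7638: the key authorization is `token.thumbprint(accountJWK)`, and the TXT value is the unpadded base64url SHA-256 of that string, not the raw token. The JWK, token and domain below are constructed placeholders, not a real account key. It also includes a check you can run against what your DNS provider is actually serving before asking the CA to validate, and it handles the wildcard case where `*.example.com` and `example.com` both validate at the same record name.

```python
import base64
import hashlib
import hmac
import json

# Members RFC 7638 includes in a JWK thumbprint, per key type. Everything
# else (kid, alg, use, private parts) is deliberately excluded.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed sample inputs (placeholder values, not a real key or token).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    subset = {m: jwk[m] for m in members}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Name the TXT record is published under. A wildcard identifier drops its
    '*.' prefix, so *.example.com and example.com share _acme-challenge.example.com."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}."


def verify_txt_value(token: str, jwk: dict, published: str) -> bool:
    """Check a value seen in DNS (e.g. from `dig TXT _acme-challenge.example.com`)
    against what the CA will expect; constant-time compare as a matter of habit."""
    return hmac.compare_digest(dns01_txt_value(token, jwk), published)


def demo(identifier: str = "*.example.com") -> dict:
    """Return the record a client would publish for the constructed sample."""
    return {
        "name": dns01_record_name(identifier),
        "type": "TXT",
        "value": dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The practical point for the thread: because the TXT value is bound to the account key's thumbprint, a record copied from a different ACME account (or the bare token) will never validate, and `verify_txt_value` is the quick local check that what your provider is serving matches what your client computed.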

Using ACME, even ZeroSSL should have many hosts per cert and wildcards. Unless they recently changed their policy, they have had some performance issues I believe..

Thanks for letting me know, I tried to use the web UI and they asked for a premium account to add more domains. Just assumed it was their policy.

3 Likes

Nope, those are separate entities, the web interface and the ACME endpoint, with separate limitations. E.g., with their web interface, you can issue certs for IP addresses (IPv4 only, for some reason IPv6 doesn't work when validating on their end...), but not using ACME.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.