API connection issues

We are a small hosting provider and we have some issues with connection to acme-v02.api.letsencrypt.org (172.65.32.248). Our hosting server has several ISP uplinks, but we cannot get a certificate using one of them (masterhost.ru):

$ LANG=C wget https://acme-v02.api.letsencrypt.org/directory --timeout 10 -4
--2021-03-09 09:32:43-- https://acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 172.65.32.248
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443... failed: Connection timed out.

It is possible to switch the route to another one (excepto.ru) and then it does work:
$ LANG=C wget https://acme-v02.api.letsencrypt.org/directory --timeout 10 -4
--2021-03-09 09:33:22-- https://acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 172.65.32.248
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 658 [application/json]
Saving to: `directory.1'

The strange thing is that the same symptoms are seen on another server of ours, which was never used for SSL retrieval:
$ LANG=C wget https://acme-v02.api.letsencrypt.org/directory -4 --timeout 10
--2021-03-09 09:44:52-- https://acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 172.65.32.248
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443... failed: Connection timed out.

Is it possible that the entire masterhost.ru subnet (87.242.72.0 - 87.242.79.255) is firewalled somewhere?
If yes, how can we "unsuspend" our IPs to be able to get SSL via this ISP?

We don't seem to be blocking that IP range, so some other kind of connectivity issue is likely here.

Perhaps you could tell us who to contact then? Should we poke our ISP or Cloudflare (traceroute stops there)?

$ traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 msk-ar-9-vl110.masterhost.ru (217.16.18.3) 14.763 ms 14.841 ms 14.909 ms
2 90.156.231.57 (90.156.231.57) 14.863 ms 15.147 ms 15.160 ms
3 217.16.29.63 (217.16.29.63) 16.322 ms 21.755 ms 22.058 ms
4 ae12-627.RT1.M9.MSK.RU.retn.net (87.245.255.142) 21.896 ms 21.971 ms 21.973 ms
5 GW-CloudFlare.retn.net (87.245.255.223) 22.086 ms 21.929 ms 21.999 ms
6 * * *

Your ISP (masterhost) is probably the next place to follow up. Cloudflare doesn't tend to firewall off IP space; I think it's more likely that the return packets from Cloudflare's network are getting dropped somewhere along the way back to you. If they don't find anything, then please let us know.
