Banned ip 190.2.140.6? I've been managing 15 servers under directadmin, 5 VPS like this one where it is no longer possible to update Let's Encrypt on several domains, thanks

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://kalsaartdistrict.com/

I ran this command: upgrading throught directadmin webpanel

It produced this output: No domains pointing to this server to generate the certificate for.

My web server is (include version): openlitespeed 1.7.14

The operating system my web server runs on is (include version): Ubuntu 20.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): directadmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @Webmart and welcome to the LE community forum :slight_smile:

While we wait for IP ban status (@lestaff), let's have a look at these outputs:
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
curl -I https://acme-v02.api.letsencrypt.org/directory
curl -6 ifconfig.co
certbot --version

2 Likes

Thanks for your reply, here are the SSH responses:

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)

Certificate chain
0 s:CN = acme-v02.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

Server certificate
-----BEGIN CERTIFICATE-----
DONE

curl -I https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200
server: nginx
date: Tue, 14 Dec 2021 14:22:11 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0002LBHlU8c0F_dS8M_JgtHg4_dG2mEeU2LWMS15Wlk3cjo
x-frame-options: DENY
strict-transport-security: max-age=604800

curl -6 ipconfig.co
curl: (7) Couldn't connect to server

curl -6 ipconfig.co
curl: (7) Couldn't connect to server
root@totoro:~# certbot --version

Command 'certbot' not found, but can be installed with:

apt install certbot (I'm using the Directadmin script on all the other working VPS/dedicated servers)
Thanks

Well... it all looks like I expected except I thought it was using certbot which it isn't.
But that means (since you can reach the /directory) that your IP is probably NOT being blocked.

So... what could be the problem?
I think it might have to do with the ACME client OR something in the O/S [like: curl].
Then let's check on those:

  • Which ACME client does it use?
    [maybe something like auto-ssl]
  • What version of curl does it have?
    curl --version
  • and while we're there...
    apt install ca-certificates
    [show that output]
1 Like

Sorry... that should have been:
curl -6 ifconfig.co

[thanks @MikeMcQ :heart:]

I didn't notice because I expected it to fail [for other reason]

1 Like

root@totoro:~# curl --version
curl 7.80.0 (x86_64-pc-linux-gnu) libcurl/7.80.0 OpenSSL/1.1.1f zlib/1.2.11 zstd/1.4.4 nghttp2/1.40.0
Release-Date: 2021-11-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets zstd

root@totoro:~# apt install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20210119~20.04.2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Directadmin may use LEGO

1 Like

root@totoro:~# curl -6 ifconfig.co
curl: (7) Couldn't connect to server
root@totoro:~#

1 Like

Well, so far it all looks good.
The problem must be within the LEGO implementation of (whatever) ACME client.

Is there any update to directadmin ?

1 Like

Other people are reporting the same issue with Ubuntu 20; on my other VPS I have the same server configuration with no issue.
Thanks!
Also, everything was updated to the latest version.

1 Like

Are you sure your IPv6 is working?

The Let's Encrypt server will favor IPv6 if you have DNS set and you do:

nslookup kalsaartdistrict.com

Non-authoritative answer:
Name:   kalsaartdistrict.com
Address: 190.2.140.6
Name:   kalsaartdistrict.com
Address: 2a00:7c80:0:128::1

But, your curl -6 ifconfig.co could not reach that site and it should if IPv6 were working well.

Try curl -4 ifconfig.co to confirm you can reach that site at all. It is just a simple site that returns the public IP of requester which should match your DNS.

2 Likes

Too funny! Those IPs aren't even on the same continent.
[I suppose the AAAA address is just old information that got overlooked during their last HSP change]

2 Likes

Something surely wrong with their IPv6 but my fave geo db says they are both in Netherlands fwiw.

1 Like

hmm...
ARIN says the IPv4 belongs to LACNIC.
LACNIC says it was "reallocated".
I read that as "SOLD to the highest bidder!"
LOL

But you are correct.

2 Likes

https://ip6.nl/#!kalsaartdistrict.com

The IPv6 address is working too. I've also tried both changing the nameserver service (only for this domain; it is now Cloudflare without any proxy) and removing IPv6 on the VPS. Nothing helped.

Maybe within your region, but it fails from my end:

curl -v kalsaartdistrict.com
* Rebuilt URL to: kalsaartdistrict.com/
*   Trying 2a00:7c80:0:128::1...
* TCP_NODELAY set
* Connected to kalsaartdistrict.com (2a00:7c80:0:128::1) port 80 (#0)
> GET / HTTP/1.1
> Host: kalsaartdistrict.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
1 Like

HTTPS via IPv6 does work:

curl -Ii https://kalsaartdistrict.com/
HTTP/2 200
etag: "1e8e-60eee67e-5c050d;;;"
last-modified: Wed, 14 Jul 2021 13:28:30 GMT
content-type: text/html
content-length: 7822
accept-ranges: bytes
date: Tue, 14 Dec 2021 19:32:07 GMT
server: LiteSpeed
strict-transport-security: max-age=15552000
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

So it is not likely a routing issue.
More likely a web server configuration issue.

1 Like

I cannot reach your site with IPv6 (neither http nor https) (US based). Both time out.

curl -6 http://kalsaartdistrict.com
curl -6 https://kalsaartdistrict.com
curl: (28) Failed to connect to kalsaartdistrict.com port 443: Connection timed out

And, your earlier attempt to use IPv6 with curl to reach ifconfig.co failed. So, IPv6 outbound does not seem to work.

Can you try these again?

curl -4 ifconfig.co
curl -6 ifconfig.co

Do those IP match the DNS?

2 Likes

Please show:
ifconfig | grep -Ei 'add|inet'

And a follow-up question:
[if the output is as I expect]

How do the IPv6 requests reach your IPv4 only system?
[there must be some IPv6toIPv4 NAT device in line]

2 Likes

root@totoro:~# ifconfig | grep -Ei 'add|inet'
inet 190.2.140.6 netmask 255.255.255.0 broadcast 190.2.140.255
inet6 fe80::7c7a:78ff:fe20:b9e2 prefixlen 64 scopeid 0x20
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
root@totoro:~#

OK it is capable of IPv6, but has no routable IPv6 address.

Maybe my eyes deceived me...
Now I'm not sure IPv6 ever reached your site (neither by HTTP nor HTTPS).

2 Likes
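The check the replies above carry out by hand (compare what DNS publishes for the domain with what is actually bound on the host, and flag an AAAA record the host cannot serve before the validation server prefers it), as an added example that is not part of this thread. The DNS and interface values are constructed sample data taken from the outputs quoted above; `live_records` is an optional helper that needs network access.

```python
import ipaddress
import socket

# Constructed sample data mirroring the thread: DNS publishes an A and an AAAA
# record, but the host only holds a global IPv4 address plus link-local IPv6.
SAMPLE_DNS = {
    "kalsaartdistrict.com": ["190.2.140.6", "2a00:7c80:0:128::1"],
}
SAMPLE_HOST_ADDRS = ["190.2.140.6", "fe80::7c7a:78ff:fe20:b9e2", "127.0.0.1", "::1"]


def global_addresses(addrs):
    """Keep only addresses an external validator could reach.
    Loopback (127.0.0.1, ::1) and link-local (fe80::/10) are dropped."""
    return {ipaddress.ip_address(a) for a in addrs
            if ipaddress.ip_address(a).is_global}


def check_records(domain, dns_records, host_addrs):
    """Map each published record to 'bound' (host holds it) or 'stale'
    (nothing on this host answers there, so that family will fail)."""
    bound = global_addresses(host_addrs)
    return {rec: ("bound" if ipaddress.ip_address(rec) in bound else "stale")
            for rec in dns_records.get(domain, [])}


def stale_aaaa(domain, dns_records, host_addrs):
    """AAAA records the host cannot serve: the ones a validator that prefers
    IPv6 will try first and fail on."""
    states = check_records(domain, dns_records, host_addrs)
    return sorted(rec for rec, state in states.items()
                  if state == "stale" and ipaddress.ip_address(rec).version == 6)


def live_records(domain):
    """Optional live lookup (needs network): current A/AAAA answers for domain."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(domain, None)})


if __name__ == "__main__":
    dom = "kalsaartdistrict.com"
    for rec, state in check_records(dom, SAMPLE_DNS, SAMPLE_HOST_ADDRS).items():
        print(f"{rec:<24} {state}")
    print("stale AAAA:", stale_aaaa(dom, SAMPLE_DNS, SAMPLE_HOST_ADDRS))
```

A non-empty `stale_aaaa` result is the condition seen in this thread: either remove the AAAA record or give the host that address before retrying issuance.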