Blocked by cloudflare?

Hi,

As you can see in this traceroute log, I cannot reach acme-v02.api.letsencrypt.org. Is Cloudflare blocking me? What can I do?

traceroute acme-v02.api.letsencrypt.org 2
traceroute to ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248), 64 hops max, 42 byte packets
 1  192.168.0.1 (192.168.0.1)  0.826 ms  0.987 ms  3.097 ms
 2  10.36.192.1 (10.36.192.1)  18.363 ms  12.764 ms  8.192 ms
 3  185.252.245.213.rev.sfr.net (213.245.252.185)  12.096 ms  7.078 ms  8.178 ms
 4  253.237.154.77.rev.sfr.net (77.154.237.253)  13.729 ms 1.238.154.77.rev.sfr.net (77.154.238.1)  8.066 ms 253.237.154.77.rev.sfr.net (77.154.237.253)  13.122 ms
 5  129.10.136.77.rev.sfr.net (77.136.10.129)  22.778 ms  21.042 ms  25.949 ms
 6  129.10.136.77.rev.sfr.net (77.136.10.129)  21.701 ms  20.975 ms  32.161 ms
 7  equinix-paris.cloudflare.com (195.42.144.143)  21.326 ms  22.789 ms  22.199 ms
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *

My domain is:
slaanesh.org

I ran this command:
doas acme-client -v slaanesh.org

It produced this output:

doas (killruana@harvest.slaanesh.org) password: 
acme-client: /etc/ssl/slaanesh.org.fullchain.pem: certificate renewable: 26 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: 172.65.32.248: connect: Operation timed out
acme-client: https://acme-v02.api.letsencrypt.org/directory: bad comm
acme-client: bad exit: netproc(86263): 1

My web server is (include version):
nginx 1.18.0

The operating system my web server runs on is (include version):
OpenBSD 6.9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): "6.9"


When using traceroutes without any other options, I too am getting those timeouts from a certain hop. However, if I run the traceroute using TCP packets with port 443 as destination, I'm getting a perfectly fine traceroute:

osiris@erazer ~ $ sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  4.244 ms  4.226 ms  4.222 ms
 2  xxx.xs4all.net (x.x.x.x)  13.488 ms  13.483 ms  13.478 ms
 3  xxx.xs4all.net (x.x.x.x)  15.814 ms  15.810 ms xxx.xs4all.net (x.x.x.x)  15.807 ms
 4  0.et-1-1-0.xr1.sara.xs4all.net (194.109.5.1)  15.803 ms 0.et-1-1-0.xr1.tc2.xs4all.net (194.109.5.7)  17.188 ms 0.et-7-1-0.xr1.sara.xs4all.net (194.109.5.3)  17.184 ms
 5  ams-ix.as13335.net (80.249.211.140)  20.330 ms  28.057 ms  21.453 ms
 6  172.65.32.248 (172.65.32.248)  20.314 ms  12.885 ms  14.616 ms
osiris@erazer ~ $ 

I suggest you try that traceroute too, which might be more insightful.

$  sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  12.277 ms  12.247 ms  12.240 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
$
$ sudo traceroute -T -p 443 letsencrypt.org
traceroute to letsencrypt.org (18.159.128.50), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  14.501 ms  14.463 ms  14.453 ms
 2  10.36.192.1 (10.36.192.1)  37.511 ms  37.503 ms  37.495 ms
 3  185.252.245.213.rev.sfr.net (213.245.252.185)  42.495 ms  42.487 ms  42.468 ms
 4  1.238.154.77.rev.sfr.net (77.154.238.1)  43.462 ms 253.237.154.77.rev.sfr.net (77.154.237.253)  55.649 ms *
 5  * * *
 6  101.216.129.77.rev.sfr.net (77.129.216.101)  66.194 ms  53.350 ms  55.218 ms
 7  99.83.65.104 (99.83.65.104)  55.156 ms  25.994 ms  29.036 ms
 8  52.46.95.100 (52.46.95.100)  29.914 ms 52.46.95.92 (52.46.95.92)  61.599 ms 52.46.95.100 (52.46.95.100)  61.569 ms
 9  52.93.16.97 (52.93.16.97)  61.556 ms  61.549 ms 52.93.16.29 (52.93.16.29)  61.543 ms
10  * * *
11  52.93.134.137 (52.93.134.137)  61.505 ms 52.93.135.7 (52.93.135.7)  61.478 ms *
12  * * *
13  52.93.130.225 (52.93.130.225)  66.012 ms * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * ec2-18-159-128-50.eu-central-1.compute.amazonaws.com (18.159.128.50)  38.128 ms  37.696 ms

This suggests the blocking is somewhere very close to your own internet access point, maybe even your own router or internet service provider?

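Added example (not part of any post in this thread): a small Python helper that reads traceroute output like the runs above and reports the last hop that replied and whether the destination itself answered, which is the comparison the replies make by eye. The function names `summarize` and `verdict` are hypothetical, and the sample runs are abridged from the outputs posted above.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")             # "<hop number>  <rest of line>"
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(a.b.c.d)" as printed by traceroute

# Sample input: abridged from the traceroute outputs posted in this thread.
UDP_RUN = """\
traceroute to ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248), 64 hops max, 42 byte packets
 1  192.168.0.1 (192.168.0.1)  0.826 ms  0.987 ms  3.097 ms
 7  equinix-paris.cloudflare.com (195.42.144.143)  21.326 ms  22.789 ms  22.199 ms
 8  * * *
"""
TCP_RUN_BLOCKED = """\
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  12.277 ms  12.247 ms  12.240 ms
 2  * * *
 3  * * *
"""
TCP_RUN_OK = """\
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  4.244 ms  4.226 ms  4.222 ms
 5  ams-ix.as13335.net (80.249.211.140)  20.330 ms  28.057 ms  21.453 ms
 6  172.65.32.248 (172.65.32.248)  20.314 ms  12.885 ms  14.616 ms
"""

def summarize(output):
    """Return (destination_ip, last_responding_hop, destination_reached)."""
    dest, last_hop, reached = None, 0, False
    for line in output.splitlines():
        if line.startswith("traceroute to"):
            m = IP_RE.search(line)
            dest = m.group(1) if m else None
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # prompts, blank lines, anything that is not a hop line
        ips = IP_RE.findall(m.group(2))
        if ips:  # at least one probe got a reply; "* * *" lines carry no address
            last_hop = int(m.group(1))
            reached = reached or dest in ips
    return dest, last_hop, reached

def verdict(output):
    dest, last_hop, reached = summarize(output)
    if reached:
        return f"{dest} answered at hop {last_hop}"
    if last_hop <= 1:
        return f"no replies past hop {last_hop}: check the local router or ISP first"
    return f"replies stop after hop {last_hop}; {dest} never answered"

if __name__ == "__main__":
    for name, run in (("udp", UDP_RUN), ("tcp/443 blocked", TCP_RUN_BLOCKED), ("tcp/443 ok", TCP_RUN_OK)):
        print(f"{name}: {verdict(run)}")
```
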