Blocked? Curl returned with 35! Same problem

Egor · January 26, 2023, 9:10am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: b24.vplab.ru

I ran this command: create LE certificate from Bitrix

It produced this output:

"non-zero return code", "rc": 1, "start": "2023-01-25 14:33:52.234902", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}fatal: [da2171.timeweb.ru]: FAILED! => {"changed": true, "cmd": "/home/bitrix/dehydrated/dehydrated -c --force > /home/bitrix/dehydrated_update.log 2>&1", "delta": "0:00:33.402226", "end": "2023-01-25 14:34:25.637128", "msg": "non-zero return code", "rc": 1, "start": "2023-01-25 14:33:52.234902", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

My web server is (include version): Bitrix Env (Apache+Ansible)

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: Selectel

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Bitrix Env

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): dehydrated

[root@da2171 ~]# traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  srvnoadm.tmweb.ru (92.53.107.9)  0.852 ms  0.797 ms  0.744 ms
 2  spb-cv1-asbr-r2.timeweb.ru (94.228.119.200)  0.992 ms spb-cv1-asbr-r1.timeweb.ru (94.228.119.194)  0.516 ms  0.718 ms
 3  ae0-3002.rt2.spb.cloud-ix.net (31.28.18.102)  2.873 ms  2.857 ms  3.059 ms
 4  * * *
 5  * * *
...
29  * * *
30  * * *

rg305 · January 26, 2023, 10:01am

Hi @Egor, and welcome to the LE community forum

What's that about?

Try:
traceroute -T -p 443 acme-v02.api.letsencrypt.org
curl -4Ii https://acme-v02.api.letsencrypt.org/

Egor · January 26, 2023, 11:04am

[root@da2171 ~]# traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  srvnoadm.tmweb.ru (92.53.107.9)  0.709 ms  0.653 ms  0.843 ms
 2  spb-cv1-asbr-r1.timeweb.ru (94.228.119.194)  0.580 ms  0.581 ms  0.756 ms
 3  ae0-3002.rt2.spb.cloud-ix.net (31.28.18.102)  3.580 ms  3.578 ms  3.793 ms
 4  * * *
 5  * * de-cix-frankfurt.as13335.net (80.81.194.180)  43.883 ms
 6  162.158.84.53 (162.158.84.53)  46.363 ms  45.919 ms 172.70.248.3 (172.70.248.3)  38.134 ms
 7  172.65.32.248 (172.65.32.248)  35.172 ms  38.235 ms  35.082 ms

[root@da2171 ~]# curl -4Ii https://acme-v02.api.letsencrypt.org/
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Jan 2023 11:02:46 GMT
Content-Type: text/html
Content-Length: 1540
Last-Modified: Thu, 23 Jun 2022 21:25:45 GMT
Connection: keep-alive
ETag: "62b4da59-604"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

rg305 · January 26, 2023, 4:39pm

Well, that answers your blocked question.
Your IP is not being blocked.

What does this name (below) have to with your domain?

Bruce5051 · January 26, 2023, 5:01pm

Let's Debug for the HTTP-01 Challenge is showing AAAANotWorking ERROR and IssueFromLetsEncrypt ERROR

b24.vplab.ru has an AAAA (IPv6) record (2a03:6f01:1:7f99::2) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.

A test authorization for b24.vplab.ru to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

This online tool https://unboundtest.com/ results for A and AAAA records; both exist.
https://unboundtest.com/m/A/b24.vplab.ru/JBWEET2W
https://unboundtest.com/m/AAAA/b24.vplab.ru/TIXAFEXD

Best Practice - Keep Port 80 Open

Egor · January 27, 2023, 6:22am

No, its gateway of my VDS

My domain is

my ip is: 94.228.127.153

rg305 · January 27, 2023, 6:30am

I don't understand why it shows up in the error message.

Egor · January 27, 2023, 6:49am

I decided to delete the AAAA record. I'll take a look. will it help...

Bruce5051 · January 27, 2023, 3:12pm

I would say YES!
There was a certificate issued on 2023-01-27, list of issued certificates crt.sh | b24.vplab.ru
Let's Debug is returning OK for the HTTP-01 Challenge https://letsdebug.net/b24.vplab.ru/1351946
SSL Server Test: b24.vplab.ru (Powered by Qualys SSL Labs) is showing an A with the certificate issued on 2023-01-27.

Egor · January 28, 2023, 5:34am

I decided to delete the AAAA record.
and will it help!
THX for all

system · February 27, 2023, 5:35am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.