Can my IP is blocked?

Hello!

When I try to issue a certificate, I get the following error:

[Tue Jun  9 05:01:25 AM EDT 2026] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Tue Jun  9 05:01:25 AM EDT 2026] Here is the curl dump log:
[Tue Jun  9 05:01:25 AM EDT 2026] == Info: Host acme-v02.api.letsencrypt.org:443 was resolved.
== Info: IPv6: (none)
== Info: IPv4: 172.65.32.248
== Info:   Trying 172.65.32.248:443...
== Info: connect to 172.65.32.248 port 443 from 192.168.151.231 port 33220 failed: Connection timed out
== Info: Failed to connect to acme-v02.api.letsencrypt.org port 443 after 133656 ms: Could not connect to server
== Info: closing connection #0

My ip: 5.189.243.153

ping -c 10 acme-v02.api.letsencrypt.org

PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.

--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9195ms

nslookup acme-v02.api.letsencrypt.org

Server:		192.168.151.8
Address:	192.168.151.8#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org	canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org	canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name:	ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name:	ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c

curl -Ii https://acme-v02.api.letsencrypt.org/

HTTP/2 200 
server: nginx
date: Tue, 09 Jun 2026 08:53:20 GMT
content-type: text/html
content-length: 1448
last-modified: Wed, 28 May 2025 16:28:47 GMT
etag: "683739bf-5a8"
x-frame-options: DENY
strict-transport-security: max-age=604800

traceroute -T -p 443 acme-v02.api.letsencrypt.org

traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  192.168.151.6 (192.168.151.6)  1.477 ms  3.271 ms  3.345 ms
 2  97.199.189.5.rightside.ru (5.189.199.97)  7.741 ms  7.576 ms  7.524 ms
 3  172.29.129.202 (172.29.129.202)  3.107 ms  3.156 ms  3.226 ms
 4  27.197.82.185.maxima.best (185.82.197.27)  3.292 ms  1.553 ms  1.450 ms
 5  * * *
 6  * * *
 7  162.158.84.190 (162.158.84.190)  89.061 ms  88.892 ms 178.176.142.187 (178.176.142.187)  111.317 ms
 8  * 162.158.84.79 (162.158.84.79)  88.946 ms  88.123 ms
 9  * 162.158.84.251 (162.158.84.251)  88.511 ms *
10  172.65.32.248 (172.65.32.248)  88.998 ms  88.913 ms *

Please help me =)

Can you be a lot more specific about how you're trying to issue a certificate? The exact version of the exact program you're using, and the complete command line you're running?

Well, that looks like that system can't connect. This wouldn't be a block on Let's Encrypt's side, but a problem with routing or a firewall.

But that direct curl command looks like it can connect. That makes me think that the system you ran that test command on is a different system than the one you're trying to get a certificate from, or at least has a different networking configuration. (Maybe a proxy configuration, maybe some sort of container setup, etc.)

It's hard to give more specific advice, but it looks like whatever system is trying to get a certificate doesn't actually have Internet access. Can it connect to other servers?

./acme.sh --issue --dns dns_selectel -d sdesk.my.dom --server letsencrypt --debug 2

i can ping another ip from this pool:

ping 172.65.32.249
PING 172.65.32.249 (172.65.32.249) 56(84) bytes of data.
64 bytes from 172.65.32.249: icmp_seq=1 ttl=55 time=89.0 ms
64 bytes from 172.65.32.249: icmp_seq=2 ttl=55 time=88.8 ms
64 bytes from 172.65.32.249: icmp_seq=3 ttl=55 time=89.0 ms
^C
--- 172.65.32.249 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 88.814/88.938/89.033/0.091 ms
ping google.com
PING google.com (142.251.142.238) 56(84) bytes of data.
64 bytes from lcarnb-ah-in-f14.1e100.net (142.251.142.238): icmp_seq=1 ttl=116 time=75.9 ms
64 bytes from lcarnb-ah-in-f14.1e100.net (142.251.142.238): icmp_seq=2 ttl=116 time=75.7 ms
64 bytes from lcarnb-ah-in-f14.1e100.net (142.251.142.238): icmp_seq=3 ttl=116 time=75.5 ms
64 bytes from lcarnb-ah-in-f14.1e100.net (142.251.142.238): icmp_seq=4 ttl=116 time=76.0 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 75.476/75.743/75.983/0.193 ms

version of acme.sh programm:

./acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.1.4

Would you show result of this?

curl https://acme-v02.api.letsencrypt.org/directory

This is the actual directory endpoint and uses GET rather than HEAD request like you used earlier

curl https://acme-v02.api.letsencrypt.org/directory

curl: (28) Failed to connect to acme-v02.api.letsencrypt.org port 443 after 134001 ms: Could not connect to server

curl https://acme-v02.api.letsencrypt.org

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Boulder: The Let's Encrypt CA</title>

  <style type="text/css">
    header { display: flex; max-height: 30vh; flex-wrap: wrap; margin-bottom: 10vh; }
    header img { display: flex; max-height: 20vh; align-content: flex-end; margin-right: 20px; }
  </style>
</head>

<body>
  <header>
    <section>
      <img src="/static/images/LE-Logo-LockOnly.svg"/>
    </section>
    <section>
      <h1>Boulder<br>
      <small>The Let's Encrypt CA</small></h1>
    </section>
  </header>

  <section>
    <p>This is an <a href="https://tools.ietf.org/html/rfc8555">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</p>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/docs"><tt>https://letsencrypt.org/docs</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v02.api.letsencrypt.org/directory"><tt>https://acme-v02.api.letsencrypt.org/directory</tt></a>.</p>
  </section>

  <footer>
      <p>
        <a href="https://letsencrypt.status.io" title="Status">Service Status (letsencrypt.status.io)</a> |
      </p>
  </footer>

</body>
</html>

Well, that's interesting. It looks like there's some system between yours and Let's Encrypt's which is specifically trying to block the API directory endpoint‽

Can you try some of these, to get the full verbose output:

curl -v https://acme-v02.api.letsencrypt.org
curl -v https://acme-v02.api.letsencrypt.org/directory
curl -v https://valid.x1.test-certs.letsencrypt.org/
curl -v https://acme-v02.api.letsencrypt.org/acme/renewal-info/Hy81vkYUgs1Asa55LFV4-vfUaPs.Bn-YENv9T4bV5FfcfT9XGXsO

Just trying to see what exactly is and isn't blocked, and if the certificate being returned indicates something being intercepted.

I have a suspicion that this is DPI working on one of the backbone providers.

curl -v https://acme-v02.api.letsencrypt.org
* Host acme-v02.api.letsencrypt.org:443 was resolved.
* IPv6: (none)
* IPv4: 172.65.32.248
*   Trying 172.65.32.248:443...
* connect to 172.65.32.248 port 443 from 192.168.151.231 port 55402 failed: Connection timed out
* Failed to connect to acme-v02.api.letsencrypt.org port 443 after 134661 ms: Could not connect to server
* closing connection #0
curl: (28) Failed to connect to acme-v02.api.letsencrypt.org port 443 after 134661 ms: Could not connect to server

curl -v https://acme-v02.api.letsencrypt.org/directory
* Host acme-v02.api.letsencrypt.org:443 was resolved.
* IPv6: (none)
* IPv4: 172.65.32.248
*   Trying 172.65.32.248:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May 30 22:59:32 2026 GMT
*  expire date: Aug 28 22:59:31 2026 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=YE2
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 3: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://acme-v02.api.letsencrypt.org/directory
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: acme-v02.api.letsencrypt.org]
* [HTTP/2] [1] [:path: /directory]
* [HTTP/2] [1] [user-agent: curl/8.14.1]
* [HTTP/2] [1] [accept: */*]
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< server: nginx
< date: Tue, 09 Jun 2026 14:10:38 GMT
< content-type: application/json
< content-length: 1031
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
< 
{
  "bZpJgMIfOu4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived",
      "tlsclient": "https://letsencrypt.org/docs/profiles#tlsclient",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/acme/renewal-info",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

curl -v https://valid.x1.test-certs.letsencrypt.org/
* Host valid.x1.test-certs.letsencrypt.org:443 was resolved.
* IPv6: (none)
* IPv4: 52.24.183.97, 52.34.89.55, 54.189.78.235
*   Trying 52.24.183.97:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: 
*  start date: Jun  8 14:50:51 2026 GMT
*  expire date: Jun 15 06:50:50 2026 GMT
*  subjectAltName: host "valid.x1.test-certs.letsencrypt.org" matched cert's "valid.x1.test-certs.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=YR1
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 3: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to valid.x1.test-certs.letsencrypt.org (52.24.183.97) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://valid.x1.test-certs.letsencrypt.org/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: valid.x1.test-certs.letsencrypt.org]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.14.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: valid.x1.test-certs.letsencrypt.org
> User-Agent: curl/8.14.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 200 
< content-type: text/plain; charset=utf-8
< content-length: 1938
< date: Tue, 09 Jun 2026 14:12:02 GMT
< 
# valid.x1.test-certs.letsencrypt.org

## Test Web Page

This test website, valid.x1.test-certs.letsencrypt.org, is intended for
testing compatibility with Let's Encrypt certificates.

It is using a certificate issued by ISRG Root X1.

The certificate is valid.

## More Information

Find out more about Let's Encrypt at our homepage, https://letsencrypt.org/.

Other test websites and information about our certificate hierarchies is
available on our Chains of Trust documentation page:

https://letsencrypt.org/certificates/               ##
                                                    ##
                                           ##                ##
                                            ##              ##
                                                  ######
                                                ##########
                                       ####    ###      ###    ####
                                               ###      ###
 ###                        ###             ##################
 ###                   ###   ##             ##################
 ###         #####   #######    #####       #######    #######
 ###       ###   ###   ###     ###          ########  ########
 ###       #########   ###      #####       ########  ########
 ###       ###         ###         ###      ##################
 #########  #######     ###     #####       ##################

 #########
 ###                                                           ###
 ###        ### ####     #####  ### ## ###     ### ########  #######
 #########  ####  ###  ###      ####    ###   ###  ###   ###   ###
 ###        ###   ###  ###      ###      ### ###   ###    ###  ###
 ###        ###   ###  ###      ###       #####    ###   ###   ###
 #########  ###   ###    #####  ###        ###     #######      ###
                                          ###      ###
                                        ####       ###
* Connection #0 to host valid.x1.test-certs.letsencrypt.org left intact

curl -v https://acme-v02.api.letsencrypt.org/acme/renewal-info/Hy81vkYUgs1Asa55LFV4-vfUaPs.Bn-YENv9T4bV5FfcfT9XGXsO
* Host acme-v02.api.letsencrypt.org:443 was resolved.
* IPv6: (none)
* IPv4: 172.65.32.248
*   Trying 172.65.32.248:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May 30 18:17:58 2026 GMT
*  expire date: Aug 28 18:17:57 2026 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=YE1
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 3: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://acme-v02.api.letsencrypt.org/acme/renewal-info/Hy81vkYUgs1Asa55LFV4-vfUaPs.Bn-YENv9T4bV5FfcfT9XGXsO
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: acme-v02.api.letsencrypt.org]
* [HTTP/2] [1] [:path: /acme/renewal-info/Hy81vkYUgs1Asa55LFV4-vfUaPs.Bn-YENv9T4bV5FfcfT9XGXsO]
* [HTTP/2] [1] [user-agent: curl/8.14.1]
* [HTTP/2] [1] [accept: */*]
> GET /acme/renewal-info/Hy81vkYUgs1Asa55LFV4-vfUaPs.Bn-YENv9T4bV5FfcfT9XGXsO HTTP/2
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< server: nginx
< date: Tue, 09 Jun 2026 14:13:10 GMT
< content-type: application/json
< content-length: 101
< cache-control: public, max-age=0, no-cache
< link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
< retry-after: 24739
< x-frame-options: DENY
< strict-transport-security: max-age=604800
< 
{
  "suggestedWindow": {
    "start": "2026-06-11T21:44:41Z",
    "end": "2026-06-12T00:55:30Z"
  }
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

Well, that time the directory endpoint worked, and the root API path didn't. That makes me think it may be some connection that's intermittently flaky, rather than intentional blocking. I'm not really sure what to do with that information, though, other than trying several times and hopefully one of them will work.

Some other things you might be able to try include:

  • Seeing if your provider has IPv6 access and getting your server to use it, which may let it use different routes than the IPv4 ones it's currently using.
  • Trying some other Certificate Authorities. There are several out there that support the same ACME protocol, and many of them are also free.

Thank you so much for your help, I'll contact the provider to change the route. Thanks again and have a nice day!