Cannot connect to acme-v02 :(

My domain is: zostrov.com (148.251.236.201)

I ran this command:
curl -I https://acme-v02.api.letsencrypt.org/

It produced this output:
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

I ran this command:
curl -I https://www.whitehouse.gov/

It produced this output:

HTTP/2 200
x-build-back-better: https://usds.gov/
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
content-type: text/html; charset=UTF-8
date: Mon, 01 Feb 2021 19:15:32 GMT
strict-transport-security: max-age=31536000 ; includeSubDomains ; preload

I ran this command:
mtr -s 1000 -r -c 1000 acme-v02.api.letsencrypt.org

It produced this output:
HOST: onedesign Loss% Snt Last Avg Best Wrst StDev

1.|-- 2a01:4f8::a:20:a           0.3%  1000    0.9   0.9   0.5  21.3   1.0
2.|-- core24.fsn1.hetzner.com   35.5%  1000    1.2   7.5   0.8  56.4  10.0
3.|-- core5.fra.hetzner.com      0.2%  1000    9.4   6.8   4.9  48.1   4.4
4.|-- 2a01:4f8:0:3::319          0.0%  1000    5.8   6.8   5.2  46.7   3.7
5.|-- 2400:cb00:71:2:2:4940::    0.0%  1000   20.3   8.7   6.3  53.6   5.1
6.|-- ???                       100.0  1000    0.0   0.0   0.0   0.0   0.0

I ran this command:
traceroute acme-v02.api.letsencrypt.org

It produced this output:

 1  static.81.38.251.148.clients.your-server.de (148.251.38.81)  0.292 ms  0.269 ms  0.251 ms
 2  * * core23.fsn1.hetzner.com (213.239.203.141)  2.369 ms
 3  core0.fra.hetzner.com (213.239.252.37)  4.817 ms * *
 4  core9.fra.hetzner.com (213.239.224.174)  5.561 ms  5.568 ms  5.488 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *

My web server is (include version):
nginx 1.12.2

The operating system my web server runs on is (include version):
Debian 9

My hosting provider, if applicable, is:
Hetzner.de

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
ISPmanager Lite 5 + SSH/FTP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme-tiny

Hetzner Support team says that the problem is in Cloudflare.
I don't use it, so I don't understand what I should do next...

I have another server at Hetzner - everything is OK there.
Looks like the IP is blocked?

1 Like

Hello @onedesign,

Could you please try to access using IPv4 and IPv6?

curl -4I https://acme-v02.api.letsencrypt.org/

curl -6I https://acme-v02.api.letsencrypt.org/

3 Likes
curl -4I https://acme-v02.api.letsencrypt.org/
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

curl -6I https://acme-v02.api.letsencrypt.org/
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

:(

1 Like

Ok, let's do it verbose:

curl -4Iv https://acme-v02.api.letsencrypt.org/

curl -6Iv https://acme-v02.api.letsencrypt.org/

2 Likes

@lestaff, possible API CDN routing issue?

1 Like

Just in case, I've a server with Hetzner (Germany) and I've no problems to reach Let's Encrypt API.

1 Like

Same thing: I've another server with Hetzner and it's OK...
All other sites are reachable (curl, ping, traceroute) from the subject server; only acme-v02 is not...

1 Like
curl -4Iv https://acme-v02.api.letsencrypt.org/

* Trying 172.65.32.248...
* TCP_NODELAY set
* connect to 172.65.32.248 port 443 failed: Connection timed out
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out



curl -6Iv https://acme-v02.api.letsencrypt.org/

* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* connect to 2606:4700:60:0:f53d:5624:85c7:3a2c port 443 failed: Connection timed out
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out
1 Like

Hi, @onedesign,

I just made an experimental change on our end. Please let us know whether or not you're still having trouble connecting now. If you're still having trouble, you may need to involve Hetzner support further (if they're willing to help), and/or it may be time to:

  • check your iptables rules for any egress filtering
  • check all of Hetzner's control panel options for any egress filtering
  • capture your outgoing packets with tcpdump
3 Likes

Hi @onedesign

Are you sure you don't have something that blocks?

That

D:\temp>tracert static.81.38.251.148.clients.your-server.de.

Routenverfolgung zu static.81.38.251.148.clients.your-server.de [148.251.38.81]
über maximal 30 Hops:

1 <1 ms <1 ms <1 ms fritz.box [192.168.0.1]
2 4 ms 4 ms 4 ms p3e9bf075.dip0.t-ipconnect.de [62.155.240.117]
3 * * * Zeitüberschreitung der Anforderung.
4 * * * Zeitüberschreitung der Anforderung.
5 * * * Zeitüberschreitung der Anforderung.
6 * 37 ms 28 ms core24.fsn1.hetzner.com [213.239.252.250]
7 * * * Zeitüberschreitung der Anforderung.
8 * * * Zeitüberschreitung der Anforderung.
9 * * * Zeitüberschreitung der Anforderung.
10 * * * Zeitüberschreitung der Anforderung.
11 * * * Zeitüberschreitung der Anforderung.
12 * * * Zeitüberschreitung der Anforderung.
13 * * * Zeitüberschreitung der Anforderung.
14 * * * Zeitüberschreitung der Anforderung.
15 * * * Zeitüberschreitung der Anforderung.
16 * * * Zeitüberschreitung der Anforderung.
17 * * * Zeitüberschreitung der Anforderung.
18 * * * Zeitüberschreitung der Anforderung.
19 * * * Zeitüberschreitung der Anforderung.
20 * * * Zeitüberschreitung der Anforderung.
21 * * * Zeitüberschreitung der Anforderung.
22 * * * Zeitüberschreitung der Anforderung.
23 * * * Zeitüberschreitung der Anforderung.
24 * * * Zeitüberschreitung der Anforderung.
25 * * * Zeitüberschreitung der Anforderung.
26 * * * Zeitüberschreitung der Anforderung.
27 * * * Zeitüberschreitung der Anforderung.
28 * * * Zeitüberschreitung der Anforderung.
29 * * * Zeitüberschreitung der Anforderung.
30 * * * Zeitüberschreitung der Anforderung.

Ablaufverfolgung beendet.

looks curious.

Normally, I'm able to ping / tracert hetzner servers from my local pc, Berlin / Telekom.

And that's not Cloudflare.

1 Like

Thanks for testing. I'll forward this information to Hetzner support team.

2 Likes

Where did you get this reverse name?

My server's IP is 148.251.236.201
host 148.251.236.201
201.236.251.148.in-addr.arpa domain name pointer static.201.236.251.148.clients.your-server.de.

Please try to trace this.

1 Like

It's from your first output:

Ah, that's a different IP, not your IP.

Yep, that works:

D:\temp>tracert static.201.236.251.148.clients.your-server.de.

Routenverfolgung zu static.201.236.251.148.clients.your-server.de [148.251.236.201]
über maximal 30 Hops:

1 <1 ms <1 ms <1 ms fritz.box [192.168.0.1]
2 14 ms 4 ms 4 ms p3e9bf075.dip0.t-ipconnect.de [62.155.240.117]
3 * * 14 ms n-ea9-i.N.DE.NET.DTAG.DE [62.154.24.222]
4 14 ms 14 ms 14 ms n-ea9-i.N.DE.NET.DTAG.DE [62.154.24.222]
5 16 ms 16 ms 16 ms 62.157.248.138
6 * 25 ms 45 ms core24.fsn1.hetzner.com [213.239.252.250]
7 * 16 ms 16 ms ex9k1.dc11.fsn1.hetzner.com [213.239.203.146]
8 18 ms 18 ms 21 ms static.201.236.251.148.clients.your-server.de [148.251.236.201]

Ablaufverfolgung beendet.

Sorry, false alarm.

But it's curious I can't trace something that is in front of your server.

2 Likes

Maybe the issue is caused by a wrong DNS server configuration?
-----------------%<-----------------

mtr -rc100 172.65.32.248
Start: 2021-02-01T23:53:14+0100
HOST: rescue Loss% Snt Last Avg Best Wrst StDev
  1.|-- static.81.38.251.148.clie 0.0% 100 0.4 0.8 0.3 10.6 1.6
  2.|-- core24.fsn1.hetzner.com 85.0% 100 0.6 0.6 0.3 1.3 0.2
  3.|-- core0.fra.hetzner.com 1.0% 100 5.2 6.4 4.9 41.7 4.2
  4.|-- core9.fra.hetzner.com 0.0% 100 6.2 10.1 5.1 33.5 5.3
  5.|-- 162.158.84.254 0.0% 100 5.9 7.6 5.7 30.5 4.2
  6.|-- 172.65.32.248 0.0% 100 5.3 5.3 5.3 5.5 0.1

nslookup acme-v02.api.letsencrypt.org
Server: 213.133.98.98
Address: 213.133.98.98#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org canonical name =
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c



mtr -6 -rc 50 2606:4700:60:0:f53d:5624:85c7:3a2c
Start: 2021-02-01T23:59:15+0100
HOST: rescue Loss% Snt Last Avg Best Wrst StDev
  1.|-- 2a01:4f8::a:20:a 0.0% 50 0.4 0.5 0.3 1.6 0.3
  2.|-- core23.fsn1.hetzner.com 68.0% 50 4.9 13.4 0.4 46.4 13.0
  3.|-- core5.fra.hetzner.com 0.0% 50 5.0 7.2 4.9 18.2 4.0
  4.|-- 2a01:4f8:0:3::319 0.0% 50 13.5 7.9 5.2 29.1 4.6
  5.|-- 2400:cb00:71:2:2:4940:: 0.0% 50 6.0 7.9 5.8 37.7 5.6
  6.|-- 2606:4700:60:0:f53d:5624: 0.0% 50 5.4 5.3 5.2 5.5 0.1
2 Likes
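An added example, not code posted by anyone in this thread: a small Python parser for the `mtr -r` tables shown above that separates the two patterns they contain. The heavy loss at `core24`/`core23` with every later hop answering is the router rate-limiting its own ICMP replies to probes (transit traffic is unaffected), whereas the `???` row at 100% loss at the end of the first report means nothing past hop 5 answered at all. The sample tables are copied from the thread's own output as constructed test input; the threshold of 20% loss for flagging a rate-limited hop is an assumption of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One row of an `mtr -r` (report mode) table, e.g.
#   "  2.|-- core24.fsn1.hetzner.com   35.5%  1000    1.2   7.5   0.8  56.4  10.0"
# The Loss% column drops its "%" when the value is 100.0, so the sign is optional.
HOP_RE = re.compile(
    r"^\s*(?P<n>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>\d+(?:\.\d+)?)%?\s+(?P<snt>\d+)\b"
)


@dataclass
class Hop:
    number: int
    host: str      # hostname, address, or "???" when nothing answered
    loss: float    # percent of probes that got no reply
    sent: int


def parse_mtr_report(text: str) -> list[Hop]:
    """Extract the hop rows from an `mtr -r` report; header and other lines are ignored."""
    hops: list[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m["n"]), m["host"], float(m["loss"]), int(m["snt"])))
    return hops


def classify(hops: list[Hop], rate_limit_threshold: float = 20.0) -> tuple[str, dict]:
    """Tell ICMP rate limiting apart from a path that stops answering.

    Returns ("reached", detail) when the last row answered and nothing after it
    is dead, or ("unanswered_tail", detail) when the rows at the end of the path
    show 100% loss.  detail["rate_limited"] lists intermediate hops that lost at
    least `rate_limit_threshold` percent but are followed by hops that answered:
    that pattern is a router de-prioritising replies to probes, not packet loss
    on the path.  A silent (100%) hop in the middle of an otherwise answering
    path is simply a router that never replies and is ignored here.
    """
    if not hops:
        return "empty", {}
    answered = [h for h in hops if h.loss < 100.0]
    if not answered:
        return "unanswered_tail", {
            "last_responding": None,
            "first_dead_hop": hops[0].number,
            "rate_limited": [],
        }
    last_ok = answered[-1]
    rate_limited = [
        h.number for h in hops
        if h.number < last_ok.number and rate_limit_threshold <= h.loss < 100.0
    ]
    dead_tail = [h.number for h in hops if h.number > last_ok.number]
    if dead_tail:
        return "unanswered_tail", {
            "last_responding": last_ok.host,
            "first_dead_hop": dead_tail[0],
            "rate_limited": rate_limited,
        }
    return "reached", {"destination": last_ok.host, "rate_limited": rate_limited}


# Constructed test input: the two reports from the thread, verbatim.
SAMPLE_BROKEN = """\
HOST: onedesign Loss% Snt Last Avg Best Wrst StDev
  1.|-- 2a01:4f8::a:20:a           0.3%  1000    0.9   0.9   0.5  21.3   1.0
  2.|-- core24.fsn1.hetzner.com   35.5%  1000    1.2   7.5   0.8  56.4  10.0
  3.|-- core5.fra.hetzner.com      0.2%  1000    9.4   6.8   4.9  48.1   4.4
  4.|-- 2a01:4f8:0:3::319          0.0%  1000    5.8   6.8   5.2  46.7   3.7
  5.|-- 2400:cb00:71:2:2:4940::    0.0%  1000   20.3   8.7   6.3  53.6   5.1
  6.|-- ???                       100.0  1000    0.0   0.0   0.0   0.0   0.0
"""

SAMPLE_OK = """\
HOST: rescue Loss% Snt Last Avg Best Wrst StDev
  1.|-- static.81.38.251.148.clie 0.0% 100 0.4 0.8 0.3 10.6 1.6
  2.|-- core24.fsn1.hetzner.com 85.0% 100 0.6 0.6 0.3 1.3 0.2
  3.|-- core0.fra.hetzner.com 1.0% 100 5.2 6.4 4.9 41.7 4.2
  4.|-- core9.fra.hetzner.com 0.0% 100 6.2 10.1 5.1 33.5 5.3
  5.|-- 162.158.84.254 0.0% 100 5.9 7.6 5.7 30.5 4.2
  6.|-- 172.65.32.248 0.0% 100 5.3 5.3 5.3 5.5 0.1
"""

if __name__ == "__main__":
    for label, report in (("by name, IPv6", SAMPLE_BROKEN), ("by address, IPv4", SAMPLE_OK)):
        verdict, detail = classify(parse_mtr_report(report))
        print(f"{label}: {verdict} {detail}")
```

Two caveats when reading the verdict: `mtr` probes with ICMP echo by default, so a silent tail on its own only proves that nothing past the last responding hop answers ICMP; it is the `curl` connect timeout (exit code 7) on port 443 that shows TCP is failing too. And the useful comparison in this thread is between reports, not within one: the same Cloudflare address 172.65.32.248 that is unreachable from the affected server is reached in the later report, which is what localises the problem to that host's path rather than to the API endpoint.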
