Cannot connect to acme-v02 :(

onedesign · February 1, 2021, 7:18pm

My domain is: zostrov.com (148.251.236.201)

I ran this command:
curl -I https://acme-v02.api.letsencrypt.org/

It produced this output:
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

I ran this command:
curl -I https://www.whitehouse.gov/

It produced this output:

HTTP/2 200
x-build-back-better: https://usds.gov/
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
content-type: text/html; charset=UTF-8
date: Mon, 01 Feb 2021 19:15:32 GMT
strict-transport-security: max-age=31536000 ; includeSubDomains ; preload

I ran this command:
mtr -s 1000 -r -c 1000 acme-v02.api.letsencrypt.org

It produced this output:
HOST: onedesign Loss% Snt Last Avg Best Wrst StDev

1.|-- 2a01:4f8::a:20:a           0.3%  1000    0.9   0.9   0.5  21.3   1.0
2.|-- core24.fsn1.hetzner.com   35.5%  1000    1.2   7.5   0.8  56.4  10.0
3.|-- core5.fra.hetzner.com      0.2%  1000    9.4   6.8   4.9  48.1   4.4
4.|-- 2a01:4f8:0:3::319          0.0%  1000    5.8   6.8   5.2  46.7   3.7
5.|-- 2400:cb00:71:2:2:4940::    0.0%  1000   20.3   8.7   6.3  53.6   5.1
6.|-- ???                       100.0  1000    0.0   0.0   0.0   0.0   0.0

I ran this command:
traceroute acme-v02.api.letsencrypt.org

It produced this output:

 1  static.81.38.251.148.clients.your-server.de (148.251.38.81)  0.292 ms  0.269 ms  0.251 ms
 2  * * core23.fsn1.hetzner.com (213.239.203.141)  2.369 ms
 3  core0.fra.hetzner.com (213.239.252.37)  4.817 ms * *
 4  core9.fra.hetzner.com (213.239.224.174)  5.561 ms  5.568 ms  5.488 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *

My web server is (include version):
nginx 1.12.2

The operating system my web server runs on is (include version):
Debian 9

My hosting provider, if applicable, is:
Hetzner.de

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
ISPmanager Lite 5 + SSH/FTP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme-tiny

Hetzner Support team says that problem in Cloudflare.
I don't use it, so don't understand what should I do next...

I have another server at Hetzner - everything is OK there.
Looks that IP is blocked?

sahsanu · February 1, 2021, 7:31pm

Hello @onedesign,

Could you please try to access using IPv4 and IPv6?

curl -4I https://acme-v02.api.letsencrypt.org/

curl -6I https://acme-v02.api.letsencrypt.org/

onedesign · February 1, 2021, 8:05pm

curl -4I https://acme-v02.api.letsencrypt.org/
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

curl -6I https://acme-v02.api.letsencrypt.org/
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

sahsanu · February 1, 2021, 8:08pm

Ok, let's do it verbose:

curl -4Iv https://acme-v02.api.letsencrypt.org/

curl -6Iv https://acme-v02.api.letsencrypt.org/

schoen · February 1, 2021, 8:22pm

@lestaff, possible API CDN routing issue?

sahsanu · February 1, 2021, 8:27pm

Just in case, I've a server with Hetzner (Germany) and I've no problems to reach Let's Encrypt API.

onedesign · February 1, 2021, 8:31pm

Same thing: I've another server with Hetzner and it's OK...
Any other sites are reachable (curl, ping, traceroute) on the subject server, but only not acme-v02...

onedesign · February 1, 2021, 8:38pm

curl -4Iv https://acme-v02.api.letsencrypt.org/

* Trying 172.65.32.248...
* TCP_NODELAY set
* connect to 172.65.32.248 port 443 failed: Connection timed out
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out



curl -6Iv https://acme-v02.api.letsencrypt.org/

* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* connect to 2606:4700:60:0:f53d:5624:85c7:3a2c port 443 failed: Connection timed out
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

JamesLE · February 1, 2021, 8:48pm

Hi, @onedesign,

I just made an experimental change on our end. Please let us know whether or not you're still having trouble connecting now. If you're still having trouble, you may need to involve Hetzner support further (if they're willing to help), and/or it may be time to:

check your iptables rules for any egress filtering
check all of Hetzner's control panel options for any egress filtering
capture your outgoing packets with tcpdump

JuergenAuer · February 1, 2021, 9:04pm

Hi @onedesign

are you sure you don't have something that blocks?

That

D:\temp>tracert static.81.38.251.148.clients.your-server.de.

Routenverfolgung zu static.81.38.251.148.clients.your-server.de [148.251.38.81]
über maximal 30 Hops:

1 <1 ms <1 ms <1 ms fritz.box [192.168.0.1]
2 4 ms 4 ms 4 ms p3e9bf075.dip0.t-ipconnect.de [62.155.240.117]
3 * * * Zeitüberschreitung der Anforderung.
4 * * * Zeitüberschreitung der Anforderung.
5 * * * Zeitüberschreitung der Anforderung.
6 * 37 ms 28 ms core24.fsn1.hetzner.com [213.239.252.250]
7 * * * Zeitüberschreitung der Anforderung.
8 * * * Zeitüberschreitung der Anforderung.
9 * * * Zeitüberschreitung der Anforderung.
10 * * * Zeitüberschreitung der Anforderung.
11 * * * Zeitüberschreitung der Anforderung.
12 * * * Zeitüberschreitung der Anforderung.
13 * * * Zeitüberschreitung der Anforderung.
14 * * * Zeitüberschreitung der Anforderung.
15 * * * Zeitüberschreitung der Anforderung.
16 * * * Zeitüberschreitung der Anforderung.
17 * * * Zeitüberschreitung der Anforderung.
18 * * * Zeitüberschreitung der Anforderung.
19 * * * Zeitüberschreitung der Anforderung.
20 * * * Zeitüberschreitung der Anforderung.
21 * * * Zeitüberschreitung der Anforderung.
22 * * * Zeitüberschreitung der Anforderung.
23 * * * Zeitüberschreitung der Anforderung.
24 * * * Zeitüberschreitung der Anforderung.
25 * * * Zeitüberschreitung der Anforderung.
26 * * * Zeitüberschreitung der Anforderung.
27 * * * Zeitüberschreitung der Anforderung.
28 * * * Zeitüberschreitung der Anforderung.
29 * * * Zeitüberschreitung der Anforderung.
30 * * * Zeitüberschreitung der Anforderung.

Ablaufverfolgung beendet.

looks curious.

Normally, I'm able to ping / tracert hetzner servers from my local pc, Berlin / Telekom.

And that's not Cloudflare.

onedesign · February 1, 2021, 9:10pm

Thanks for testing. I'll forward this information to Hetzner support team.

onedesign · February 1, 2021, 9:19pm

Where did you get this reverse name?

My server's IP is 148.251.236.201
host 148.251.236.201
201.236.251.148.in-addr.arpa domain name pointer static.201.236.251.148.clients.your-server.de.

Please try to trace this.

JuergenAuer · February 1, 2021, 9:32pm

It's from your first output:

Ah, that's a different ip, not your ip.

Yep, that works:

D:\temp>tracert static.201.236.251.148.clients.your-server.de.

Routenverfolgung zu static.201.236.251.148.clients.your-server.de [148.251.236.201]
über maximal 30 Hops:

1 <1 ms <1 ms <1 ms fritz.box [192.168.0.1]
2 14 ms 4 ms 4 ms p3e9bf075.dip0.t-ipconnect.de [62.155.240.117]
3 * * 14 ms n-ea9-i.N.DE.NET.DTAG.DE [62.154.24.222]
4 14 ms 14 ms 14 ms n-ea9-i.N.DE.NET.DTAG.DE [62.154.24.222]
5 16 ms 16 ms 16 ms 62.157.248.138
6 * 25 ms 45 ms core24.fsn1.hetzner.com [213.239.252.250]
7 * 16 ms 16 ms ex9k1.dc11.fsn1.hetzner.com [213.239.203.146]
8 18 ms 18 ms 21 ms static.201.236.251.148.clients.your-server.de [148.251.236.201]

Ablaufverfolgung beendet.

Sorry, false alarm.

But it's curious I can't trace something that is in front of your server.

onedesign · February 1, 2021, 11:10pm

May the issue is caused by a wrong DNS-Server configuration?
-----------------%<-----------------

mtr -rc100 172.65.32.248
Start: 2021-02-01T23:53:14+0100
HOST: rescue Loss% Snt Last Avg Best Wrst StDev
  1.|-- static.81.38.251.148.clie 0.0% 100 0.4 0.8 0.3 10.6 1.6
  2.|-- core24.fsn1.hetzner.com 85.0% 100 0.6 0.6 0.3 1.3 0.2
  3.|-- core0.fra.hetzner.com 1.0% 100 5.2 6.4 4.9 41.7 4.2
  4.|-- core9.fra.hetzner.com 0.0% 100 6.2 10.1 5.1 33.5 5.3
  5.|-- 162.158.84.254 0.0% 100 5.9 7.6 5.7 30.5 4.2
  6.|-- 172.65.32.248 0.0% 100 5.3 5.3 5.3 5.5 0.1

nslookup acme-v02.api.letsencrypt.org
Server: 213.133.98.98
Address: 213.133.98.98#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org canonical name =
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c



mtr -6 -rc 50 2606:4700:60:0:f53d:5624:85c7:3a2c
Start: 2021-02-01T23:59:15+0100
HOST: rescue Loss% Snt Last Avg Best Wrst StDev
  1.|-- 2a01:4f8::a:20:a 0.0% 50 0.4 0.5 0.3 1.6 0.3
  2.|-- core23.fsn1.hetzner.com 68.0% 50 4.9 13.4 0.4 46.4 13.0
  3.|-- core5.fra.hetzner.com 0.0% 50 5.0 7.2 4.9 18.2 4.0
  4.|-- 2a01:4f8:0:3::319 0.0% 50 13.5 7.9 5.2 29.1 4.6
  5.|-- 2400:cb00:71:2:2:4940:: 0.0% 50 6.0 7.9 5.8 37.7 5.6
  6.|-- 2606:4700:60:0:f53d:5624: 0.0% 50 5.4 5.3 5.2 5.5 0.1

system · March 3, 2021, 11:10pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Immediate connect fail for acme-v02.api.letsencrypt.org Help	4	2138	July 10, 2020
API connection issues Help	4	561	April 8, 2021
Failed to connect to acme-v02.api.letsencrypt.org Help	5	268	August 16, 2024
Ploblem with connections to acme-v02.api.letsencrypt.org Help	3	940	May 28, 2020
[SOLVED] Failed to connect to acme-v02.api.letsencrypt.org port 443 after 3064 ms: Couldn't connect to server Help	7	6464	November 17, 2023

Cannot connect to acme-v02 :(

Related topics