Can't connect to acme for new cert

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ruiznetwork.com

I ran this command: curl -v https://acme-v02.api.letsencrypt.org

It produced this output: failed: Operation timed out

My web server is (include version): nginx

The operating system my web server runs on is (include version): macosx

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2

Where it times out? Can you do traceroute to acme endpoint?

2 Likes
3

dns resolves to 172.65.32.248 and this times out with just a ping

4

You likely have a local network configuration problem.

One possibility is you have incorrect range of private IP addresses that start with 172. Private IP should only be for the range 172.16.0.0/12.

If you setup your local network (wrongly) to use, say, 172.0.0.0/8 that declares a wider range of IP addresses as private. Your local network won't then route requests for these extra IP to the public internet. The acme-v02 IP is between /8 and /12 so you won't be able to reach it.

What does this show? It might help determine if that is the problem

traceroute acme-v02.api.letsencrypt.org

Also, can you connect to this?

curl https://cloudflare.com/cdn-cgi/trace
3 Likes
5

traceroute shows this:
traceroute to ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248), 64 hops max, 40 byte packets
1 192.168.10.1 (192.168.10.1) 1.283 ms 0.662 ms 0.573 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *

curl shows this:
fl=988f33
h=cloudflare.com
ip= my ip
ts=1750128798.575
visit_scheme=https
uag=curl/8.11.1
colo=my town
sliver=none
http=http/2
loc=US
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
rbi=off
kex=X25519

6

Looks like a routing problem in your local network. Review any private IP ranges in your networking gear and configurations.

Based on your DNS settings it looks like you plan to proxy your domain at Cloudflare. If that is your plan have you considered using one of their Origin CA Certificates? If that works for you then you may not even need a cert from Let's Encrypt. See: Cloudflare origin CA · Cloudflare SSL/TLS docs

3 Likes
7

Thanks for the help!

3 Likes
8

So I found that for some reason my internet provider (Comcast/Xfinity) is not allowing replies. Just switching from my provider to my Verizon phone using it as a hotspot allows things to ping and traceroute just fine. Even just pings to letsencrypt.org are timing out. I have reached out to Xfinity support to see if they can do something from their end.

2 Likes
9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.