Can't Renew Certificate

Hello everyone,

I'm trying to renew the certificates for my domains but I'm getting errors. It seems the IPs are blocked.

Can you please help?

Details below.

Thanks

My domains are: https://app.barakamoney.com and https://didate.net/

I ran this command: curl -vvv https://acme-v02.api.letsencrypt.org/directory

It produced this output:

  * Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
  * TCP_NODELAY set
  * Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
  * Closing connection 0
  curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: hetzner

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

2 Likes

Hmm… assuming that you can connect to other places from that system, and just not the ACMEv2 API, it might be the DoS mitigation block. Did you recently acquire this IPv6 space, or might it have been used for "bad things" relatively recently?

However, the domains you posted don't have AAAA DNS records, but you're connecting from the server to the IPv6 address for the API. Can you share the IPv6 address you're trying this from? And when you do so, probably tag @lestaff so they can take a look. It's a holiday weekend in the US, though, so I don't know what their response time will be to forum posts.

4 Likes
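The diagnosis in this thread rests on reading a curl -v transcript: TCP connected to an IPv6 address, the client sent its Client Hello, and then SSL_ERROR_SYSCALL with nothing coming back. That shape (TCP works, TLS gets no answer) is what distinguishes an upstream block or egress filter from a DNS or routing problem, and the address in the "Connected to" line is the one that matters, regardless of what AAAA records the domain publishes. The following triage helper is an added example, not code from the original thread or from Let's Encrypt; the three transcripts are constructed (the first is modelled on the output posted above, the IPv4 address 203.0.113.10 and the other two transcripts are assumptions for illustration).

```python
import ipaddress
import re

# Constructed sample, modelled on the transcript posted in this thread:
# TCP connects over IPv6, Client Hello goes out, nothing comes back.
SAMPLE_BLOCKED = """\
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
"""

# Constructed sample of a healthy handshake over IPv4 (203.0.113.10 is a
# documentation address used as an assumption, not a real API address).
SAMPLE_OK = """\
* Trying 203.0.113.10:443...
* Connected to acme-v02.api.letsencrypt.org (203.0.113.10) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
< HTTP/2 200
"""

# Constructed sample where TCP itself never connects.
SAMPLE_REFUSED = """\
* Trying 203.0.113.10:443...
* connect to 203.0.113.10 port 443 failed: Connection refused
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection refused
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection refused
"""

# "* Connected to <host> (<ip>) port <n> (#0)" is the line that tells us which
# address family curl actually used, independent of the domain's DNS records.
CONNECTED_RE = re.compile(r"^\* Connected to \S+ \(([0-9a-fA-F:.]+)\) port (\d+)")


def triage_curl(transcript: str) -> dict:
    """Classify a `curl -v https://...` transcript by how far the connection got.

    status is one of:
      tcp-connect-failed  no TCP connection at all (DNS, routing, refused)
      tls-no-response     TCP connected, Client Hello sent, no TLS reply
      ok                  a Server Hello (or later TLS record) came back
      unknown             TCP connected but the transcript shows no TLS outcome
    """
    peer = port = None
    tcp = tls = syscall_error = False
    for line in transcript.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            peer, port = m.group(1), int(m.group(2))
            tcp = True
        if "TLS handshake, Server hello" in line or line.startswith("* SSL connection using"):
            tls = True
        if "SSL_ERROR_SYSCALL" in line:
            syscall_error = True

    family = f"IPv{ipaddress.ip_address(peer).version}" if peer else None

    if not tcp:
        status, detail = "tcp-connect-failed", "no SYN-ACK: routing, DNS, or refused port"
    elif tls:
        status, detail = "ok", "TLS handshake completed"
    elif syscall_error:
        status, detail = ("tls-no-response",
                          "TCP connected but the Client Hello was dropped or reset; "
                          "typical of an upstream block, or of a local egress firewall rule")
    else:
        status, detail = "unknown", "TCP connected, handshake outcome not visible"

    return {"peer": peer, "port": port, "family": family,
            "tcp": tcp, "tls": tls, "status": status, "detail": detail}


if __name__ == "__main__":
    for name, sample in (("blocked", SAMPLE_BLOCKED), ("ok", SAMPLE_OK), ("refused", SAMPLE_REFUSED)):
        r = triage_curl(sample)
        print(f"{name:8s} peer={r['peer']} family={r['family']} -> {r['status']}: {r['detail']}")
```

To reproduce the split on a live host, compare `curl -4 -v` and `curl -6 -v` against the directory URL; if only the IPv6 attempt comes back as tls-no-response, the address to report is the one your host actually sources from, which `ip -6 route get <api address>` prints in its `src` field. A "tls-no-response" verdict is not proof of a remote block on its own: an outbound firewall policy on the server, or a middlebox that resets TLS, produces the same transcript, so rule those out before asking for an unblock.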

I was able to find the IPv6 address with a little detective work, and we had indeed blocked it as part of DDoS mitigation. It's unblocked now.

If you've had your server since before March 9, please look carefully for signs of compromise, since it's likely that the entity responsible for the DDoS attack still has some kind of access.

9 Likes

Hello everyone.

Thank you so much, it is now working for the first domain (*.barakamoney.com).

Can you please check also for didate.net ?

Thank you.

2 Likes

Can you try the curl command on the other server? These seem to be hosted on two different servers (both at Hetzner), while the didate.net server doesn't have any IPv6 address advertised to the public (although it might still have an IPv6 connection available and might be using IPv6 to connect to the Let's Encrypt service).

Also, please note this comment from @JamesLE above:

The blocking happened because someone used that server's address to attack Let's Encrypt. If this happened while it was already your server, this most likely indicates a serious security problem that has allowed someone to take over the server and use it to attack others. If this also turns out to be the case for the other server, it suggests that the security problem might be shared between the two different servers, so it might have the same origin somehow.

3 Likes

Yes, the two domains are on two different servers, both at Hetzner, and I have had both since before March.

Here is the curl response on the didate.net server:

curl -vvv https://acme-v02.api.letsencrypt.org/directory

  * Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  * TCP_NODELAY set
  * Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
  * Closing connection 0
  curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

Could it also be due to the fact that I have several subdomains (on the same server) under didate.net (maybe I have to use a wildcard)?

I'm continuing to look into whether there is a problem on my servers.

Thank you.

1 Like

@didate, this curl output does look like the second server was also blocked due to participating in an attack (unless you intentionally have a firewall policy in place to prevent it from making outgoing connections).

In order to unblock the second server, I think @JamesLE will need to know that server's IPv6 address. Unlike your first server, this isn't visible in DNS, so we can't just look it up without your help. (Both servers have IPv6 addresses assigned by Hetzner, but only one of them has an AAAA record telling the public about how to reach your server using it.)

The fact that both servers may have participated in the same attack is definitely a sign that there's a security problem that has let someone else get into both of them.

3 Likes

Hello

Here is the IPv6 address of the second server:

inet6 2a01:4f8:c17:8938::1/64 scope global

1 Like

I've now unblocked that address, too. As @schoen said, it does seem likely that there's a serious security problem in common between both servers, so I strongly recommend you look carefully at auditing them and probably re-installing them.

4 Likes

Thank you so much.

I'm checking what is wrong on the servers.

Regards.

1 Like
