Certbot -d with error - IP Blocked?

Hi, guys.

After installing certbot and trying to install a certificate, we got this error:

An unexpected error occurred:
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Could you help us?

Can you show results of these:

curl -I https://acme-v02.api.letsencrypt.org/directory

curl -I https://cloudflare.com

curl -I https://google.com

Also, I moved your post to the Help section. You would have been shown the questions below. Please answer as much as you can.

============================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

The output:

curl -I https://acme-v02.api.letsencrypt.org/directory
:: curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host
curl -I https://cloudflare.com
:: HTTP/2 301 
date: Tue, 03 Oct 2023 19:18:10 GMT
location: https://www.cloudflare.com/
cache-control: max-age=3600
expires: Tue, 03 Oct 2023 20:18:10 GMT
set-cookie: __cf_bm=xb27tW8Jx12OcFf1HEjWR8l_In5lcDtxZ.P_9dkFnA0-1696360690-0-AUUdapfIGcYT304F67vVM4qP/4lPTsbFRl5loH3DWK3N+TI4yyfLaEzyMM5OzUgKJeMG2gbntN66F80NHkI5BiI=; path=/; expires=Tue, 03-Oct-23 19:48:10 GMT; domain=.cloudflare.com; HttpOnly; Secure; SameSite=None
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NfWRJfCiTrsNR%2B%2FseS7UDSl4s1kqcscPe%2FoUxOKklYEK5MqVqDuLGUW06PwKfvfQOlZUTFtDcmZIq1juwRwGbvUKbiI8RQA7AXmPhrrxdSdbUlQxheZAs3guwkwayRHv"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15780000; includeSubDomains
server: cloudflare
cf-ray: 81078788985fa4de-GRU
alt-svc: h3=":443"; ma=86400
curl -I https://google.com
:: HTTP/2 301 
location: https://www.google.com/
content-type: text/html; charset=UTF-8
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-R34tJj5o864nQZOV7WZbeQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
date: Tue, 03 Oct 2023 19:18:16 GMT
expires: Thu, 02 Nov 2023 19:18:16 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

And, what about this

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org

And this

netstat -nr
2 Likes

That's a local routing problem.

If netstat hasn't been installed, try showing:
ip route

2 Likes

traceroute -T -p 443 acme-v02.api.letsencrypt.org
:: traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 ------ (172.20.60.105) 3105.753 ms !H 3105.123 ms !H 3105.038 ms !H

netstat -nr
:: Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 ens3
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens3
172.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 ens4

Well, uh, that's your problem. You're trying to send everything starting with 172 to that interface. I'm guessing it's supposed to be much narrower than that, since only 172.16.0.0/12 is designated as private IP space. Some of Let's Encrypt's servers are in the public space of 172.

5 Likes

Yes, and specifically this one 🙂

4 Likes

Thanks guys.

We made some changes in our ifcfg and the problem was solved.

Thank you so much.

5 Likes
