Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | mail.galeido.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: mail.galeido.com
I ran this command:
curl -iL https://acme-v02.api.letsencrypt.org/directory
It produced this output:
Some of the sessions goes through and some of the sessions end up with
curl (56) OpenSSL SSL_read: Connection reset by peer, errno 104
My hosting provider, if applicable, is:
Own environment including ASN -> AS210723
I can login to a root shell on my machine (yes or no, or I don't know):
I would kindly ask LE staff to review our IPv4 subnet 18.104.22.168/24 it might be blocked or filtered by your DDoS mitigation or other protective measures.
Thanks for advance
Ping @JamesLE sorry for the direct ping.
Are the sessions that sometimes pass, and then sometimes fail, sourced from the exact same IP?
What is the failure rate?
Based on testing now, it is 100% failure rate, everything else works from that specific IPv4 range and from mail.galeido.com
We're not deliberately blocking your IPv4 or v6 space, or ASN; with the service we use, Cloudflare usually doesn't block traffic except during an active attack. Your prefixes look OK in RIPEstat. What results do you get from a traceroute? I would guess you'll probably reach Cloudflare via your peering at BALT-IX.
Thanks for coming back to be quickly.
What comes to Cloudflare, like you said usually doesn't block traffic, which is rather odd in this case. For this specific subnet we route traffic through Finnish provider called Suomicom and secondary through Cogent. Upcoming weekend we will change our core routing to utilise IXPs including FICIX and BALT-IX.
trace seems to stop to Suomicom border-gw in Helsinki. I will reach out to them today.
try using icmp traceroute instead of udp traceroute:
traceroute -I acme-v02.api.letsencrypt.org
or maybe even tcp (
After swapping primary routing to go through Cogent, everything works normally. Have to reach out to Suomicom's customer support to figure out root cause.
Managed to renew certificates now. Thanks for the quick help.