DuckDNS not able to connect to letsencrypt server

Hello all, I am not sure if this is the right place to post this or not, and if it is not, I will delete.

I am attempting to use the DuckDNS addon in Home Assistant, which uses LetsEncrypt SSL certs. However, every time I run the addon, I get the following in the logs:

ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 6)

EXPECTED value GOT EOF

Can anyone explain this issue? I think it is a DNS issue, but I am not sure how to fix it.

Hi @snel6424, and welcome to the LE community forum

Yes; to me, it seems like it's a problem with either DNS, routing, or firewall blocking the access.

Please show:
[choose depending on the operating system]

  • ipconfig OR ifconfig | grep -Ei 'inet|addr'
  • nslookup acme-v02.api.letsencrypt.org OR dig acme-v02.api.letsencrypt.org
  • netstat -nr OR ip route
  • tracert -d 172.65.32.248 OR traceroute -T -p 443 172.65.32.248
3 Likes

Okay I get the following outputs:

ifconfig | grep -Ei 'inet|addr'                                                                                                                                                                                                      
docker0   Link encap:Ethernet  HWaddr 02:42:AA:2E:FD:4B                                                                                                                                                                                   
          inet addr:172.30.232.1  Bcast:172.30.233.255  Mask:255.255.254.0                                                                                                                                                                
          inet6 addr: fe80::42:aaff:fe2e:fd4b/64 Scope:Link                                                                                                                                                                               
enp1s0    Link encap:Ethernet  HWaddr E4:54:E8:49:C3:53                                                                                                                                                                                   
          inet addr:192.168.4.36  Bcast:192.168.7.255  Mask:255.255.252.0                                                                                                                                                                 
          inet6 addr: fe80::2b13:5b7d:fc00:c9cd/64 Scope:Link                                                                                                                                                                             
          inet6 addr: fde3:c83d:852d:1:24ba:3ab9:8d9:cff6/64 Scope:Global                                                                                                                                                                 
hassio    Link encap:Ethernet  HWaddr 02:42:8B:44:8B:47                                                                                                                                                                                   
          inet addr:172.30.32.1  Bcast:172.30.33.255  Mask:255.255.254.0                                                                                                                                                                  
          inet6 addr: fe80::42:8bff:fe44:8b47/64 Scope:Link                                                                                                                                                                               
          inet addr:127.0.0.1  Mask:255.0.0.0     
          inet6 addr: ::1/128 Scope:Host
veth0533742 Link encap:Ethernet  HWaddr 46:02:B8:6E:21:66  
          inet6 addr: fe80::4402:b8ff:fe6e:2166/64 Scope:Link
veth8151df8 Link encap:Ethernet  HWaddr 06:91:CE:76:5C:72  
          inet6 addr: fe80::491:ceff:fe76:5c72/64 Scope:Link
veth8f36ec9 Link encap:Ethernet  HWaddr A2:82:BD:10:F4:97  
          inet6 addr: fe80::a082:bdff:fe10:f497/64 Scope:Link
vetha184964 Link encap:Ethernet  HWaddr 7E:DE:07:C3:66:1C  
          inet6 addr: fe80::7cde:7ff:fec3:661c/64 Scope:Link
vetha5b4a97 Link encap:Ethernet  HWaddr AE:10:DE:4F:70:42  
          inet6 addr: fe80::ac10:deff:fe4f:7042/64 Scope:Link
vetha9a55ce Link encap:Ethernet  HWaddr EA:DE:F0:28:88:7D  
          inet6 addr: fe80::e8de:f0ff:fe28:887d/64 Scope:Link
vethdffef3b Link encap:Ethernet  HWaddr F2:C9:17:31:D6:14  
          inet6 addr: fe80::f0c9:17ff:fe31:d614/64 Scope:Link
wlp0s12f0 Link encap:Ethernet  HWaddr 94:E6:F7:61:17:BE  
➜  ~ dig acme-v02.api.letsencrypt.org
;; communications error to 172.30.32.3#53: timed out
;; communications error to 172.30.32.3#53: timed out
;; communications error to 172.30.32.3#53: timed out

; <<>> DiG 9.18.19 <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; no servers could be reached

➜  ~ ip route                       
default via 192.168.4.1 dev enp1s0  src 192.168.4.36  metric 100 
172.30.32.0/23 dev hassio scope link  src 172.30.32.1 
172.30.232.0/23 dev docker0 scope link  src 172.30.232.1 
192.168.4.0/22 dev enp1s0 scope link  src 192.168.4.36  metric 100 
➜  ~ traceroute -T -p 172.65.32.248
traceroute: unrecognized option: T
BusyBox v1.36.1 (2023-07-27 17:12:24 UTC) multi-call binary.

Usage: traceroute [-46IFlnrv] [-f 1ST_TTL] [-m MAXTTL] [-q PROBES] [-p PORT]
        [-t TOS] [-w WAIT_SEC] [-s SRC_IP] [-i IFACE]
        [-z PAUSE_MSEC] HOST [BYTES]

Trace the route to HOST

        -4,-6   Force IP or IPv6 name resolution
        -F      Set don't fragment bit
        -I      Use ICMP ECHO instead of UDP datagrams
        -l      Display TTL value of the returned packet
        -n      Print numeric addresses
        -r      Bypass routing tables, send directly to HOST
        -v      Verbose
        -f N    First number of hops (default 1)
        -m N    Max number of hops
        -q N    Number of probes per hop (default 3)
        -p N    Base UDP port number used in probes
                (default 33434)
        -s IP   Source address
        -i IFACE Source interface
        -t N    Type-of-service in probe packets (default 0)
        -w SEC  Wait for a response (default 3)
        -z MSEC Wait before each send

None of the left ones worked, only the right ones

The left was for Windows - [you never said which operating system you are on]

That is missing the port "443".
But I see that it doesn't like the capital "T".
Try:
traceroute -p 443 172.65.32.248

Also, all the interface IPs are private.
That means there is a NAT device [router/firewall] in the path.

This seems like it can't reach the DNS server:

3 Likes
~ traceroute -p 443 172.65.32.248 
traceroute to 172.65.32.248 (172.65.32.248), 30 hops max, 46 byte packets
 1  192.168.4.1 (192.168.4.1)  0.502 ms  0.531 ms  0.457 ms
 2  149.76.69.1 (149.76.69.1)  2.073 ms  2.987 ms  7.990 ms
 3  149.76.126.34 (149.76.126.34)  1.777 ms  1.469 ms  1.460 ms
 4  149.76.126.32 (149.76.126.32)  5.624 ms  5.689 ms  5.741 ms
 5  149.76.126.20 (149.76.126.20)  5.417 ms  5.258 ms  6.152 ms
 6  149.76.126.16 (149.76.126.16)  17.017 ms  208.117.98.192 (208.117.98.192)  31.482 ms  149.76.126.16 (149.76.126.16)  16.834 ms
 7  208.117.98.128 (208.117.98.128)  31.754 ms  76.73.201.152 (76.73.201.152)  21.196 ms  21.082 ms
 8  10.255.0.0 (10.255.0.0)  38.447 ms  38.501 ms  38.479 ms
 9  76.73.201.155 (76.73.201.155)  35.487 ms  35.130 ms  35.240 ms
10  206.108.255.45 (206.108.255.45)  58.787 ms  87.714 ms  44.667 ms
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  *
22  *  *  *
23  *  *  *
24  *  *  *
25  *  *  *
26  *  *  *
27  *  *  *
28  *  *  *
29  *  *  *
30  *  *  *

The last entry shown:

Name:    as13335.micemn.net
Address: 206.108.255.45

makes me think that there is a break between your network and Cloudflare:
ARIN Whois/RDAP - American Registry for Internet Numbers - 172.64.0.0/13

My last two clearly show it reaching CF:

 6  32.142.133.106 (32.142.133.106)  15.329 ms  12.557 ms  12.459 ms
 7  172.70.80.2 (172.70.80.2)  13.074 ms 172.70.52.2 (172.70.52.2)  8.308 ms 172.70.252.2 (172.70.252.2)  8.652 ms
3 Likes

Any idea on what might be causing that or any idea on how to fix it?

I suspect a routing issue is causing the problem.

I don't think there is anything you can do about it [at your end] - short of asking your ISP to "look into it".
[maybe they have ways of contacting other ISPs along the way and one may reach the problem]

2 Likes
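
Added example, not part of any post in this thread: curl exit code 6 means the host name could not be resolved, so this script reads saved `dig`, `ip route` and `traceroute` output to report which resolver timed out, whether that resolver sits on a directly connected network, and which hop was the last to answer. The function names are hypothetical; the sample data is copied from the outputs posted above.

```shell
#!/bin/sh
# Added example. Sample data is copied from the outputs posted in this thread.
DIG_OUT=';; communications error to 172.30.32.3#53: timed out
;; no servers could be reached'
ROUTES='default via 192.168.4.1 dev enp1s0  src 192.168.4.36  metric 100
172.30.32.0/23 dev hassio scope link  src 172.30.32.1
172.30.232.0/23 dev docker0 scope link  src 172.30.232.1
192.168.4.0/22 dev enp1s0 scope link  src 192.168.4.36  metric 100'
TRACE=' 9  76.73.201.155 (76.73.201.155)  35.487 ms  35.130 ms  35.240 ms
10  206.108.255.45 (206.108.255.45)  58.787 ms  87.714 ms  44.667 ms
11  *  *  *
12  *  *  *'

# Resolver addresses that dig reported as timing out, one per line.
dig_timed_out_resolvers() {
    sed -n 's/^;; communications error to \([0-9.]*\)#[0-9]*: timed out.*/\1/p' | sort -u
}

# Dotted-quad IPv4 address to integer.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) + (b << 16) + (c << 8) + d )); }
}

# True when IPv4 address $1 lies inside CIDR block $2.
in_cidr() {
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Reads `ip route` output; prints the device whose directly connected
# (scope link) network contains address $1, or fails if none does.
link_for() {
    while read -r net _kw dev rest; do
        case "$net" in */*) ;; *) continue ;; esac
        case "$rest" in *"scope link"*) ;; *) continue ;; esac
        if in_cidr "$1" "$net"; then echo "$dev"; return 0; fi
    done
    return 1
}

# Reads traceroute output; prints "<hop> <address>" of the last hop that replied.
last_answering_hop() {
    awk '$1 ~ /^[0-9]+$/ && $2 != "*" { hop = $1; addr = $2 } END { if (hop) print hop, addr }'
}

for r in $(printf '%s\n' "$DIG_OUT" | dig_timed_out_resolvers); do
    if dev=$(printf '%s\n' "$ROUTES" | link_for "$r"); then
        echo "resolver $r timed out; it is directly connected via $dev"
    else
        echo "resolver $r timed out; it is reached through the default route"
    fi
done
echo "last answering hop: $(printf '%s\n' "$TRACE" | last_answering_hop)"
```

On the thread's data this reports that the resolver 172.30.32.3 is on the `hassio` network (172.30.32.0/23), so the DNS timeout is between the add-on and a resolver on that local network rather than on the path the traceroute follows.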
