EC2 says "network is unreachable" on sudo certbot --nginx

On Amazon EC2

I ran this command:
sudo certbot --nginx

It produced this output:

An unexpected error occurred:
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04.4 LTS

Further commands:

netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.0.1      0.0.0.0         UG        0 0          0 eth0
172.31.0.0      0.0.0.0         255.255.240.0   U         0 0          0 eth0
172.31.0.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth0
172.31.0.2      0.0.0.0         255.255.255.255 UH        0 0          0 eth0

curl -I https://acme-v02.api.letsencrypt.org/directory
connection timeout


I have seen this issue before but it doesn't clarify what IP config to set for this to work. Just tell me what to set as I am new to this and the only one working on this.

My guess is that your system thinks that it has IPv6 access, but in fact something about your setup isn't routing packets right for it. I'd suggest double-checking the VPC's IPv6 routing table, and check for access to other IPv6-enabled systems from yours.


You could test what @petercooperjr suggests by trying

curl -I4 https://acme-v02.api.letsencrypt.org/directory
curl -I6 https://acme-v02.api.letsencrypt.org/directory

After configuring it for hours I finally enabled IPv6 on EC2.

sudo certbot --nginx

An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x75af0e2588e0>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Both commands keep processing with no message, possible timeout.

What shows?:
traceroute -T -p 443 acme-v02.api.letsencrypt.org


traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets

Try it with sudo. It should show something more like this:

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  * * *
 2  240.0.44.39 (240.0.44.39)  5.364 ms * *
 3  242.1.222.1 (242.1.222.1)  5.325 ms * *
 4  240.0.236.5 (240.0.236.5)  5.285 ms * *
 5  241.0.4.157 (241.0.4.157)  5.258 ms * *
 6  100.100.4.64 (100.100.4.64)  5.232 ms 100.100.34.80 (100.100.34.80)  0.594 ms 100.100.4.76 (100.100.4.76)  0.635 ms
 7  240.0.236.4 (240.0.236.4)  0.590 ms 99.83.90.167 (99.83.90.167)  1.480 ms 240.0.236.6 (240.0.236.6)  0.898 ms
 8  173.245.63.243 (173.245.63.243)  0.679 ms * 242.2.212.197 (242.2.212.197)  1.049 ms
 9  172.65.32.248 (172.65.32.248)  1.077 ms  0.726 ms  0.857 ms

And, if you don't get any results from traceroute what does this do

curl -I https://google.com

Also keeps processing indefinitely.

What about the curl to google.com ?


curl google.com

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

Thanks. Back to @rg305, I'm at the edge of my knowledge on this one :)


Full Response

ubuntu@ip-172-31-8-209:~$ sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Something [local] is blocking access to IP 172.65.32.248.

What shows?:
traceroute -T -p 443 google.com

What are the firewall rules?
Are there any that block destination IPs/Networks?


ubuntu@ip-172-31-8-209:~$ sudo traceroute -T -p 443 google.com
traceroute to google.com (142.250.71.110), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Security Group



What does that exact command do? Because I think you are missing outbound EC2 rules for port 443.

I just realized you just did curl google.com which would use port 80 (http)

I personally use outbound rules like below which allow all outbound requests. You can limit outbound ports if you want of course but make sure you open all the ones you need.

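The root cause above, a security group with no egress rule for TCP/443, can be checked offline from the JSON that `aws ec2 describe-security-groups` prints. The following is an added example, not code from the thread or from Certbot; the two security groups embedded in it are constructed (one allows only outbound port 80, which is why `curl google.com` worked while the HTTPS calls timed out, the other allows all outbound traffic), and the IPv6 address 2001:db8::1 is a documentation placeholder.

```python
"""Check whether an EC2 security group's egress rules allow the outbound
TCP/443 that Certbot needs to reach acme-v02.api.letsencrypt.org.
Input shape follows the IpPermissionsEgress entries returned by
`aws ec2 describe-security-groups` (constructed sample below)."""
import ipaddress
import json

# Constructed sample: group[0] mirrors the broken setup from the thread
# (only port 80 out), group[1] is the "allow all outbound" fix.
SAMPLE = json.loads("""{"SecurityGroups": [
  {"GroupId": "sg-broken-example", "IpPermissionsEgress": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-fixed-example", "IpPermissionsEgress": [
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}""")


def _rule_covers_port(rule, port):
    """IpProtocol "-1" means "All traffic" and carries no port range."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _rule_covers_dest(rule, dest):
    """Match the destination against the v4 or v6 CIDR list as appropriate."""
    addr = ipaddress.ip_address(dest)
    key, ckey = (("IpRanges", "CidrIp") if addr.version == 4
                 else ("Ipv6Ranges", "CidrIpv6"))
    return any(addr in ipaddress.ip_network(r[ckey]) for r in rule.get(key, []))


def egress_allows(group, dest, port=443):
    """True if any egress rule in `group` permits TCP `port` to `dest`."""
    return any(_rule_covers_port(r, port) and _rule_covers_dest(r, dest)
               for r in group.get("IpPermissionsEgress", []))


def groups_blocking_acme(doc, dest="172.65.32.248"):
    """GroupIds in a describe-security-groups document that block TCP/443 to dest."""
    return [g["GroupId"] for g in doc["SecurityGroups"]
            if not egress_allows(g, dest, 443)]


if __name__ == "__main__":
    print("blocking ACME:", groups_blocking_acme(SAMPLE))
```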

Right on spot. It was the outbound rules. Sorry for wasting your time, I clearly have a lot to learn here.
Thanks a lot, it worked finally. Everything is working.
