Failed to connect to the Let's Encrypt server https://acme-v02.api.letsencrypt.org

Hello,

We have a Plesk Linux server, but after the incident mentioned here https://letsencrypt.status.io/, we are unable to install SSL certificates:

Timeouts Accessing Some API Endpoints

We are getting Error below:

Error: Could not issue a Let’s Encrypt SSL/TLS certificate for DOMAINname

Failed to connect to the Let’s Encrypt server https://acme-v02.api.letsencrypt.org.
Please try again later or report the issue to support.
Details
Could not obtain directory: cURL error 51: Unable to communicate securely with peer: requested domain name does not match the server’s certificate. (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

Further Logs:

[2019-10-13 13:45:00.594] ERR [panel] Could not issue a Let’s Encrypt SSL/TLS certificate for sifarcrafts.com.

Failed to connect to the Let’s Encrypt server https://acme-v02.api.letsencrypt.org.
Please try again later or report the issue to support.
Details

Could not obtain directory: cURL error 28: Operation timed out after 150001 milliseconds with 0 out of 0 bytes received (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

[2019-10-13 14:13:21.282] ERR [panel] Could not issue a Let’s Encrypt SSL/TLS certificate for sifarcrafts.com.

Failed to connect to the Let’s Encrypt server https://acme-v02.api.letsencrypt.org.
Please try again later or report the issue to support.
Details
Could not obtain directory: cURL error 28: Operation timed out after 150001 milliseconds with 0 out of 0 bytes received (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

[2019-10-13 14:29:51.453] ERR [panel] Could not issue a Let’s Encrypt SSL/TLS certificate for sifarcrafts.com.

Failed to connect to the Let’s Encrypt server https://acme-v02.api.letsencrypt.org.
Please try again later or report the issue to support.
Details
Could not obtain directory: cURL error 28: Operation timed out after 150001 milliseconds with 0 out of 0 bytes received (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

[2019-10-13 14:39:05.404] ERR [panel] Could not issue a Let’s Encrypt SSL/TLS certificate for sifarcrafts.com.

Failed to connect to the Let’s Encrypt server https://acme-v02.api.letsencrypt.org.
Please try again later or report the issue to support.
Details
Could not obtain directory: cURL error 28: Operation timed out after 150001 milliseconds with 0 out of 0 bytes received (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

Hi @globalone24

What do

ping acme-v02.api.letsencrypt.org
traceroute acme-v02.api.letsencrypt.org

say from that server?

Looks like the server contacts the wrong IP address.

PS: Perhaps there is a wrong hosts entry.

Hello,

Below is the output of the mentioned cmds:

ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=47 time=213 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=47 time=213 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=3 ttl=47 time=213 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=4 ttl=47 time=213 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 213.302/213.357/213.425/0.330 ms

traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 103.224.243.1 (103.224.243.1) 0.785 ms 0.810 ms 1.066 ms
2 * * *
3 * * *
4 62.216.145.229 (62.216.145.229) 201.228 ms 201.224 ms 201.200 ms
5 * * *
6 xe-4-2-0.0.cjr02.sin001.flagtel.com (62.216.137.158) 205.563 ms 203.568 ms *
7 * xe-3-2-7.0.cji02.hkg003.flagtel.com (62.216.128.62) 276.325 ms *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

The IP is correct - it points to the Cloudflare anycast address that Let’s Encrypt uses.

But it looks like your network provider is having a routing issue; it seems like the connection is getting dropped or intercepted before it makes it to Cloudflare.

I would contact your host (Web Werks?) to ask about it. Show them the traceroute.

If you can manage to establish a connection, it would be interesting to see what certificate it actually answers with:

openssl s_client -connect 172.65.32.248:443 2>/dev/null | openssl x509 -noout -subject -issuer

Sorry, forgot to recheck that topic.

Yep - I see a trace:

D:\temp>tracert -4 acme-v02.api.letsencrypt.org.

2 4 ms 5 ms 12 ms 62.155.240.117
3 6 ms 6 ms 6 ms 217.239.55.2
4 6 ms 5 ms 5 ms 217.239.55.2
5 9 ms 8 ms 6 ms lag-10.edge4.Berlin1.Level3.net [4.68.73.5]
6 * 7 ms 6 ms ae-1-3502.edge3.Berlin1.Level3.net [4.69.159.1]
7 7 ms 8 ms 8 ms unknown.Level3.net [212.162.40.34]
8 6 ms 6 ms 5 ms 172.65.32.248

IPv6 is better:

D:\temp>tracert -6 acme-v02.api.letsencrypt.org.

2 5 ms 4 ms 4 ms 2003:0:8003:9800::1
3 * * * Zeitüberschreitung der Anforderung.
4 11 ms 11 ms 16 ms 2003:0:1403:c001::2
5 12 ms 12 ms 11 ms cloudflare-ic-314537-hbg-b1.c.telia.net [2001:2000:3080:e70::2]
6 10 ms 10 ms 10 ms 2606:4700:60:0:f53d:5624:85c7:3a2c

So it's a connection problem.

Hello,

The cmd is not showing any output…

openssl s_client -connect 172.65.32.248:443 2>/dev/null | openssl x509 -noout -subject -issuer

But the cmd is showing only CONNECTED, without any further output:
openssl s_client -connect 172.65.32.248:443
CONNECTED(00000003)

Hello,

Can anyone update in this regards…?

Also, the ping is successful, so we suspect that the issue is related to a connection problem.

Can you please try to perform the tracert from the letsencrypt server end…

This is the error we get while enabling or renewing Let’s Encrypt SSL/TLS Certificate for the domains…

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Error: Could not issue a Let’s Encrypt SSL/TLS certificate for sifarcrafts.com .

Failed to connect to the Let’s Encrypt server https://acme-v02.api.letsencrypt.org .
Please try again later or report the issue to support.
Details

Could not obtain directory: cURL error 28: Operation timed out after 150001 milliseconds with 0 out of 0 bytes received (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ask your hoster / data center.

That's a local problem in your configuration that you have to fix.

Let's Encrypt uses a CDN for the API service and so a traceroute from Let's Encrypt's data centers won't reveal anything very helpful about the connectivity here.

While Let's Encrypt staff can escalate connectivity problems to the CDN provider, it would be good to have a clear confirmation from your hosting provider that they also find this problem surprising or that it affects other servers that they host in the same facility. If not, it's still more likely that the problem is in a router or firewall configuration at your server's end.


Hello,

The traceroute is still showing a network-related issue, but changing the MTU settings resolved the issue while enabling or renewing Let’s Encrypt SSL/TLS certificates for the domains…

[root@india7 ~]# traceroute acme-v02.api.letsencrypt.org.
traceroute to acme-v02.api.letsencrypt.org. (172.65.32.248), 30 hops max, 60 byte packets
1 103.224.243.1 (103.224.243.1) 0.384 ms 0.444 ms 0.515 ms
2 * * *
3 * * *
4 62.216.145.229 (62.216.145.229) 160.773 ms 160.757 ms 160.714 ms
5 * * *
6 ge-0-3-0.0.pjr01.hkg005.flagtel.com (62.216.128.9) 260.491 ms ge-2-0-0.0.pjr01.hkg005.flagtel.com (85.95.25.41) 262.974 ms ge-5-0-0.0.ejr04.sin001.flagtel.com (62.216.137.141) 199.852 ms
7 * * xe-3-2-7.0.cji02.hkg003.flagtel.com (62.216.128.62) 269.379 ms
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *


Happy to read that you have found a solution :+1:

Can you share your old and new values?

Hello,

Changed the MTU settings from 1500 to 1400.


Thanks. Good to know if someone has the same problem.

This raises the question of whether the CDN and Let’s Encrypt are handling path MTU issues correctly or as well as possible, though.


Hi,

We have had multiple timeouts on 2 of our servers and changing MTU from 1500 to 1400 solved the issue. Other servers are good with MTU 1500.

We are using certbot client and if a timeout happens we are left with a lot of pending authorizations.

If you need any specific details, please let me know.

Thanks!

Hi, @globalone24 and @edo888,

Thanks to @mnordhoff’s suggestion, we’ve double-checked our infrastructure to make sure it can successfully negotiate MTUs when needed. It looks like it can.

Is there a chance that you, or your ISPs, are using a firewall that blocks fragmented packets or blocks all ICMP traffic?


Hi,

I’m not sure about fragmented packets; how can I check that? We do not block ICMP traffic. We have noticed the timeouts on only 2 servers after you changed the infrastructure from Akamai to Cloudflare; other servers are still fine.

Thanks!

@edo888,

Sorry about the delay! This is tricky to think through.

I’m not sure if there’s a convenient way to test your handling of fragmented packets. I’ve searched and haven’t found any tools, so I would probably use the Scapy library for Python to generate fragmented traffic, and monitor your interface with tcpdump or Wireshark to see how it’s handled.

I’d love to hear from anyone else who has ideas on this.

For testing path MTU discovery, there’s better news: the tracepath command (packaged as iputils-tracepath on Debian & Ubuntu) is a good way to test it.

Are your affected and unaffected servers on the same network, or different networks (and different paths to Cloudflare)?

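An added example, not posted by anyone in this thread: a small Python probe that does by hand what tracepath automates, binary-searching the largest packet that crosses the path with the DF bit set, so a result below 1500 (like the 1400 found above) can be confirmed before touching the interface MTU. It assumes a Linux iputils `ping` on the PATH; the host name defaults to the ACME endpoint from the thread.

```python
"""Path-MTU probe: binary search over DF-bit pings (added example, not from the thread)."""
import subprocess
import sys
from typing import Callable

IPV4_HDR = 20
ICMP_HDR = 8
OVERHEAD = IPV4_HDR + ICMP_HDR  # on-wire IPv4 packet = `ping -s` payload + 28 bytes


def df_ping_ok(host: str, payload: int, timeout_s: int = 2) -> bool:
    """True if one ICMP echo with DF set and `payload` bytes gets a reply.
    Assumes Linux iputils ping; `-M do` forbids fragmentation, so a
    'Frag needed' reply, a local 'message too long' or a plain timeout all
    make ping exit non-zero. A timeout where a smaller size works is the
    black-hole case: something is filtering the ICMP 'fragmentation needed'
    messages that PMTUD relies on."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True, text=True).returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest on-wire packet size in [lo, hi] that `probe` accepts.
    `probe(payload)` receives the ICMP payload size (packet size minus 28)
    and must be monotone: if size N passes, every smaller size passes too."""
    if not probe(lo - OVERHEAD):
        raise RuntimeError(f"even {lo}-byte packets fail; this is not an MTU problem")
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid - OVERHEAD):
            best, lo = mid, mid + 1  # fits: search larger sizes
        else:
            hi = mid - 1             # too big: search smaller sizes
    return best


def suggest_mtu(path_mtu: int, iface_mtu: int = 1500) -> int:
    """Interface MTU that keeps every frame within the measured path MTU."""
    return min(iface_mtu, path_mtu)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "acme-v02.api.letsencrypt.org"
    pmtu = find_path_mtu(lambda n: df_ping_ok(host, n))
    print(f"path MTU to {host}: {pmtu}; suggested interface MTU: {suggest_mtu(pmtu)}")
```

If the probe reports well under 1500 while plain `ping` (no DF) succeeds, the path is dropping either large frames or the ICMP replies that would have told the sender to shrink them, which matches the symptom of curl hanging on the directory fetch until its 150 s timeout.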
