I believe my IP has been blocked

My domain is: aniversario2023.supermercadovioleta.com.br

I ran this command: certbot --nginx -d aniversario2023.supermercadovioleta.com.br

It produced this output:

An unexpected error occurred:
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx version: nginx/1.22.1

The operating system my web server runs on is (include version):
Alma Linux 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0

ping acme-v02.api.letsencrypt.org

PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
From violeta.supermercadovioleta.com.br (172.20.60.107) icmp_seq=1 Destination Host Unreachable
From violeta.supermercadovioleta.com.br (172.20.60.107) icmp_seq=2 Destination Host Unreachable
From violeta.supermercadovioleta.com.br (172.20.60.107) icmp_seq=3 Destination Host Unreachable
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5160ms

curl -vvvv -I -L -k https://acme-v02.api.letsencrypt.org/directory

* Trying 172.65.32.248...
* TCP_NODELAY set
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
* connect to 172.65.32.248 port 443 failed: No route to host
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
* Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host

Your IPv6 seems to be broken.

3 Likes

We do not use IPv6.

Our other servers work without problems.

Well, your server seems to think that it does use IPv6. So you either need to fix the IPv6 connectivity, or fix whatever configuration on the server made it try to route using IPv6 when it doesn't have any routes for it that work.

6 Likes

This is an IPv6 address:

2 Likes

I believe this is not the case, as the first attempt occurs in IPv4.

Anyway, I disabled it.

sysctl -w net.ipv6.conf.all.disable_ipv6=1

net.ipv6.conf.all.disable_ipv6 = 1

but the error still persists

curl tries both IPv4 and IPv6 at the same time and just sees which protocol answers first. An error from the IP stack is also an "answer", resulting in curl also erroring out.

What error do you get now and what does the curl test show after disabling IPv6?

2 Likes

curl -vvvv -I -L -k https://acme-v02.api.letsencrypt.org/directory

* Trying 172.65.32.248...
* TCP_NODELAY set
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
* connect to 172.65.32.248 port 443 failed: No route to host
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
* Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host

It started working again without me doing absolutely anything.

ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=56 time=1.63 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=56 time=1.75 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=3 ttl=56 time=1.91 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=4 ttl=56 time=2.06 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=5 ttl=56 time=1.67 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=6 ttl=56 time=1.65 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=7 ttl=56 time=1.66 ms

Hmkay, still trying to connect to IPv6. Maybe a caching issue with curl, I believe curl does that.

Previously, your ping also only tried IPv4?

I see now that IPv4 also did not work, missed that earlier. Weird. Temporary network issue I guess.

2 Likes

Very strange,

I believe it was something temporary. I appreciate everyone's availability.

3 Likes

Is that still the case?
[that should never happen]

2 Likes

The online tool Let's Debug is presently showing OK.
https://letsdebug.net/aniversario2023.supermercadovioleta.com.br/1615182

1 Like
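
Added example, not part of any post in this thread: the curl traces above interleave IPv4 and IPv6 attempts, which made it easy to miss that IPv4 was failing on its own. The script below reduces a `curl -v` trace to one verdict per address family; the function names, verdict labels and the sample trace (documentation addresses, `ca.example`) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): summarise a `curl -v` trace per address
# family so an IPv6 failure cannot hide what happened on IPv4.

# Reads curl's verbose output on stdin; prints "ipv4=<verdict> ipv6=<verdict>".
classify_trace() {
  awk '
    function family(a) { return (a ~ /:/) ? "ipv6" : "ipv4" }
    function verdict(r) {
      if (r ~ /Network is unreachable/)          return "no-local-route"
      if (r ~ /Cannot assign requested address/) return "no-source-address"
      if (r ~ /No route to host/)                return "host-unreachable"
      if (r ~ /timed out/)                       return "timeout"
      if (r ~ /Connection refused/)              return "refused"
      return "other"
    }
    function get(f) { return (f in seen) ? seen[f] : "not-tried" }
    # "Immediate connect fail for <addr>: <reason>"
    /Immediate connect fail for / {
      rest = $0; sub(/^.*Immediate connect fail for /, "", rest)
      addr = rest; sub(/: .*$/, "", addr)
      seen[family(addr)] = verdict(rest)
    }
    # "connect to <addr> port <n> failed: <reason>"
    /connect to .* port [0-9]+ failed: / {
      rest = $0; sub(/^.*connect to /, "", rest)
      addr = rest; sub(/ port .*$/, "", addr)
      seen[family(addr)] = verdict(rest)
    }
    # "Connected to <host> (<addr>) port <n>"
    /Connected to .*\(/ {
      addr = $0; sub(/^.*Connected to [^(]*\(/, "", addr); sub(/\).*$/, "", addr)
      seen[family(addr)] = "connected"
    }
    END { printf "ipv4=%s ipv6=%s\n", get("ipv4"), get("ipv6") }
  '
}

# Constructed sample trace (documentation addresses, hypothetical host name).
sample_trace() {
  cat <<'EOF'
* Trying 192.0.2.10...
* Trying 2001:db8::10...
* Immediate connect fail for 2001:db8::10: Network is unreachable
* connect to 192.0.2.10 port 443 failed: No route to host
* Failed to connect to ca.example port 443: No route to host
EOF
}

sample_trace | classify_trace   # live use: curl -v -I <url> 2>&1 | classify_trace
```

An `ipv4=host-unreachable` verdict means the IPv4 path failed independently of whatever IPv6 reported, so disabling IPv6 alone would not be expected to change the outcome.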