I can't renew a certificate - Network is unreachable

Hello, I'm trying to test renewing the certificate with sudo certbot renew --dry-run and I'm getting an error.

My domain is:

I ran this command:
sudo certbot renew --dry-run
It produced this output:

user@bw:/etc/nginx/sites-enabled$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bw.#####.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate bw..#####.com with error: Requesting acme-staging-v02.api.letsencrypt.org/directory: Network is unreachable

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/bw..#####.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Curl output

curl -v https://acme-v02.api.letsencrypt.org/
*   Trying 172.65.32.248:443...
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
* connect to 172.65.32.248 port 443 failed: Connection timed out
* Failed to connect to acme-v02.api.letsencrypt.org port 443 after 130912 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to acme-v02.api.letsencrypt.org port 443 after 130912 ms: Connection timed out

My web server is (include version):
Nginx 1.18.0 ubuntu
The operating system my web server runs on is (include version):
Ubuntu 22.04 LTS
I can login to a root shell on my machine (yes or no, or I don't know):
yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.29.0

Here are my iptables firewall settings:

Chain INPUT (policy DROP 810 packets, 47175 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 147K  270M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   704 ACCEPT     tcp  --  *      *       $$$$$$$$$/24       0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
 1199 77855 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            172.16.0.0/12       
  317 16222 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
  150  9000 ACCEPT     tcp  --  *      *       $$$$$$$$$/24       0.0.0.0/0            tcp dpt:443 state NEW

Chain OUTPUT (policy DROP 4325 packets, 296K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6100  862K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
44383  133M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
87423  137M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  615 36860 ACCEPT     all  --  *      *       172.16.0.0/12        0.0.0.0/0           
  334 24443 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

I can connect to it with Chrome https://nevermind.com/ and I can ping it; I am on IPv4 only.

$ ping nevermind.com
PING nevermind.com (45.55.233.218): 56 data bytes
64 bytes from 45.55.233.218: icmp_seq=0 ttl=38 time=84.227 ms
64 bytes from 45.55.233.218: icmp_seq=1 ttl=38 time=84.907 ms
64 bytes from 45.55.233.218: icmp_seq=2 ttl=38 time=84.128 ms
64 bytes from 45.55.233.218: icmp_seq=3 ttl=38 time=83.924 ms
2 Likes

You have, in the past, successfully gotten certificates from Let's Encrypt crt.sh | nevermind.com

Also SSL Server Test: nevermind.com (Powered by Qualys SSL Labs) only shows an IPv4 address.

I get this for:

$ curl -v https://acme-v02.api.letsencrypt.org/
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Jul  9 19:20:18 2022 GMT
*  expire date: Oct  7 19:20:17 2022 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x3e1f849000)
> GET / HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.79.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx
< date: Tue, 30 Aug 2022 14:47:43 GMT
< content-type: text/html
< content-length: 1540
< last-modified: Thu, 23 Jun 2022 21:17:41 GMT
< etag: "62b4d875-604"
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Boulder: The Let's Encrypt CA</title>

  <style type="text/css">
    header { display: flex; max-height: 30vh; flex-wrap: wrap; margin-bottom: 10vh; }
    header img { display: flex; max-height: 20vh; align-content: flex-end; margin-right: 20px; }
  </style>
</head>

<body>
  <header>
    <section>
      <img src="/static/images/LE-Logo-LockOnly.svg"/>
    </section>
    <section>
      <h1>Boulder<br>
      <small>The Let's Encrypt CA</small></h1>
    </section>
  </header>

  <section>
    <p>This is an <a href="https://tools.ietf.org/html/rfc8555">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</p>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/docs"><tt>https://letsencrypt.org/docs</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v02.api.letsencrypt.org/directory"><tt>https://acme-v02.api.letsencrypt.org/directory</a></tt>.</p>
  </section>

  <footer>
      <p>
        <a href="https://letsencrypt.status.io" title="Status">Service Status (letsencrypt.status.io)</a> |
        <a href="https://twitter.com/letsencrypt" title="Twitter">Let's Encrypt Twitter</a>
      </p>
  </footer>

</body>
</html>
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
3 Likes

Sorry, nevermind.com is kind of a placeholder; I didn't want to show the real address, so I've used this one. Sorry again for confusing you.

1 Like

Hello @shprd95, :slightly_smiling_face:

Placeholders are hard for us to test with.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

2 Likes

You are not making outbound connections to the Let's Encrypt API server.

Do either of these work? Please show output:

curl -4 https://ifconfig.co
curl -6 https://ifconfig.co
4 Likes

100% agree! Especially when they are valid domains owned by someone else.

6 Likes

Hi!

curl -4 https://ifconfig.co
curl: (28) Failed to connect to ifconfig.co port 443 after 214879 ms: Connection timed out

With curl -6 I got the same output.

1 Like

Whereas I get this as my response:

$ curl -4 https://ifconfig.co
98.246.255.230

Trying to show a working response for you.

2 Likes

Yeah, thanks, I got it. I've gotta have this output, but unfortunately I can't :frowning:

1 Like

A router configuration issue on port forwarding is likely the issue.

2 Likes

Possible cause of this time out is the incorrect routing of a too wide IP address space in the 172.0.0.0/8 block. The private IP address space related to the 172 prefix is 172.16.0.0/12, but often people don't set up the /12 correctly, but a wider address space, such as the entire 172.0.0.0/8 range. This would mess up connections to public IP addresses outside the 172.16.0.0/12 range, but inside the 172.0.0.0/8 range.

Please double check your routing for the 172.0.0.0/8 address space and make sure you have the subnet mask correctly set if you're using 172.16.0.0/12 as private address space.

5 Likes

And it's working fine if the iptables OUTPUT default policy is set to ACCEPT.

And so is there a problem at this point?

2 Likes

Yes, basically I have to keep the iptables OUTPUT chain set to DROP.

I would have thought INPUT being DROPped and allowing OUTPUT, but I do not always see things and think the same as others. Let's see what good advice you get from the rest of the community.

2 Likes

If the connection is working with the default policy set to ACCEPT and not when DROPped, then it must have something to do with that.

Usually, you want the OUTPUT chain to be set to ACCEPT, why would you set it to DROP? What other rules are in the OUTPUT chain?

4 Likes

Thanks, buddy. My INPUT default policy is set to DROP with HTTP, SSH, etc. allowed, and it is working great. Since I changed the OUTPUT default policy to ACCEPT it has started to reissue the certificates, which is great, but the task I have requires the OUTPUT chain to be DROPped by default. So there's gotta be a rule to allow connections to Let's Encrypt....

1 Like

Sure, here are my rules:

Chain INPUT (policy DROP 810 packets, 47175 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 147K  270M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   704 ACCEPT     tcp  --  *      *       $$$$$$$$$/24       0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
 1199 77855 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            172.16.0.0/12       
  317 16222 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
  150  9000 ACCEPT     tcp  --  *      *       $$$$$$$$$/24       0.0.0.0/0            tcp dpt:443 state NEW

Chain OUTPUT (policy DROP 4325 packets, 296K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6100  862K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
44383  133M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
87423  137M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  615 36860 ACCEPT     all  --  *      *       172.16.0.0/12        0.0.0.0/0           
  334 24443 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

When OUTPUT is set to ACCEPT, then it works; if DROP, then not :slight_smile:

And what's the local IP address of that host?

4 Likes
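The following is an added example, not code from the thread or from Let's Encrypt: a small first-match evaluator that walks the OUTPUT chain exactly as posted above (policy DROP) and shows why certbot's outbound connection never leaves the host, then shows the same chain with the one rule it is missing. It also covers the earlier 172.0.0.0/8 routing point with a CIDR check. The ACME destination 172.65.32.248 is taken from the curl output in the thread; the host source address 203.0.113.10, the private source 172.16.5.5 and the port numbers are constructed for illustration.

```python
"""Added example (not from the thread): iptables-style first-match evaluation
of the posted OUTPUT chain, plus a CIDR check for the 172.0.0.0/8 remark."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    dport: int
    sport: int
    state: str          # conntrack state: NEW, ESTABLISHED or RELATED
    out_iface: str = "eth0"  # assumed egress interface name


@dataclass
class Rule:
    target: str
    proto: str = "all"              # "all", "tcp" or "udp"
    out_iface: str = "*"            # "*" matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    sport: Optional[int] = None
    states: frozenset = frozenset()  # empty set means no state match at all

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.out_iface != "*" and self.out_iface != pkt.out_iface:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def evaluate(chain, policy, pkt):
    """iptables semantics: the first matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The OUTPUT chain transcribed from the thread (policy DROP), in the posted order.
POSTED_OUTPUT = [
    Rule("ACCEPT", proto="tcp", sport=22, states=frozenset({"ESTABLISHED"})),
    Rule("ACCEPT", out_iface="lo"),
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", src="172.16.0.0/12"),
    Rule("ACCEPT", proto="udp", dport=53),
]

# The rule the posted chain lacks: a NEW outbound TCP connection to port 443.
MISSING_HTTPS_RULE = Rule("ACCEPT", proto="tcp", dport=443, states=frozenset({"NEW"}))

# Constructed packet: certbot's first SYN towards the ACME host IP seen in the curl output.
ACME_SYN = Packet("tcp", src="203.0.113.10", dst="172.65.32.248",
                  dport=443, sport=51234, state="NEW")


def verdict_posted(pkt=ACME_SYN):
    """Verdict for the chain exactly as posted (expected: DROP for the ACME SYN)."""
    return evaluate(POSTED_OUTPUT, "DROP", pkt)


def verdict_fixed(pkt=ACME_SYN):
    """Verdict once the missing NEW tcp/443 rule is appended (expected: ACCEPT)."""
    return evaluate(POSTED_OUTPUT + [MISSING_HTTPS_RULE], "DROP", pkt)


def in_wide_172_but_not_private(ip: str) -> bool:
    """True when ip lies inside 172.0.0.0/8 but outside the real private block 172.16.0.0/12,
    i.e. a public address that an over-wide /8 route or rule would wrongly capture."""
    a = ipaddress.ip_address(ip)
    return a in ipaddress.ip_network("172.0.0.0/8") and a not in ipaddress.ip_network("172.16.0.0/12")


if __name__ == "__main__":
    print("posted chain:", verdict_posted())
    print("with tcp/443 NEW rule:", verdict_fixed())
    print("172.65.32.248 caught by a /8 mistake:", in_wide_172_but_not_private("172.65.32.248"))
```

Two things the evaluator makes visible. First, nothing in the posted chain accepts a NEW outbound TCP connection: only return traffic (RELATED,ESTABLISHED), loopback, DNS and packets sourced from 172.16.0.0/12 get through, so the DROP policy catches certbot's SYN and curl reports the connection timeout seen above; the equivalent iptables rule is iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT. Second, the 172.16.0.0/12 source rule would accept everything if the host's own address were inside that block, which is why the last post asks for the local IP; and the ACME endpoint 172.65.32.248 is a public address inside 172.0.0.0/8, exactly the case the over-wide /8 remark warns about.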