I think my home IP is blocked for my Caddy server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: erfianugrah.com

I ran this command:
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
cat /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

It produced this output:

22849863120704:error:02002071:system library:connect:No route to host:crypto/bio/b_sock2.c:110:
22849863120704:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
22849863120704:error:02002065:system library:connect:Network is unreachable:crypto/bio/b_sock2.c:110:
22849863120704:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=101
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

My web server is (include version):
Caddy v2.7.6

The operating system my web server runs on is (include version):
Unraid 6.12.10

My hosting provider, if applicable, is:
Home usage

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Caddy server

This is an error from your side, not from Let's Encrypt side. Are you trying to use IPv4 or IPv6 to connect? What's your routing table or a traceroute look like? We've seen some cases where firewalls or networks were misconfigured and thought that Let's Encrypt's server IP was in their own private network instead of being a normal public IP.


Side Note: Using the online tool Let's Debug yields these results
https://letsdebug.net/erfianugrah.com/1943315

CloudflareCDN
WARNING
The domain erfianugrah.com is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

What do these show?

  • dig acme-v02.api.letsencrypt.org
  • traceroute -T -p 443 acme-v02.api.letsencrypt.org

Side note: here is a list of issued certificates: crt.sh | erfianugrah.com, the latest being 2024-05-10, issued from "C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA".

The latest Let’s Encrypt issued certificate was 2024-05-07.

And this shows the certificate presently being served (SSL Checker), which is this certificate: crt.sh | 12979582034


Think you're right. This didn't happen before, but when I updated the Caddy compose, one of my other Docker networks had the same IP range as the LE one, so it was going to the private network gateway instead of to the internet.

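To make the diagnosis above concrete (the reply asking for the routing table, and the finding that a Docker network had claimed the same range as the Let's Encrypt endpoint), here is an added example that is not code from this thread, from Caddy or from Let's Encrypt. It parses `ip route` output, does the same longest-prefix match the kernel does, and flags any globally routable ACME address that is captured by a route more specific than the default, which is exactly how a Docker bridge subnet in public space turns into "No route to host". The route tables, the bridge name `br-9f2c0a1b4d3e` and the endpoint address are constructed sample values; on a real host, resolve the address with `dig acme-v02.api.letsencrypt.org` (and `AAAA` for IPv6) and feed the output of `ip route` and `ip -6 route`.

```python
import ipaddress
from collections import namedtuple

# One parsed line of `ip route` / `ip -6 route` output.
Route = namedtuple("Route", ["prefix", "dev", "via"])


def parse_ip_route(text):
    """Parse `ip route` style output into Route tuples.

    Lines whose first token is not a prefix or 'default' (for example
    'unreachable ...' or 'blackhole ...') are skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = parts[0]
        try:
            if dst == "default":
                # `ip route` prints the all-zero prefix as "default". Assumption:
                # a v6 default route has an IPv6 next-hop or src somewhere on the line.
                is_v6 = any(":" in tok for tok in parts[1:])
                prefix = ipaddress.ip_network("::/0" if is_v6 else "0.0.0.0/0")
            else:
                prefix = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue
        dev = via = None
        for i, tok in enumerate(parts[1:-1], start=1):
            if tok == "dev":
                dev = parts[i + 1]
            elif tok == "via":
                via = parts[i + 1]
        routes.append(Route(prefix, dev, via))
    return routes


def select_route(routes, ip):
    """Longest-prefix match over the table, as the kernel does (metrics ignored)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes
                  if addr.version == r.prefix.version and addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def check_acme_routes(routes, acme_ips):
    """Return one (ip, verdict, route) tuple per endpoint address.

    'shadowed' means a globally routable address matched a route more
    specific than the default, so packets go to a local link such as a
    Docker bridge instead of the internet gateway. That is the failure in
    this thread, which openssl reported as 'No route to host'.
    """
    findings = []
    for ip in acme_ips:
        addr = ipaddress.ip_address(ip)
        route = select_route(routes, ip)
        if route is None:
            verdict = "no-route"
        elif addr.is_global and route.prefix.prefixlen > 0:
            verdict = "shadowed"
        else:
            verdict = "ok"
        findings.append((ip, verdict, route))
    return findings


# Constructed `ip route` output for a host where a Docker network was
# created with the subnet 172.65.0.0/16, which is public address space.
BROKEN_ROUTES = """\
default via 192.168.1.1 dev br0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.65.0.0/16 dev br-9f2c0a1b4d3e proto kernel scope link src 172.65.0.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.50
"""

# The same host after the Docker network was recreated inside RFC 1918 space.
FIXED_ROUTES = (BROKEN_ROUTES
                .replace("172.65.0.0/16", "172.30.0.0/16")
                .replace("172.65.0.1", "172.30.0.1"))

# Constructed endpoint address standing in for the A record of
# acme-v02.api.letsencrypt.org; resolve the real one with dig.
ACME_IPS = ["172.65.32.248"]

if __name__ == "__main__":
    for label, table in (("before", BROKEN_ROUTES), ("after", FIXED_ROUTES)):
        for ip, verdict, route in check_acme_routes(parse_ip_route(table), ACME_IPS):
            where = f"{route.prefix} dev {route.dev}" if route else "-"
            print(f"{label}: {ip} -> {verdict} ({where})")
```

`ip route get <address>` on the host gives the same answer for one address in a single command; the script is for checking every A and AAAA record at once and for reading a table someone pasted into a thread. The "after" table corresponds to the fix in this thread: move the Docker network back into private address space so the default route wins again.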

Not the first time we've seen a system confused about which IPs are in private IP space.

Glad you got it figured out!


Just for the sake of posterity, "Let's Encrypt is blocking my IP" is (almost) never the reason you can't get a cert. I kind of wish I knew why people are so inclined to jump to this conclusion, because it's vanishingly rare that it's actually the case.


Agreed, they have stated that they [LE] only ever block a handful of IPs [and not forever].
So the odds are staggeringly against such a thing ever happening.
Yet... that is their [customers'] obvious conclusion.


I just saw a case where it was actually the case, and this hasn't happened to me before (I did get rate-limited before because I hosted a lot of applications at home). In my Caddy config, I specifically used an external resolver (1.1.1.1 in this case), but somehow it got routed to the gateway instead. Lesson learnt.

"just" as in recent? And on this forum?

Because I think I've read every thread for many months and don't recall a recent legit case of Let's Encrypt blocking an IP. Yes, there have been some long ago but it is exceedingly rare as already noted.

People sometimes claim that's what happened to avoid admitting an error of their own. We see that more often than LE blocking an IP 🙂


"Just" as in me just finding it, as opposed to the post being recent; I think it was from 2021, and the problem statement is very similar to mine. And I didn't immediately think it would be a PEBCAK, since I made no changes to my router or the Caddy config as of late, so that's why the post. But yeah, in this case it was somehow routed to an internal gateway even though an external resolver was set, and I didn't use any PBRs on the router side of things to route DNS queries.

