Valapy
August 16, 2023, 5:25pm
1
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: Any domain that I try to create.
I ran this command: curl -I https://acme-v02.api.letsencrypt.org
It produced this output: curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host
My web server is (include version): Nginx-proxy docker with letsencrypt-companion
The operating system my web server runs on is (include version): Ubuntu 22.04
My hosting provider, if applicable, is: OVH
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0
9peppe
August 16, 2023, 5:40pm
2
Valapy:
No route to host
This doesn't sound banned.
Try:
dig a +short acme-v02.api.letsencrypt.org
ip route get $(dig a +short acme-v02.api.letsencrypt.org)
rg305
August 16, 2023, 5:57pm
4
Sounds like someone fat fingered the 172.16/12 route...
As something like:
172/8
172/9
172/10
172/11
OR
There is a firewall rule blocking similar "overextended network" destinations.
The correct network to block [see RFC 1918] is:
CIDR 172.16.0.0/12
Net Range 172.16.0.0 - 172.31.255.255
Not anything bigger than that, like:
CIDR 172.0.0.0/9
Net Range 172.0.0.0 - 172.127.255.255
^these will overlap with legitimate Internet IPs, like:
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Addresses: 2606:4700:60:0:f53d:5624:85c7:3a2c
172.65.32.248 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Aliases: acme-v02.api.letsencrypt.org
prod.api.letsencrypt.org
Valapy
August 16, 2023, 8:07pm
5
dig a +short acme-v02.api.letsencrypt.org
gives the result of:
prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248
And this one:
ip route get $(dig a +short acme-v02.api.letsencrypt.org)
Gives the result:
Error: any valid prefix is expected rather than "prod.api.letsencrypt.org.".
Valapy
August 16, 2023, 8:09pm
6
I don't get it, what do you mean by "someone fat fingered the 172.16/12?" Just curious about that
It's common for networks to block 172.16.0.0/12, since it's private IP space that shouldn't be routed on the public internet.
172.65.32.248, which your system is trying to connect to, is not in that block, but is "nearby". But if your network administrator (or ISP?) is blocking it anyway (due to incorrectly putting in the IP range), that would explain why you can't connect to it.
We've seen it here a couple of times before. Here's one recent example, but I know I've seen others.
9peppe
August 16, 2023, 8:23pm
8
my bad, go with
ip route get 172.65.32.248
Valapy
August 16, 2023, 8:27pm
9
It shows this:
172.65.32.248 dev br-a697cba443a2 src 172.65.0.1 uid 1000
rg305
August 16, 2023, 8:28pm
10
Someone may have typed in a route incorrectly = TYPO = fat fingers [hit wrong keys]
rg305
August 16, 2023, 8:31pm
12
Valapy:
src 172.65.0.1
It looks like you may be [incorrectly] using the network 172.65.0.0/16 for local systems.
What shows?
netstat -nr
Valapy
August 16, 2023, 8:52pm
13
Thanks guys, it was a mistake I made myself: I assigned the network 172.65.0.0/16 to a group of containers in Docker. I was doing everything wrong about assigning IPs to each project. I will fix that and do everything right!
Thanks all, now everything is working.
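The two mistakes discussed in this thread (post 4: a firewall rule or route written wider than RFC 1918's 172.16.0.0/12, and post 13: a Docker network carved out of 172.65.0.0/16, which is public Cloudflare space) are the same error: a block that is not wholly inside private space swallows legitimate Internet addresses. The script below is an added example, not code from the thread or from Docker or Let's Encrypt; it uses only Python's standard ipaddress module. It checks whether a block is entirely RFC 1918, lists the public ranges an over-wide block would capture, reports which local routes would hijack a given destination (the thread's 172.65.32.248), and picks a free private subnet for a new Docker network. The list of "local blocks" is constructed for the example; 172.17.0.0/16 is assumed as Docker's usual default bridge subnet.

```python
import ipaddress

# RFC 1918 private IPv4 space; anything outside these blocks is routable Internet space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_block(cidr):
    """True only if the whole block sits inside a single RFC 1918 range."""
    net = ipaddress.ip_network(str(cidr), strict=False)
    return any(net.subnet_of(p) for p in RFC1918)


def public_overlap(cidr):
    """Return the sub-ranges of cidr that are NOT RFC 1918, i.e. the public
    addresses a route or firewall rule for this block would capture.
    Aligned CIDR blocks either nest or are disjoint, so we only need to
    carve out private blocks that are fully contained in the candidate."""
    leftover = [ipaddress.ip_network(str(cidr), strict=False)]
    for priv in RFC1918:
        remaining = []
        for net in leftover:
            if net.subnet_of(priv):
                continue                              # entirely private: drop it
            if priv.subnet_of(net):
                remaining.extend(net.address_exclude(priv))  # punch the private hole out
            else:
                remaining.append(net)                 # disjoint: keep as-is
        leftover = remaining
    return [str(n) for n in sorted(leftover)]


def captures(cidr, ip):
    """Would a route/rule for cidr match traffic to ip?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(str(cidr), strict=False)


def route_conflicts(local_blocks, target_ip):
    """Local blocks (e.g. Docker bridge subnets from `ip route`) that would
    swallow traffic to target_ip, each flagged with whether it is RFC 1918.
    A non-private hit is the thread's failure mode: the container bridge
    route beats the default route, so the packet never leaves the host."""
    ip = ipaddress.ip_address(target_ip)
    hits = []
    for cidr in local_blocks:
        net = ipaddress.ip_network(str(cidr), strict=False)
        if ip in net:
            hits.append((str(net), is_private_block(net)))
    return hits


def first_free_subnet(in_use, pool="172.16.0.0/12", prefixlen=24):
    """Pick the first /prefixlen inside a private pool that overlaps nothing
    already in use; suitable for `docker network create --subnet ...`."""
    used = [ipaddress.ip_network(str(c), strict=False) for c in in_use]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: Docker's assumed default bridge
    # plus the mistaken 172.65.0.0/16 network, and the Let's Encrypt API address.
    local_blocks = ["172.17.0.0/16", "172.65.0.0/16"]
    target = "172.65.32.248"
    for cidr in ("172.16.0.0/12", "172.0.0.0/9", "172.65.0.0/16"):
        print(cidr, "private:", is_private_block(cidr), "public overlap:", public_overlap(cidr))
    print("routes hijacking", target, "->", route_conflicts(local_blocks, target))
    print("safe subnet for a new Docker network:", first_free_subnet(local_blocks))
```

Run it before adding a Docker network or a "block private space" firewall rule: any block for which is_private_block is False and public_overlap is non-empty will blackhole real Internet destinations, exactly as the 172.65.0.0/16 bridge did here.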
system
Closed
September 15, 2023, 8:52pm
14
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.