I think my Server IP is blocked or something

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Any domain that I try to create.

I ran this command: curl -I https://acme-02.api.letsencrypt.org

It produced this output: curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host

My web server is (include version): Nginx-proxy docker with letsencrypt-companion

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

This doesn't sound banned.

Try:

dig a +short acme-v02.api.letsencrypt.org

ip route get $(dig a +short acme-v02.api.letsencrypt.org)


Sounds like someone fat fingered the 172.16/12 route...
As something like:
172/8
172/9
172/10
172/11

OR

There is a firewall rule blocking similar "overextended network" destinations.

The correct network to block [see RFC 1918] is:
CIDR 172.16.0.0/12
Net Range 172.16.0.0 - 172.31.255.255

Not anything bigger than that, like:
CIDR 172.0.0.0/9
Net Range 172.0.0.0 - 172.127.255.255
^these will overlap with legitimate Internet IPs, like:

Name:      ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Addresses: 2606:4700:60:0:f53d:5624:85c7:3a2c
           172.65.32.248     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Aliases:   acme-v02.api.letsencrypt.org
           prod.api.letsencrypt.org
dig a +short acme-v02.api.letsencrypt.org 

gives the result of:

prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248

And this one:

ip route get $(dig a +short acme-v02.api.letsencrypt.org)

Gives the result:

Error: any valid prefix is expected rather than "prod.api.letsencrypt.org.".

I don't get it, what do you mean by "someone fat fingered the 172.16/12?" Just curious about that

It's common for networks to block 172.16.0.0/12, since it's private IP space that shouldn't be routed on the public internet.

172.65.32.248, which your system is trying to connect to, is not in that block, but is "nearby". But if your network administrator (or ISP?) is blocking it anyway (due to incorrectly putting in the IP range), that would explain why you can't connect to it.

We've seen it here a couple of times before. Here's one recent example, but I know I've seen others.


my bad, go with

ip route get 172.65.32.248

It shows this:

172.65.32.248 dev br-a697cba443a2 src 172.65.0.1 uid 1000 

Someone may have typed in a route incorrectly = TYPO = fat fingers [hit wrong keys]


It looks like you may be [incorrectly] using the network 172.65.0.0/16 for local systems.

What shows?
netstat -nr


Thanks guys, it was a mistake I made myself: I assigned a network with 172.65.0.0/16 to a group of containers in Docker. I was doing everything wrong about assigning IPs to each project. I will fix that and do everything right!

Thanks all, now everything is working.

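The three points made in the replies above, pulled together in one script as an added example that is not part of the original thread: only 172.16.0.0/12 is private, so any wider 172.x prefix (172.0.0.0/9, or the 172.65.0.0/16 the poster gave Docker) shadows real Internet addresses; `ip route get` is a longest-prefix match, so a bridge route for 172.65.0.0/16 captures 172.65.32.248 before the default route ever sees it; and the fix is to move the container network into RFC 1918 space that nothing else on the host already routes. The route lines are constructed in `ip route show` format (the bridge device name matches the one reported above, the rest is made up), and all function names are my own.

```python
"""Audit container bridge routes for overlap with public address space.

Added example (not from the thread): parse `ip route show` output, flag
bridge routes whose prefix reaches outside RFC 1918, reproduce the
longest-prefix match behind `ip route get`, and pick a free private /24
for `docker network create --subnet`. IPv4 only.
"""
import ipaddress

# RFC 1918 private blocks. 172.16.0.0/12 is the ONLY private 172.x block.
RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in `ip route show` format. The br-a697cba443a2 route is the
# one implied by the poster's `ip route get` output; the other lines are invented.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0 proto static
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.65.0.0/16 dev br-a697cba443a2 proto kernel scope link src 172.65.0.1
"""


def public_excess(cidr):
    """Sub-prefixes of `cidr` that lie outside every RFC 1918 block, sorted.

    An empty list means the prefix is entirely private. Aligned CIDR prefixes
    are either disjoint or nested, so carving out a private block is exact.
    """
    pieces = [ipaddress.ip_network(cidr, strict=False)]
    for block in RFC1918:
        kept = []
        for piece in pieces:
            if piece.subnet_of(block):
                continue                                    # fully private: drop
            if block.subnet_of(piece):
                kept.extend(piece.address_exclude(block))   # carve the private part out
            else:
                kept.append(piece)                          # disjoint: keep as is
        pieces = kept
    return [str(p) for p in sorted(pieces)]


def parse_routes(text):
    """Parse `ip route show` lines into (network, dev) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(prefix, strict=False), fields[fields.index("dev") + 1]))
    return routes


def route_for(text, ip):
    """Longest-prefix match: which (prefix, device) `ip route get <ip>` would pick."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, dev) for net, dev in parse_routes(text) if addr in net]
    net, dev = max(matches, key=lambda r: r[0].prefixlen)
    return str(net), dev


def leaking_bridge_routes(text, bridge_prefixes=("docker", "br-")):
    """Container bridge routes whose prefix shadows public addresses.

    Returns (prefix, device, public sub-prefixes) for each offending route.
    The host's own uplink subnet (eth0 here) is public by design, so only
    devices that look like Docker bridges are examined.
    """
    findings = []
    for net, dev in parse_routes(text):
        if dev.startswith(bridge_prefixes):
            excess = public_excess(str(net))
            if excess:
                findings.append((str(net), dev, excess))
    return findings


def free_private_subnet(text, pool="172.16.0.0/12", new_prefix=24):
    """First /new_prefix inside `pool` that overlaps no existing non-default route:
    a safe value for `docker network create --subnet`."""
    taken = [net for net, _ in parse_routes(text) if net.prefixlen > 0]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


if __name__ == "__main__":
    # A fat-fingered 172.0.0.0/9 "private" rule leaks three public prefixes,
    # one of which holds Let's Encrypt's 172.65.32.248.
    print("172.0.0.0/9 outside RFC 1918:", public_excess("172.0.0.0/9"))
    print("172.65.32.248 resolves via:", route_for(SAMPLE_ROUTES, "172.65.32.248"))
    print("leaking bridge routes:", leaking_bridge_routes(SAMPLE_ROUTES))
    print("use instead: --subnet", free_private_subnet(SAMPLE_ROUTES))
```

Run it on a live host by piping `ip route show` into `parse_routes`; anything `leaking_bridge_routes` reports is a prefix that will silently swallow traffic to real Internet hosts, exactly as the br-a697cba443a2 route did for acme-v02.api.letsencrypt.org here.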
