IP Blocked? Can't renew Certificates

We are hosting a nameserver which manages multiple domains and Let's Encrypt certificates.
While trying to renew a certificate using dehydrated 7.0 (GitHub: dehydrated-io/dehydrated), the script times out with the following error message:

ERROR: Problem connecting to server (head for https://acme-v02.api.letsencrypt.org/acme/new-nonce; curl returned with 7)

We also get no ping response from acme-v02.api.letsencrypt.org (gets resolved to 172.65.32.248).

FQDN: ns1.ednt.de
IP: 116.203.210.191

Hi @MariusK and welcome to the LE community forum.

Please show the outputs of:
curl --version
curl -4 ifconfig.co
curl -6 ifconfig.co
curl -4 https://acme-v02.api.letsencrypt.org/
curl -6 https://acme-v02.api.letsencrypt.org/


Hi @rg305 thanks

curl --version

curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

curl -4 ifconfig.co

116.203.210.191

curl -4 https://acme-v02.api.letsencrypt.org/

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Boulder: The Let's Encrypt CA</title>

  <style type="text/css">
    header { display: flex; max-height: 30vh; flex-wrap: wrap; margin-bottom: 10vh; }
    header img { display: flex; max-height: 20vh; align-content: flex-end; margin-right: 20px; }
  </style>
</head>

<body>
  <header>
    <section>
      <img src="/static/images/LE-Logo-LockOnly.svg"/>
    </section>
    <section>
      <h1>Boulder<br>
      <small>The Let's Encrypt CA</small></h1>
    </section>
  </header>

  <section>
    <p>This is an <a href="https://github.com/ietf-wg-acme/acme/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</p>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/docs"><tt>https://letsencrypt.org/docs</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v02.api.letsencrypt.org/directory"><tt>https://acme-v02.api.letsencrypt.org/directory</a></tt>.</p>
  </section>

  <footer>
      <p>
        <a href="https://letsencrypt.status.io" title="Status">Service Status (letsencrypt.status.io)</a> |
        <a href="https://twitter.com/letsencrypt" title="Twitter">Let's Encrypt Twitter</a> |
        <a href="https://twitter.com/letsencrypt_ops" title="Twitter">Let's Encrypt Operations Twitter</a>
      </p>
  </footer>

</body>
</html>

curl -6 ifconfig.co and curl -6 https://acme-v02.api.letsencrypt.org/ get a Connection timeout


So your IPv6 connectivity is broken, it seems. This has nothing to do with Let's Encrypt's ACME API though, as ifconfig.co is also unreachable through IPv6.


Let's have a look at the logs:
/var/log/letsencrypt/letsencrypt.log


Is IPv6 connectivity necessary?
I never really used IPv6 on any of my machines.

There are no logs in /var/log/letsencrypt/letsencrypt.log.

I checked the network configuration again; I noticed that your cloud provider pushed an IPv6 gateway which doesn't seem to work.
After removing the entry I can run dehydrated again without errors.

But curl -6 ifconfig.co now returns
curl: (7) Couldn't connect to server
which makes sense because there is no default route.

No.

Please show:
ifconfig | grep -Ei 'add|inet'

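The diagnosis reached in this thread (IPv4 works, IPv6 times out behind a non-working gateway, then fails immediately once the route is gone) can be reproduced per address family. The following is an added example, not code from any poster or from dehydrated; the function names `probe` and `diagnose` and the status labels are assumptions made for illustration.

```python
import errno
import socket

NO_ROUTE = (errno.ENETUNREACH, errno.EHOSTUNREACH)

def probe(host, port=443, family=socket.AF_INET, timeout=5.0):
    """TCP-connect to host:port over a single address family.

    Returns (status, detail); status is 'ok', 'no-address', 'timeout',
    'no-route', 'refused' or 'error'.
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "no-address", str(exc)      # no address for this family
    status, detail = "error", "no address tried"
    for fam, kind, proto, _name, addr in infos:
        try:
            with socket.socket(fam, kind, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(addr)
                return "ok", addr[0]
        except (socket.timeout, TimeoutError):
            # Packets leave but nothing answers, e.g. a dead gateway.
            status, detail = "timeout", addr[0]
        except ConnectionRefusedError:
            status, detail = "refused", addr[0]
        except OSError as exc:
            # No usable route: the kernel rejects the connect immediately.
            status = "no-route" if exc.errno in NO_ROUTE else "error"
            detail = f"{addr[0]}: {exc.strerror}"
    return status, detail

def diagnose(host, port=443, timeout=5.0):
    """Probe IPv4 and IPv6 separately so one broken family is obvious."""
    return {
        "ipv4": probe(host, port, socket.AF_INET, timeout),
        "ipv6": probe(host, port, socket.AF_INET6, timeout),
    }

if __name__ == "__main__":
    # Hostname taken from the thread; running this needs network access.
    for fam, (status, detail) in diagnose("acme-v02.api.letsencrypt.org").items():
        print(f"{fam}: {status} ({detail})")
```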
