Resolved - thanks

tkaefer · October 21, 2022, 3:05pm

Hi,

I cannot start the registration, my IP (89.58.53.31) seems top be blocked:

curl -4 -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* connect to 172.65.32.248 port 443 failed: Keine Route zum Zielrechner
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Keine Route zum Zielrechner
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Keine Route zum Zielrechner
root@three:/srv/docker/run/rproxy# curl -4v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* connect to 172.65.32.248 port 443 failed: Keine Route zum Zielrechner
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Keine Route zum Zielrechner
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Keine Route zum Zielrechner

Background:
I've just ordered this server from the ISP. It seems as the IP has been misused or something in the past.
Now I need to remove it from several black lists.

Bruce5051 · October 21, 2022, 3:10pm

Hello @tkaefer, welcome to the Let's Encrypt community.

It would seem you have a connectivity issue.
You failed to connect out from your system.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

tkaefer · October 21, 2022, 3:40pm

My domain is:
nc.666s.de (but it never cmae to a registration request for this new server)

I ran this command:
I am running this docker-compose setup: GitHub - evertramos/nginx-proxy-automation: Automated docker nginx proxy integrated with letsencrypt.

It produced this output:
letsencrypt-auto | [Fri Oct 21 15:33:42 UTC 2022] Please refer to libcurl - Error Codes for error code: 7
letsencrypt-auto | [Fri Oct 21 15:33:42 UTC 2022] Could not get nonce, let's try again.

My web server is (include version):
/ # nginx -v
nginx version: nginx/1.22.1

The operating system my web server runs on is (include version):
dockerized debian

My hosting provider, if applicable, is: netcup

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

/app # ./acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.9.0

On the host and the docker container, running some debug things:

 curl -4v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* connect to 172.65.32.248 port 443 failed: Keine Route zum Zielrechner
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Keine Route zum Zielrechner
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Keine Route zum Zielrechner

curl -4v https://google.com
*   Trying 142.250.186.142:443...
* Connected to google.com (142.250.186.142) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.google.com
*  start date: Sep 12 08:17:00 2022 GMT
*  expire date: Dec  5 08:16:59 2022 GMT
*  subjectAltName: host "google.com" matched cert's "google.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x562e415cb2c0)
> GET / HTTP/2
> Host: google.com
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 301
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< date: Fri, 21 Oct 2022 15:39:55 GMT
< expires: Fri, 21 Oct 2022 15:39:55 GMT
< cache-control: private, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: CONSENT=PENDING+209; expires=Sun, 20-Oct-2024 15:39:55 GMT; path=/; domain=.google.com; Secure
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact

curl -6v https://acme-v02.api.letsencrypt.org/directory
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Sep  8 19:39:52 2022 GMT
*  expire date: Dec  7 19:39:51 2022 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5613249672c0)
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx
< date: Fri, 21 Oct 2022 15:40:17 GMT
< content-type: application/json
< content-length: 659
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
  "huASqIF1PMs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

Bruce5051 · October 21, 2022, 3:53pm

Here is what I see, and I successfully connect to https://acme-v02.api.letsencrypt.org/directory

$ curl -4 -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Sep  2 19:13:12 2022 GMT
*  expire date: Dec  1 19:13:11 2022 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55a0f3eb9480)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 200
< server: nginx
< date: Fri, 21 Oct 2022 15:50:00 GMT
< content-type: application/json
< content-length: 659
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
  "GBQqpu_e4Io": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
}

This seem that you have a connectivity issue, possibly routing NAT firewall etc.

tkaefer:

 curl -4v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* connect to 172.65.32.248 port 443 failed: Keine Route zum Zielrechner
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Keine Route zum Zielrechner
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Keine Route zum Zielrechner

Bruce5051 · October 21, 2022, 4:03pm

Also with https://check-host.net/ I see several locations around the world that cannot connect, several can
Check report was removed: Check host - online website monitoring

Bruce5051 · October 21, 2022, 4:12pm

Here is what https://letsdebug.net/ with HTTP-01 Challenge is showing:
Let's Debug
Some IP Addressing Errors.

Bruce5051 · October 21, 2022, 4:14pm

Also here is a list of certificates that have been issued crt.sh | nc.666s.de, the latest being 2022-09-18.

tkaefer · October 21, 2022, 4:41pm

Resolved. Thanks.

Bruce5051 · October 21, 2022, 4:43pm

You are welcome @tkaefer.
Do you know what resolved the issue?
Thanks!

tkaefer · October 21, 2022, 4:59pm

A missing netmask 255.255.255.255 in /etc/network/interfaces for a secondary IP.

I got misled by an other post here, similar error description. But I didn't do my own backyard cleaning first.

ip r showed me a strange routing entry for that secondary IP.

strangely I do have a default gateway and the secondary IP had a /32 network suffix attached.

Anyways thanks.

Bruce5051 · October 21, 2022, 5:03pm

Thanks again!

system · November 20, 2022, 5:04pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.