IPs blocked? Connection to API no longer possible

Hi all,

We seem to be blocked by Let's Encrypt. It's not possible to connect to the API anymore (was working fine, nothing changed on our side):

My IP is:
194.230.72.227

I ran this command:
curl -4 -v https://acme-v02.api.letsencrypt.org/

It produced this output:

*   Trying 172.65.32.248:443...
    (until timeout)

Also traceroute does not work:
traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *

Pinging is fine however:
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=57 time=2.95 ms

We double-checked the firewall etc. but cannot find the problem on our side. The problem just occurred on an otherwise running system out of nowhere.

Any idea what it could be?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Dear RIP, I did not include a domain, because it's not a problem about a domain!

It's only the connection to https://acme-v02.api.letsencrypt.org/ - that is why I included the IP.

My IP is:
194.230.72.227

I ran this command:
curl -4 -v https://acme-v02.api.letsencrypt.org/

It produced this output:

*   Trying 172.65.32.248:443...
    (until timeout)

The traceroute and curl should respond differently if Let's Encrypt were blocking your IP.

What do these show?

curl -I4 https://cloudflare.com

curl -I4 https://google.com
3 Likes

It fails on line 1, that is not LE doing the "blocking".
That is a firewall, or routing, problem - local to your system/site.
Please show either of:
netstat -nr
ip route

3 Likes

We have had a few cases recently of networks that couldn't route to (or otherwise blocked) the IP because 172.65 is near the 172.16.0.0/12 private IP space and systems were misconfigured to think that it was part of that block too. It would seem a bit odd if ping works and 443 doesn't, but it could be a firewall blocking TCP and allowing ICMP or something like that. Just something random to look into because it seems to have come up lately.

5 Likes
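The two suggestions above (check the local routing table, and check whether 172.65.32.248 is being mistaken for RFC 1918 space) can be verified mechanically. The following is an added example, not code from the thread or from Let's Encrypt: it compares a correct 172.16.0.0/12 membership test with the sloppy "anything starting with 172." test that causes the misconfiguration described, and it does a longest-prefix lookup over `ip route` style output to show which route would carry the API address. The route tables are constructed samples using the 192.0.2.0/24 documentation network (they are not the original poster's configuration); only the API address 172.65.32.248 comes from the thread. Note that a route-level blackhole would also break ping, so in the poster's case (ping works, TCP/443 does not) the firewall is the more likely culprit, as the replies say.

```python
import ipaddress

# RFC 1918 private ranges, written out explicitly so the boundaries are visible.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Address that acme-v02.api.letsencrypt.org resolved to in the thread.
LE_API_IP = "172.65.32.248"

# Constructed sample `ip route` output: a misconfigured host that blackholes
# the whole 172.0.0.0/8 instead of just 172.16.0.0/12 (addresses are from the
# 192.0.2.0/24 documentation range, not a real network).
MISCONFIGURED_ROUTES = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
blackhole 172.0.0.0/8
"""

# Constructed sample with the intended rule: only the real private /12 is dropped.
CORRECT_ROUTES = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
blackhole 172.16.0.0/12
"""


def is_private_correct(ip: str) -> bool:
    """True only for addresses inside an RFC 1918 block (172.16.0.0 - 172.31.255.255 for the /12)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_private_sloppy(ip: str) -> bool:
    """The misconfiguration from the thread: treat every 172.x.x.x address as private."""
    return ip.startswith(("10.", "172.", "192.168."))


def parse_ip_route(text: str) -> list:
    """Parse `ip route` output lines into dicts with kind, network, gateway and device."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] in ("blackhole", "unreachable", "prohibit"):
            kind, dst, rest = parts[0], parts[1], parts[2:]
        else:
            kind, dst, rest = "unicast", parts[0], parts[1:]
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        via = rest[rest.index("via") + 1] if "via" in rest else None
        dev = rest[rest.index("dev") + 1] if "dev" in rest else None
        routes.append({"kind": kind, "net": net, "via": via, "dev": dev})
    return routes


def route_for(ip: str, routes: list):
    """Longest-prefix match: the route the kernel would pick for this destination."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen, default=None)


def diagnose(ip: str, route_text: str) -> dict:
    """Summarise what each check says about reaching `ip` from a host with this routing table."""
    chosen = route_for(ip, parse_ip_route(route_text))
    return {
        "rfc1918_correct": is_private_correct(ip),
        "rfc1918_sloppy": is_private_sloppy(ip),
        "route_kind": chosen["kind"] if chosen else "none",
        "route_net": str(chosen["net"]) if chosen else None,
    }


if __name__ == "__main__":
    print("misconfigured:", diagnose(LE_API_IP, MISCONFIGURED_ROUTES))
    print("correct:      ", diagnose(LE_API_IP, CORRECT_ROUTES))
```

On a real host, feed it the actual `ip route` output (`ip route > routes.txt`) and compare `route_kind` against what `ip route get 172.65.32.248` reports; if the route is a normal unicast one but TCP/443 still times out at hop 1, look at the local firewall rules next.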

The traceroute shows the failure starts at line one.
Line one should be their local router/gateway.
[likely also a firewall]

Which firewalls have been checked?

2 Likes
