I was trying to generate a cert for admlabo.sxpert.org (among other domains), and it wouldn’t connect over IPv6
using curl -v to test the connection to the API server, it would block at the ALPN part
I was able to obtain a cert by setting the server’s name and ipv4 in /etc/hosts
here’s the result of the mtr command :
mtr --report -w --as acme-v01.api.letsencrypt.org
AS50620 cerbere.sxpert.org 0.0% 10 0.4 0.4 0.3 0.4 0.0
AS50620 crs3-gre.as50620.net 0.0% 10 9.0 10.3 8.8 19.9 3.4
AS??? 10gigabitethernet-2-2.par2.he.net 0.0% 10 9.6 12.4 8.9 30.3 6.6
AS??? 100ge5-2.core1.fra1.he.net 0.0% 10 21.0 24.2 18.2 36.7 5.6
AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
AS5511 et3-0-1-0.pastr3.Pastourelle.opentransit.net 0.0% 10 26.9 24.1 19.4 48.5 8.9
AS5511 akamai.GW.opentransit.net 0.0% 10 19.7 32.2 19.7 115.2 30.2
AS20940 2a02:26f0:108:189::3d5 0.0% 10 19.7 20.2 19.6 21.6 0.3
mtr -4 --report -w --as acme-v01.api.letsencrypt.org
AS50620 cerbere.sxpert.org 0.0% 10 0.4 0.3 0.3 0.4 0.0
AS50620 crs3-gre.as50620.net 0.0% 10 9.4 9.2 8.6 10.9 0.6
AS??? akamai.par.franceix.net 0.0% 10 11.5 12.1 10.0 17.0 2.7
AS20940 a23-38-4-37.deploy.static.akamaitechnologies.com 0.0% 10 9.0 9.9 9.0 12.4 0.8
isk
May 5, 2017, 5:38pm
2
Can you be more specific about ‘wouldn’t connect’? Is it timing out?
If you’d try the following command and past the output it could be helpful:curl -vv -H "Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace" https://acme-v01.api.letsencrypt.org/directory
this seems to be a heisenbug...
mtr -6 --report -w --as acme-v01.api.letsencrypt.org
AS50620 cerbere.sxpert.org 0.0% 10 0.3 0.8 0.3 4.6 1.3
AS50620 crs3-gre.as50620.net 0.0% 10 9.2 10.5 8.8 19.7 3.4
AS??? 10gigabitethernet-2-2.par2.he.net 0.0% 10 24.4 25.6 11.7 33.6 6.7
AS??? akamai.par.franceix.net 0.0% 10 10.7 12.8 10.5 15.9 2.0
AS20940 2a02:26f0:2d:180::3d5 0.0% 10 11.1 10.8 9.2 16.0 2.1
as for your command, I get :https://acme-v01.api.letsencrypt.org/acme/key-change ",https://acme-v01.api.letsencrypt.org/acme/new-authz ",https://acme-v01.api.letsencrypt.org/acme/new-cert ",https://acme-v01.api.letsencrypt.org/acme/new-reg ",https://acme-v01.api.letsencrypt.org/acme/revoke-cert "
stderr:
Trying 2a02:26f0:2d:180::3d5...
Connected to acme-v01.api.letsencrypt.org (2a02:26f0:2d:180::3d5) port 443 (#0 )
found 173 certificates in /etc/ssl/certs/ca-certificates.crt
found 694 certificates in /etc/ssl/certs
ALPN, offering http/1.1
SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
server certificate verification OK
server certificate status verification SKIPPED
common name: *.api.letsencrypt.org (matched)
server certificate expiration date OK
server certificate activation date OK
certificate public key: RSA
certificate version: #3
subject: CN=*.api.letsencrypt.org,O=INTERNET SECURITY RESEARCH GROUP,L=Mountain View,ST=California,C=US
start date: Fri, 26 Jun 2015 17:05:45 GMT
expire date: Mon, 25 Jun 2018 17:05:45 GMT
issuer: C=US,O=IdenTrust,OU=TrustID Server,CN=TrustID Server CA A52
compression: NULL
ALPN, server accepted to use http/1.1
GET /directory HTTP/1.1acme-v01.api.letsencrypt.org /
< HTTP/1.1 200 OKa88-221-15-117.deploy.akamaitechnologies.com (AkamaiGHost/8.3.2.1-19774280) (-)value=cloudmonitor.api.letsencrypt.org a2-18-240-87.deploy.akamaitechnologies.com (AkamaiGHost/8.3.2.1-19774280) (-)
isk
May 5, 2017, 10:54pm
4
Glad that it’s working for you now!
If it starts failing again an mtr and the curl with all the Akamai pragma may help us find out what’s going on.
system
June 4, 2017, 11:06pm
5
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.