Is my IP being blocked?

Hi,
I'm seeing a similar problem. IP: 185.22.232.228

[root@p479095 ~]# echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
[root@p479095 ~]# echo | openssl s_client -connect google.com:443 | head
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
DONE
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=*.google.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---


2 Likes

Hi, @avkernel,

We're not blocking or rate limiting your IP addresses, but your report looks like it's related to this problem that we're investigating: API service disruption for Russian subscribers

5 Likes

Hi, @avkernel,

Could you please show us the output of a traceroute to acme-v02.api.letsencrypt.org? Feel free to either post it here or send it to me as a direct message.

5 Likes

root@hostvds:~# mtr -n -r -c 10 acme-v02.api.letsencrypt.org
Start: 2022-01-09T05:43:16+0000
HOST: hostvds Loss% Snt Last Avg Best Wrst StDev
1.|-- 45.156.26.1 0.0% 10 0.5 0.4 0.3 0.6 0.1
2.|-- 30.200.200.102 0.0% 10 0.7 0.6 0.5 0.7 0.1
3.|-- 10.70.0.3 0.0% 10 0.7 0.7 0.5 1.2 0.2
4.|-- 10.80.96.1 0.0% 10 0.6 0.7 0.6 0.8 0.1
5.|-- 169.254.0.5 0.0% 10 0.7 0.6 0.5 0.9 0.1
6.|-- 169.254.0.0 80.0% 10 0.7 0.7 0.7 0.7 0.0
7.|-- 80.64.102.142 20.0% 10 0.9 3.4 0.9 16.6 5.4
8.|-- 80.64.102.142 80.0% 10 9.7 5.6 1.6 9.7 5.7
9.|-- 80.64.108.35 20.0% 10 36.0 24.4 21.6 36.0 4.8
10.|-- 80.64.108.35 0.0% 10 21.3 21.4 21.0 22.6 0.5
11.|-- 172.65.32.248 0.0% 10 21.2 21.2 21.0 21.4 0.1

3 Likes

Hi, @JamesLE

Can you help me? THX!

I'm having a problem with IP 185.41.163.63

curl --interface 185.41.163.63 -v "https://acme-v02.api.letsencrypt.org/acme/new-nonce"
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Name '185.41.163.63' family 2 resolved to '185.41.163.63' family 2
* Local port: 0
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443

But with the second IP 185.41.163.27 - OK

curl --interface 185.41.163.27 -v "https://acme-v02.api.letsencrypt.org/acme/new-nonce"
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Name '185.41.163.27' family 2 resolved to '185.41.163.27' family 2
* Local port: 0
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Dec 16 20:16:50 2021 GMT
*  expire date: Mar 16 20:16:49 2022 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x562aee3eedc0)
> GET /acme/new-nonce HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 204
< server: nginx
< date: Sun, 09 Jan 2022 05:56:00 GMT
< cache-control: public, max-age=0, no-cache
< link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
< replay-nonce: 00014-0ZkZ3w4xjew38JZ3r36uF1Dpv5SMzwUa40HatmFv8
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
* Curl_http_done: called premature == 0
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
4 Likes

Hi, @Vitaly,

Thanks for the data! This definitely seems related to the ongoing problem, and I've added this to our data set. If you're able to provide traceroutes or packet captures, too, that would be helpful. I seem to be seeing a pattern where small requests (like simple GET requests) succeed sometimes but fail other times, and larger POSTs are mostly failing.

6 Likes

@JamesLE Thx for your reply!

mtr 172.65.32.248
Host                   Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.12.1.121         0.0%     9    0.1   0.2   0.1   0.3   0.0
 2. 10.12.0.2           0.0%     8    0.3   0.2   0.2   0.3   0.0
 3. 10.100.0.100        0.0%     8    0.4   0.3   0.2   0.4   0.0
 4. spx-ix.as13335.net  0.0%     8   34.7  36.0  34.2  46.1   4.0
 5. 172.65.32.248       0.0%     8   28.8  28.8  28.7  29.0   0.0
traceroute 172.65.32.248
traceroute to 172.65.32.248 (172.65.32.248), 30 hops max, 60 byte packets
 1  10.12.1.121 (10.12.1.121)  0.120 ms  0.093 ms  0.076 ms
 2  10.12.0.2 (10.12.0.2)  0.126 ms  0.117 ms  0.099 ms
 3  10.100.0.100 (10.100.0.100)  0.160 ms  0.149 ms  0.199 ms
 4  spx-ix.as13335.net (194.226.100.129)  38.415 ms  38.406 ms  36.478 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

curl "https://acme-v02.api.letsencrypt.org/acme/new-nonce"

tcpdump -np -i eth0 host 172.65.32.248
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:33:25.526817 IP 185.41.163.27.59008 > 172.65.32.248.443: Flags [S], seq 1630977186, win 29200, options [mss 1460,sackOK,TS val 327748621 ecr 0,nop,wscale 7], length 0
09:33:25.562951 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [S.], seq 7622902, ack 1630977187, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
09:33:25.563056 IP 185.41.163.27.59008 > 172.65.32.248.443: Flags [.], ack 1, win 229, length 0
09:33:25.572402 IP 185.41.163.27.59008 > 172.65.32.248.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
09:33:25.608572 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [.], ack 518, win 67, length 0
09:33:40.881268 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [.], ack 518, win 67, length 0
09:33:40.881355 IP 185.41.163.27.59008 > 172.65.32.248.443: Flags [.], ack 1, win 229, length 0
09:33:40.881443 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [R.], seq 1, ack 518, win 67, length 0
09:33:40.917434 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [R], seq 7622903, win 0, length 0
5 Likes
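
An added example, not part of any post in this thread: a small Python parser for the tcpdump summary lines in the capture above. It reports the pattern visible there: the TCP handshake completes, the 517-byte client segment is acknowledged, no server payload ever arrives, and about 15 seconds later resets come from the server side. The function name `summarize`, its result keys and the `stalled_then_reset` rule are assumptions made for this example.

```python
import re
from datetime import datetime

# Lines from the tcpdump in the post above, with the TCP options trimmed.
CAPTURE = """\
09:33:25.526817 IP 185.41.163.27.59008 > 172.65.32.248.443: Flags [S], seq 1630977186, win 29200, length 0
09:33:25.562951 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [S.], seq 7622902, ack 1630977187, win 65535, length 0
09:33:25.563056 IP 185.41.163.27.59008 > 172.65.32.248.443: Flags [.], ack 1, win 229, length 0
09:33:25.572402 IP 185.41.163.27.59008 > 172.65.32.248.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
09:33:25.608572 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [.], ack 518, win 67, length 0
09:33:40.881268 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [.], ack 518, win 67, length 0
09:33:40.881355 IP 185.41.163.27.59008 > 172.65.32.248.443: Flags [.], ack 1, win 229, length 0
09:33:40.881443 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [R.], seq 1, ack 518, win 67, length 0
09:33:40.917434 IP 172.65.32.248.443 > 185.41.163.27.59008: Flags [R], seq 7622903, win 0, length 0
"""
LINE = re.compile(r"^(\S+) IP (\S+)\.\d+ > \S+: Flags \[([^\]]+)\].* length (\d+)$")

def summarize(capture, server_ip):
    """Summarize one TCP flow from tcpdump text (hypothetical helper)."""
    s = {"syn": False, "synack": False, "client_bytes": 0, "server_bytes": 0,
         "data_acked": False, "rst_from": None, "stall_s": None}
    last_data = None  # time of the last client segment that carried payload
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner or non-TCP line
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        from_server = m.group(2) == server_ip
        flags, length = m.group(3), int(m.group(4))
        ack = re.search(r"ack (\d+)", raw)
        if flags == "S":
            s["syn"] = True
        elif flags == "S.":
            s["synack"] = from_server
        if from_server:
            s["server_bytes"] += length
            # tcpdump shows relative numbers after the handshake: ack > 1 covers payload
            if ack and "S" not in flags and int(ack.group(1)) > 1:
                s["data_acked"] = True
        else:
            s["client_bytes"] += length
            last_data = ts if length else last_data
        if "R" in flags and s["rst_from"] is None:
            s["rst_from"] = "server" if from_server else "client"
            if last_data:
                s["stall_s"] = round((ts - last_data).total_seconds(), 1)
    s["stalled_then_reset"] = (s["syn"] and s["synack"] and s["data_acked"]
                               and not s["server_bytes"] and s["rst_from"] == "server")
    return s
```
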

We believe the network routing problem from the St. Petersburg, Russia region is now resolved. If you're still having trouble, please let us know. Thanks for your patience!

6 Likes

@JamesLE

Thanks! It's worked for me! :+1:

5 Likes
