Is my IP blocked?

lered · January 8, 2022, 5:25am

Hello!

The problem is the same.
I check it several times.

curl -Iv https://acme-v02.api.letsencrypt.org/directory
* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=acme-v01.api.letsencrypt.org
*       start date: Dec 17 03:44:28 2021 GMT
*       expire date: Mar 17 03:44:27 2022 GMT
*       common name: acme-v01.api.letsencrypt.org
*       issuer: CN=R3,O=Let's Encrypt,C=US
> HEAD /directory HTTP/1.1
> User-Agent: curl/7.29.0
> Host: acme-v02.api.letsencrypt.org
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Sat, 08 Jan 2022 05:10:33 GMT
Date: Sat, 08 Jan 2022 05:10:33 GMT
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 658
Content-Length: 658  
< Connection: keep-alive
Connection: keep-alive
< Cache-Control: public, max-age=0, no-cache
Cache-Control: public, max-age=0, no-cache
< Replay-Nonce: 0002etH3a6egwXVRibggXzlMgO7jVI_77dSUFPVHN7CUNFM
Replay-Nonce: 0002etH3a6egwXVRibggXzlMgO7jVI_77dSUFPVHN7CUNFM
< X-Frame-Options: DENY
X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
Strict-Transport-Security: max-age=604800

<
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

And check again

curl -Iv https://acme-v02.api.letsencrypt.org/directory
* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

MikeMcQ · January 8, 2022, 5:01pm

That is not the usual message for blocked IPs. Also, since it sometimes works you are not blocked.

Intermittent communications problems can be difficult to resolve. There are many posts on google that discuss this error message. Many of them were fixed by updating NSS and/or Curl. Your Curl version (7.29) was originally issued many years ago. What version of NSS are you using? You should first try updating these.

To satisfy yourself that it is not because of rate limiting, see if you get same error with this:

curl -I https://letsencrypt.org

JamesLE · January 9, 2022, 2:46am

Hi, @lered,

What IP address are you connecting from? If it's in Russia, this may be related to this problem that we're investigating: API service disruption for Russian subscribers

JamesLE · January 9, 2022, 3:21am

Hi, @lered,

Could you please show us the output of a traceroute to acme-v02.api.letsencrypt.org? Feel free to either post it here or send it to me as a direct message.

648944 · January 9, 2022, 4:12am

Hello, a similar problem with addresses from Russia 82.202.160.93 and 77.246.156.65
Test results:

traceroute acme-v02.api.letsencrypt.org

traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 10.12.0.1 (10.12.0.1) 0.573 ms 0.590 ms 0.632 ms
2 172.17.23.56 (172.17.23.56) 0.184 ms 0.220 ms 0.164 ms
3 89.22.17.212 (89.22.17.212) 1.616 ms 1.804 ms 1.700 ms
4 185.61.95.85 (185.61.95.85) 2.146 ms 2.208 ms 2.328 ms
5 31.28.19.100 (31.28.19.100) 3.991 ms 3.989 ms 1.785 ms
6 10.10.13.153 (10.10.13.153) 9.133 ms 9.115 ms 9.061 ms
7 spx-ix.as13335.net (194.226.100.129) 11.675 ms 11.623 ms 11.617 ms
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

mtr -s 500 -r -i0.2 -z -b 172.65.32.248

Start: Sun Jan 9 07:18:57 2022
HOST: cityhost.in Loss% Snt Last Avg Best Wrst StDev

AS??? 10.12.0.1 0.0% 10 0.3 0.5 0.2 2.5 0.6
AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
AS48166 89.22.17.212 0.0% 10 1.6 1.6 1.5 1.8 0.0
AS48166 185.61.95.85 0.0% 10 2.0 2.6 1.8 6.6 1.5
AS29076 31.28.19.100 0.0% 10 1.9 3.5 1.7 18.6 5.3
AS??? 10.10.13.153 0.0% 10 9.1 11.0 9.1 21.8 4.0
AS??? spx-ix.as13335.net ( 0.0% 10 11.7 13.3 11.5 24.9 4.2
AS13335 172.65.32.248 0.0% 10 10.5 10.4 10.3 10.5 0.0

JamesLE · January 9, 2022, 4:27am

Hi, @648944,

Thank you! If you're able to collect a raw packet capture (pcap) file of a connection attempt (e.g. using tcpdump) that would be very helpful.

lered · January 9, 2022, 4:33am

Hello!
Curl from standard Centos 7 lastupdate 3 days ago(openssl 1.0.2k-22.el7_9).
Request to https://letsencrypt.org without problem

lered · January 9, 2022, 4:49am

Yes ours networks from Russia

648944 · January 9, 2022, 5:36am

In the attachment when contacting with a curl and trying to issue a certificate.
mycap1.pcap (931 Bytes)
mycap.pcap (1.4 KB)

JamesLE · January 9, 2022, 9:41pm

We believe the network routing problem from the St. Petersburg, Russia region is now resolved. If you're still having trouble, please let us know. Thanks for your patience!

lered · January 10, 2022, 2:22am

Thank you. It's work.

system · February 9, 2022, 2:22am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.