Is my IP Blocked?

Hello,

I received an alert about certificate renewal. It's automatic with certbot, but not this time. Here is the information:

I ran this command: certbot --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
An unexpected error occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 144, in _new_conn
(self.host, self.port), self.timeout, **extra_kw)
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 83, in create_connection
raise err
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 73, in create_connection
sock.connect(sa)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 298, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 149, in _new_conn
(self.host, self.timeout))
urllib3.exceptions.ConnectTimeoutError: (<urllib3.connection.VerifiedHTTPSConnection object at 0x7f26bdc50710>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f26bdc50710>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))

During handling of the above exception, another exception occurred:

requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f26bdc50710>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is: nginx version: nginx/1.14.0 (Ubuntu)

OS: Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-167-generic x86_64)

The version of my client is: certbot 0.31.0

ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
From *** (172.65.0.1) icmp_seq=1 Destination Host Unreachable
From *** (172.65.0.1) icmp_seq=2 Destination Host Unreachable
From *** (172.65.0.1) icmp_seq=3 Destination Host Unreachable
From *** (172.65.0.1) icmp_seq=5 Destination Host Unreachable
From *** (172.65.0.1) icmp_seq=6 Destination Host Unreachable
From *** (172.65.0.1) icmp_seq=7 Destination Host Unreachable

curl https://acme-v02.api.letsencrypt.org/directory
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

I can give you my domain and IP in private message.

Many thanks

EDIT:
curl -v https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248...
* TCP_NODELAY set
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* connect to 172.65.32.248 port 443 failed: No route to host
* connect to 2606:4700:60:0:f53d:5624:85c7:3a2c port 443 failed: Connection timed out
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

Please show results of these two commands:

curl -4 http://ifconfig.co
curl -6 http://ifconfig.co

Hello,

curl -4 http://ifconfig.co
163...*

curl -6 http://ifconfig.co
no response

Thanks a lot

I consulted with others. That is not the usual failure when Let's Encrypt blocks an IP.

It looks more like a routing issue on your end, or even a datacenter problem within Cloudflare, due to this:

From *** (172.65.0.1) icmp_seq=1 Destination Host Unreachable

Note the ifconfig.co website is also served by Cloudflare but perhaps different edges than Let's Encrypt uses (I did not check).

Is this problem persisting?


Thank you.
Yes, the problem has persisted for at least 20 days, because my certificates will expire in 10 days...


Could you perhaps run the following command? This will make a traceroute, but use TCP and use port 443 as the destination, just like a regular HTTPS connection would:

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org

Hello,

traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 My-Server (172.65.0.1) 3056.622 ms !H 3056.558 ms !H 3056.545 ms !H

That's a very strange traceroute. The IP address 172.65.0.1 is from Cloudflare. I'm pretty sure your server is NOT a server from Cloudflare, so why would it respond with "!H" (host unreachable) and with the IP address from Cloudflare as source?

Usually, the IP address of the host corresponding with the step (1 in this case) would be the source address.

Anyway, if your server is already answering with "!H", it means your server is blocking access to acme-v02.api.letsencrypt.org.


Hello,
The problem is indeed with my server. An internal Docker network is in conflict with the Cloudflare network...
Everything works fine after changing this Docker network.
Thanks for your help!

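The traceroute reply above (first hop answering `!H` from 172.65.0.1, a Cloudflare address) and the final post's root cause (a Docker network overlapping the Cloudflare range) describe the same failure: the host had a local route for a subnet containing the ACME endpoint, so packets for acme-v02.api.letsencrypt.org were sent onto a Docker bridge instead of the default gateway. The script below is an added example, not code from the thread or from certbot, that checks a destination address against Docker network subnets and the kernel routing table so this kind of overlap is detected before a renewal fails. It parses constructed sample output in the shape of `docker network inspect` and `ip -4 route show` (the network name `app_backend`, the bridge device `br-3f2a1c9e8d7b` and the 192.0.2.0/24 uplink are invented); on a real host you would feed it the live output of those two commands and the resolved addresses of the ACME host.

```python
import ipaddress
import json
import socket

# Constructed sample in the shape of `docker network inspect $(docker network ls -q)`.
# The second network's subnet is a public Cloudflare range, not an RFC 1918 one,
# so it shadows acme-v02.api.letsencrypt.org (172.65.32.248 in the thread).
SAMPLE_DOCKER_NETWORKS_JSON = json.dumps([
    {"Name": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "app_backend",  # hypothetical user-defined network
     "IPAM": {"Config": [{"Subnet": "172.65.0.0/16", "Gateway": "172.65.0.1"}]}},
])

# Constructed sample in the shape of `ip -4 route show` on the same host.
SAMPLE_IP_ROUTE = """\
default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.65.0.0/16 dev br-3f2a1c9e8d7b proto kernel scope link src 172.65.0.1
"""


def docker_subnets(inspect_json):
    """Return (network name, subnet) pairs from `docker network inspect` JSON."""
    nets = []
    for net in json.loads(inspect_json):
        for cfg in net.get("IPAM", {}).get("Config") or []:
            subnet = cfg.get("Subnet")
            if subnet:
                nets.append((net["Name"], ipaddress.ip_network(subnet, strict=False)))
    return nets


def local_routes(ip_route_output):
    """Parse `ip route show` lines into (prefix, device); the default route is skipped
    because it is the route traffic to the internet is supposed to take."""
    routes = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            prefix = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # not a prefix-first line (e.g. "broadcast ..." entries)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((prefix, dev))
    return routes


def find_conflicts(target_ips, inspect_json, ip_route_output):
    """For each target address, list every Docker subnet and every non-default local
    route that covers it. Any hit means the kernel will deliver packets for that
    address on-link (ARP on a bridge) instead of forwarding them to the gateway,
    which is exactly what produces `!H` / "No route to host" in the thread."""
    findings = []
    subnets = docker_subnets(inspect_json)
    routes = local_routes(ip_route_output)
    for ip_str in target_ips:
        ip = ipaddress.ip_address(ip_str)
        for name, subnet in subnets:
            if ip in subnet:  # version mismatch (v6 in v4 net) is simply False
                findings.append((ip_str, "docker", name, str(subnet)))
        for prefix, dev in routes:
            if ip in prefix:
                findings.append((ip_str, "route", dev, str(prefix)))
    return findings


def resolve(host):
    """All A/AAAA records for a host (live DNS; not used by the offline demo below)."""
    return sorted({info[4][0]
                   for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)})


if __name__ == "__main__":
    # Addresses quoted in the thread's `curl -v` output; a live check would instead
    # use resolve("acme-v02.api.letsencrypt.org") plus the real command outputs.
    targets = ["172.65.32.248", "2606:4700:60:0:f53d:5624:85c7:3a2c"]
    hits = find_conflicts(targets, SAMPLE_DOCKER_NETWORKS_JSON, SAMPLE_IP_ROUTE)
    for ip_str, kind, where, prefix in hits:
        print("CONFLICT: %s is covered by %s %s (%s)" % (ip_str, kind, where, prefix))
    if not hits:
        print("no local routes or Docker subnets shadow the ACME endpoint")
```

Run it periodically, or as a pre-check in the renewal cron job, and treat any `CONFLICT` line as a configuration error: Docker's own default address pool stays inside RFC 1918 space, so a subnet in a public range such as 172.65.0.0/16 is something an operator configured explicitly, and the fix is the one the thread ends with, moving that network to a non-overlapping private subnet.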
