It looks like my server has been blocked

Yesterday, trying to find the best configuration for my server, I reinstalled it several times with several OSes (AlmaLinux, CloudLinux, Rocky Linux, versions 8 and 9) and several panels (DirectAdmin, cPanel, etc.), and with each test, a new certificate for the same domain.
I believe that with this I exceeded the limit, and now that I have found the ideal configuration (AlmaLinux 9 + cPanel), I can't recreate my registration and make the certificates start working.
My IP is 207.244.240.35. If something can be done to free me, I would appreciate it, otherwise, is it possible to at least let me know when the blockade ends?

I've moved this thread to the help category. If you fill out this questionnaire, volunteers will have more information to help you (in particular, the domain name is relevant):

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

7 Likes

My domain is:

ziggui.com.br and zigguy.info

I ran this command:

cPanel auto ssl and recreate acc by whm

It produced this output:

API failure: Net::ACME2::x::HTTP::Network: The system failed to send an HTTP “GET” request to “https://acme-v02.api.letsencrypt.org/directory” because of an error: SSL connection failed for acme-v02.api.letsencrypt.org: SSL connect attempt failed error:0A000086:SSL routines::certificate verify failed ...propagated at /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/HTTP.pm, line 225

My web server is (include version):

VPS Linux

The operating system my web server runs on is (include version):

CloudLinux 9

My hosting provider, if applicable, is:

Contabo

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

cPanel 120

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I don't know

That error says your system does not trust the certificate when connecting to the Let's Encrypt API. Let's see what that cert is. Can you show the output of this:

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
3 Likes

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)

Certificate chain
0 s:CN = acme-v02.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 27 10:48:17 2024 GMT; NotAfter: Jul 26 10:48:16 2024 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
DONE

1 Like
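An added example (not from this thread): a small checker for the verify trace that `openssl s_client` prints, like the one posted above. It parses the `depth=` / `verify error` lines and reports whether the chain verified up to the expected root. The `SAMPLE_OK` text is modelled on the output above; `SAMPLE_BAD` is a constructed failure where the trust store cannot supply the issuer of R3.

```python
import re

# Constructed sample modelled on the s_client output posted in this thread.
SAMPLE_OK = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)
"""

# Constructed failure case: the local store has no issuer for R3, so the
# trace stops at depth 1 with an error instead of reaching ISRG Root X1.
SAMPLE_BAD = """\
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)
"""

EXPECTED_ROOT = "ISRG Root X1"  # the root the acme-v02 chain anchors at


def parse_verify_trace(text):
    """Return [(depth, subject, error)] where error is None or (num, message)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"depth=(\d+) (.*)", line)
        if m:
            entries.append([int(m.group(1)), m.group(2), None])
            continue
        m = re.match(r"verify error:num=(\d+):(.*)", line)
        if m and entries:  # an error line refers to the depth line before it
            entries[-1][2] = (int(m.group(1)), m.group(2))
    return [tuple(e) for e in entries]


def diagnose(text):
    """One-line verdict: verified up to the expected root, or where it failed."""
    entries = parse_verify_trace(text)
    if not entries:
        return "no verify trace (connection may not have completed)"
    _, top_subject, _ = max(entries, key=lambda e: e[0])
    cn = re.search(r"CN = ([^,]+)", top_subject)
    top = cn.group(1).strip() if cn else top_subject
    errors = [(d, err) for d, _, err in entries if err]
    if errors:
        d, (num, msg) = errors[0]
        return f"verify failed at depth {d}: {msg} (num={num}); highest cert seen: {top}"
    if top != EXPECTED_ROOT:
        return f"chain verified but anchored at unexpected root: {top}"
    return f"chain verified up to {top}"
```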

That's the expected cert. Hmm. What does this show?

curl -I https://acme-v02.api.letsencrypt.org/directory
3 Likes

server: nginx
date: Wed, 15 May 2024 18:06:55 GMT
content-type: application/json
content-length: 747
cache-control: public, max-age=0, no-cache
replay-nonce: 7n34iCGfGSpcrhcXUwEYVU3M0oF1usq1qnwH7180HXJelq08-_c
x-frame-options: DENY
strict-transport-security: max-age=604800

Does your cPanel still give that same error about "certificate verify failed"?

Because openssl and curl both look fine. I was just wondering if something has changed which might allow it to work now.

Oh, and since openssl and curl both can reach the acme-v02 endpoint, we know you are not blocked by Let's Encrypt.

5 Likes

Same error again.
It does not create the certificate for those who do not yet have it and does not allow me to recreate my Let's Encrypt account:

API failure: Net::ACME2::x::HTTP::Network: The system failed to send an HTTP “GET” request to “https://acme-v02.api.letsencrypt.org/directory” because of an error: SSL connection failed for acme-v02.api.letsencrypt.org: SSL connect attempt failed error:0A000086:SSL routines::certificate verify failed ...propagated at /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/HTTP.pm, line 225

And there's no point in reinstalling the server. I've tried twice after this error appeared the first time.

I'm not really familiar with Perl, but which root certificate store does it use? Some Perl library, or the system's store?

2 Likes

I don't know which root store Perl uses either.

@vpettens Do you have to use cPanel / Perl to get your certificate?

Because there are many other ACME Clients. The acme.sh client uses 'curl' requests which we already saw worked fine. Many others would probably be fine too. The problem looks like cPanel / Perl is using its own CA Root Store which does not include the ISRG Root X1 cert. Which is odd since it has been out for years. 'curl' would be using the o/s root store by default.

Which o/s did you end up using?

3 Likes

Friend, to be honest with you, I have no idea, but I believe it's not on this side. Everything was OK; I had just recreated the Let's Encrypt account and issued a certificate for ziggui.com.br, and suddenly this error appeared when issuing the zigguy.info SSL.

My mistake in this story was having reinstalled it without asking for help first.

At the beginning of the conversation I speculated that I might have exceeded the issuance limit, because I actually formatted the machine many times until I found the most suitable combination for my low level of experience, and cPanel creates many subdomains for itself with each new domain created and issues certificates for all of them; this could be a cause.
I know I could be wrong, but in my understanding, either I'm blocked on the other side or I've exceeded the limit for the week.
All I'm asking is to check if it was exceeded and tell me when it ends, or if the IP is blocked for another reason and can be released.
If none of the alternatives are true, I will need to resolve it with the data center.

Your IP is not blocked. The curl and openssl test proved that.

The error message in your first post shows a connection failure from your machine to the Let's Encrypt API. You haven't even reached the stage where LE would check if you exceeded some other rate limit.

Ignoring that, though, there is one rate limit you would be hitting. There is a limit of 5 certs with the identical set of names per week. You have 5 wildcard certs with only the two names below, so no other wildcard cert with exactly these two names for another few days.

*.ziggui.com.br
ziggui.com.br

But, I don't see any other cert combinations reaching that limit. See crt.sh | ziggui.com.br

I don't see any certs issued for the zigguy.info domain.

There are limits for too many failed challenges per hour per account but the error message about this is pretty clear. As noted, the error in your first post was even before a challenge was tried so is not involved with that.

4 Likes
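An added example (not part of the thread) of the duplicate-certificate check described above: given issuance records in the shape you can read off crt.sh, it counts certs with an identical name set in the trailing week and reports when one more would fit under the limit of 5. The records, dates and the `duplicate_status` helper are constructed for this example; only the limit and the two names come from the post.

```python
from datetime import datetime, timedelta

# Constructed issuance records: (not_before as ISO 8601, the cert's names).
# Dates and count are made up for this example; the name set is the one above.
ISSUED = [
    ("2024-05-14T10:00:00", ["*.ziggui.com.br", "ziggui.com.br"]),
    ("2024-05-14T11:30:00", ["ziggui.com.br", "*.ziggui.com.br"]),  # same set, other order
    ("2024-05-14T13:00:00", ["*.ziggui.com.br", "ziggui.com.br"]),
    ("2024-05-15T08:00:00", ["*.ziggui.com.br", "ziggui.com.br"]),
    ("2024-05-15T09:00:00", ["*.ziggui.com.br", "ziggui.com.br"]),
    ("2024-05-15T09:30:00", ["cpanel.ziggui.com.br", "ziggui.com.br"]),  # different set
    ("2024-05-01T09:30:00", ["*.ziggui.com.br", "ziggui.com.br"]),  # older than a week
]

DUPLICATE_LIMIT = 5          # certs with an identical name set per 7 days, as stated above
WINDOW = timedelta(days=7)


def name_set_key(names):
    """Two certs are duplicates when their name sets are identical,
    regardless of order or letter case."""
    return tuple(sorted(n.lower() for n in names))


def duplicate_status(records, names, now_iso):
    """Return (certs with this exact name set in the trailing week,
    ISO time from which one more such cert fits under the limit)."""
    now = datetime.fromisoformat(now_iso)
    key = name_set_key(names)
    times = sorted(
        datetime.fromisoformat(t) for t, n in records
        if name_set_key(n) == key and now - WINDOW < datetime.fromisoformat(t) <= now
    )
    if len(times) < DUPLICATE_LIMIT:
        return len(times), now_iso
    # Enough of the oldest entries must age out of the window for the
    # count to drop below the limit; that moment is when the next one fits.
    next_ok = times[len(times) - DUPLICATE_LIMIT] + WINDOW
    return len(times), next_ok.isoformat()


if __name__ == "__main__":
    print(duplicate_status(ISSUED, ["ziggui.com.br", "*.ziggui.com.br"], "2024-05-15T18:00:00"))
```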

I believe the same issue could be caused by the root store having the ISRG Root X1 cert and the expired DST Root CA X3 cert as well. If this was caused by the latter cert being present, removing it should work.

2 Likes

I deleted everything about the certificates on the machine, the error remains the same. I will try to reinstall again. I'll let you know tomorrow if it works.

Thank you for your dedication to helping me

1 Like

Solved right here. I reinstalled the machine without CloudLinux this time, and everything works normally now. Anyway, it must be a bug in the cPanel installation when part of the machine has already been converted to CloudLinux.

Thank you for your help and I apologize for my mistake

3 Likes

I don't know why DST would be involved connecting to the acme-v02 endpoint. That uses the short chain and has for some time.

In any case, it got resolved.

3 Likes

I thought it could have been cached through another site (1st visit long chain, second visit short chain but short circuit logic goes to the cached value), but I just reread the post and the OP has a fresh install so that could not have happened.

4 Likes

Good morning my new friends

It gave me the same error again, and it must really be a problem with cPanel, as I just noticed that my other server, which was perfect, now has the same problem. It must be some update.
I'll ask for support there.
I still have little knowledge, but your comments will direct me to specific topics to study.

Who knows, maybe at some point it will be me trying to help? ---laughs---

It was a rewarding and positive experience.

Thank you very much from the bottom of my heart to everyone!

1 Like