Let's Encrypt Does Not Work (Blocked)?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: uplesk.citrahost.com

I ran this command: letsdebug.net

It produced this output:
172.104.24.29 - - [28/Nov/2022:15:44:20 +0700] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 200 0 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)"
35.91.39.140 - - [28/Nov/2022:15:44:20 +0700] "GET /.well-known/acme-challenge/qCo4xpDddL0Ou8tOp1MdyV0qHWz1kqfuLjU8RpZ0Uvk HTTP/1.1" 404 268 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
13.58.204.191 - - [28/Nov/2022:15:44:20 +0700] "GET /.well-known/acme-challenge/qCo4xpDddL0Ou8tOp1MdyV0qHWz1kqfuLjU8RpZ0Uvk HTTP/1.1" 404 268 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.104.24.29 - - [28/Nov/2022:15:44:20 +0700] "GET / HTTP/1.1" 200 432 "-" "Go-http-client/1.1"

My web server is (include version): nginx version: nginx/1.20.2

The operating system my web server runs on is (include version): CloudLinux with CentOS 7

My hosting provider, if applicable, is: Plesk Control Panel

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian 18.0.47

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Using SSLit!

I ran this command in my shell (ping):
[root@uplesk devaLE]# fping < ips.txt
acme-v02.api.letsencrypt.org is alive
ocsp.root-x1.letsencrypt.org is alive
e1.o.lencr.org is alive
e2.o.lencr.org is alive
r3.o.lencr.org is alive
r4.o.lencr.org is alive
letsencrypt.org is alive
acme-staging-v02.api.letsencrypt.org is alive
ocsp.staging-x1.letsencrypt.org is alive
ocsp.int-x3.letsencrypt.org is alive
ocsp.int-x4.letsencrypt.org is alive
oak.ct.letsencrypt.org is unreachable
sapling.ct.letsencrypt.org is unreachable

Then, running traceroute to each Let's Encrypt IP, it produced this:
[root@centos ]# traceroute to acme-staging-v02.api.letsencrypt.org (172.65.46.172), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.379 ms 0.315 ms 0.257 ms
2 103-101-136-45.as58500.net (103.101.136.45) 10.546 ms 10.622 ms 10.658 ms
3 * * *
4 * * *
...
27 * * *
28 * * *
29 * * *
30 * * *
[root@centos ]# traceroute to e1.o.lencr.org (23.50.117.170), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.400 ms 0.275 ms 0.208 ms
2 103.123.16.3 (103.123.16.3) 0.430 ms 0.357 ms 0.611 ms
3 cyber.dmix.bdr1.cgk.as23951.net (202.152.153.216) 8.541 ms 8.726 ms 8.738 ms
4 jktix.as23951.net (117.20.51.56) 8.780 ms 8.659 ms 8.720 ms
5 119.11.184.37 (119.11.184.37) 149.405 ms * *
6 a23-50-117-170.deploy.static.akamaitechnologies.com (23.50.117.170) 8.615 ms 8.844 ms 8.783 ms
[root@centos ]# traceroute to e2.o.lencr.org (23.50.117.170), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.316 ms 0.214 ms 0.218 ms
2 103.123.16.3 (103.123.16.3) 0.461 ms 0.350 ms 0.299 ms
3 cyber.dmix.bdr1.cgk.as23951.net (202.152.153.216) 8.599 ms 8.617 ms 8.634 ms
4 jktix.as23951.net (117.20.51.56) 8.676 ms 8.666 ms 8.619 ms
5 * 119.11.184.37 (119.11.184.37) 88.412 ms *
6 a23-50-117-170.deploy.static.akamaitechnologies.com (23.50.117.170) 8.580 ms 8.600 ms 8.665 ms
[root@centos ]# traceroute to letsencrypt.org (35.198.196.16), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.287 ms 0.233 ms 0.203 ms
2 103.123.17.170 (103.123.17.170) 0.588 ms 0.536 ms 0.462 ms
3 202-152-153-36.as23951.net (202.152.153.36) 10.542 ms 10.365 ms 10.537 ms
4 142.250.170.114 (142.250.170.114) 12.168 ms 12.190 ms 12.887 ms
5 * * *
6 * * *
...
29 * * *
30 * * *
[root@centos ]# traceroute to oak.ct.letsencrypt.org (3.12.255.4), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.310 ms 0.340 ms 0.243 ms
2 103.123.16.1 (103.123.16.1) 0.419 ms 0.575 ms 0.313 ms
3 202.65.112.1 (202.65.112.1) 0.570 ms 0.581 ms 0.474 ms
4 36.91.238.17 (36.91.238.17) 2.062 ms 8.133 ms 7.970 ms
5 180.240.192.33 (180.240.192.33) 45.352 ms 45.175 ms 45.329 ms
6 180.240.192.229 (180.240.192.229) 251.908 ms 251.565 ms 180.240.192.89 (180.240.192.89) 248.894 ms
7 180.240.192.89 (180.240.192.89) 248.417 ms equinix02-iad2.amazon.com (206.126.236.35) 307.459 ms 307.498 ms
8 equinix02-iad2.amazon.com (206.126.236.35) 307.132 ms 307.039 ms *
9 * * *
10 * * *
11 52.95.1.217 (52.95.1.217) 252.442 ms 52.95.1.109 (52.95.1.109) 264.557 ms *
12 52.95.2.193 (52.95.2.193) 259.918 ms 52.95.1.214 (52.95.1.214) 257.729 ms 52.95.1.163 (52.95.1.163) 253.256 ms
13 52.95.1.108 (52.95.1.108) 269.699 ms * 52.95.2.218 (52.95.2.218) 255.720 ms
14 * 52.93.130.131 (52.93.130.131) 263.129 ms 15.230.135.118 (15.230.135.118) 256.283 ms
15 54.239.42.216 (54.239.42.216) 257.332 ms 15.230.135.122 (15.230.135.122) 256.354 ms 54.239.42.98 (54.239.42.98) 256.819 ms
16 * 108.166.252.37 (108.166.252.37) 258.342 ms *
17 108.166.252.33 (108.166.252.33) 269.805 ms * *
18 * * *
19 * * *
20 * * *
21 52.95.1.187 (52.95.1.187) 262.933 ms * *
22 * * *
23 * * *
24 15.230.134.109 (15.230.134.109) 272.669 ms * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

[root@centos ]# traceroute to ocsp.int-x3.letsencrypt.org (23.50.117.177), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.282 ms 0.227 ms 0.217 ms
2 103.123.16.3 (103.123.16.3) 11.222 ms * *
3 cyber.dmix.bdr1.cgk.as23951.net (202.152.153.216) 19.185 ms * *
4 * * *
5 * * *
6 * a23-50-117-177.deploy.static.akamaitechnologies.com (23.50.117.177) 9.035 ms 8.745 ms
[root@centos ]# traceroute to ocsp.int-x4.letsencrypt.org (23.50.117.184), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.320 ms 0.383 ms 0.196 ms
2 103.123.16.3 (103.123.16.3) 0.430 ms 0.427 ms 0.376 ms
3 cyber.dmix.bdr1.cgk.as23951.net (202.152.153.216) 8.589 ms 8.597 ms 8.618 ms
4 jktix.as23951.net (117.20.51.56) 8.685 ms 8.726 ms 8.488 ms
5 119.11.184.37 (119.11.184.37) 98.022 ms 98.349 ms 98.356 ms
6 a23-50-117-184.deploy.static.akamaitechnologies.com (23.50.117.184) 8.506 ms 8.696 ms 8.798 ms
[root@centos ]# traceroute to ocsp.root-x1.letsencrypt.org (23.50.117.184), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.333 ms 0.252 ms 0.238 ms
2 103.123.16.3 (103.123.16.3) 0.422 ms 0.322 ms 0.329 ms
3 cyber.dmix.bdr1.cgk.as23951.net (202.152.153.216) 8.707 ms 8.873 ms 8.881 ms
4 jktix.as23951.net (117.20.51.56) 8.882 ms 8.851 ms 8.823 ms
5 * 119.11.184.37 (119.11.184.37) 34.358 ms *
6 a23-50-117-184.deploy.static.akamaitechnologies.com (23.50.117.184) 8.614 ms 12.110 ms 12.045 ms
[root@centos ]# traceroute to ocsp.staging-x1.letsencrypt.org (23.50.117.184), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.371 ms 0.276 ms 0.237 ms
2 103.123.16.3 (103.123.16.3) 0.434 ms 0.380 ms 0.340 ms
3 cyber.dmix.bdr1.cgk.as23951.net (202.152.153.216) 9.412 ms 9.196 ms 9.391 ms
4 jktix.as23951.net (117.20.51.56) 9.397 ms 9.438 ms 9.450 ms
5 * * *
6 a23-50-117-184.deploy.static.akamaitechnologies.com (23.50.117.184) 9.121 ms 18.895 ms *
[root@centos ]# traceroute to r3.o.lencr.org (23.50.117.168), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.350 ms 0.264 ms 0.222 ms
2 103.123.16.3 (103.123.16.3) 0.482 ms 0.398 ms 0.368 ms
3 cyber.dmix.bdr1.cgk.as23951.net (202.152.153.216) 8.612 ms 8.728 ms 8.723 ms
4 jktix.as23951.net (117.20.51.56) 8.743 ms 8.849 ms 8.711 ms
5 119.11.184.37 (119.11.184.37) 145.097 ms 145.344 ms 145.228 ms
6 a23-50-117-168.deploy.static.akamaitechnologies.com (23.50.117.168) 9.658 ms 16.415 ms 16.423 ms
[root@centos ]# traceroute to r4.o.lencr.org (23.50.117.168), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.335 ms 0.280 ms 0.233 ms
2 103.123.16.3 (103.123.16.3) 0.427 ms 0.355 ms 0.341 ms
3 cyber.dmix.bdr1.cgk.as23951.net (202.152.153.216) 8.593 ms 8.635 ms 8.647 ms
4 jktix.as23951.net (117.20.51.56) 8.630 ms 8.642 ms 8.675 ms
5 * 119.11.184.37 (119.11.184.37) 39.262 ms 38.917 ms
6 a23-50-117-168.deploy.static.akamaitechnologies.com (23.50.117.168) 12.455 ms 13.165 ms 13.202 ms
[root@centos ]# traceroute to sapling.ct.letsencrypt.org (3.13.165.167), 30 hops max, 60 byte packets
1 gateway (103.123.16.137) 0.410 ms 0.311 ms 0.228 ms
2 103.123.16.1 (103.123.16.1) 8.879 ms 8.810 ms 8.754 ms
3 * 202.65.112.1 (202.65.112.1) 8.901 ms *
4 * * *
5 * * *
6 * 180.240.192.89 (180.240.192.89) 249.162 ms 180.240.192.229 (180.240.192.229) 251.568 ms
7 180.240.192.89 (180.240.192.89) 248.789 ms equinix02-iad2.amazon.com (206.126.236.35) 305.236 ms 180.240.192.89 (180.240.192.89) 255.433 ms
8 equinix02-iad2.amazon.com (206.126.236.35) 301.147 ms 300.983 ms 301.113 ms
9 * * *
10 * * 52.95.2.182 (52.95.2.182) 266.475 ms
11 * * 52.95.1.221 (52.95.1.221) 265.844 ms
12 * * *
13 52.95.0.251 (52.95.0.251) 264.316 ms 52.95.3.3 (52.95.3.3) 259.708 ms 52.95.2.20 (52.95.2.20) 265.913 ms
14 * 15.230.140.88 (15.230.140.88) 261.580 ms *
15 * 52.93.135.152 (52.93.135.152) 258.771 ms *
16 * * *
17 * * *
18 108.166.252.35 (108.166.252.35) 258.915 ms 259.003 ms *
19 * * *
20 * * *
21 * * *
22 * * *
23 52.95.3.52 (52.95.3.52) 260.861 ms 52.95.2.16 (52.95.2.16) 254.453 ms 52.95.2.44 (52.95.2.44) 261.234 ms
24 * * *
25 108.166.252.38 (108.166.252.38) 252.459 ms * *
26 * * *
27 * * *
28 * * 108.166.252.35 (108.166.252.35) 258.136 ms
29 * * *
30 * * *

We are using the 103.123.16.0/22 IP block; it is clean, with a neutral detection, according to https://talosintelligence.com/reputation_center/lookup?search=103.123.16.0%2F22

Also:
Nmap scan report for uplesk.citrahost.com (103.123.16.140)
Host is up (0.0023s latency).
Not shown: 984 filtered ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
106/tcp open pop3pw
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3000/tcp open ppp
3306/tcp open mysql
8443/tcp open https-alt

see attachments for traceroute details
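An added example, not code from the post or from Let's Encrypt: a small Python triage script that parses nginx access-log lines in the combined format quoted above and groups every /.well-known/acme-challenge/ probe by token, source IP and validator class. On the four lines from the post it shows the letsdebug test probe answered 200 while both Let's Encrypt validators got 404 for the real token; a validator that never shows up in the log at all is the case that points at a block in front of nginx rather than at the web server.

```python
import re
from collections import defaultdict

# Constructed sample: the four nginx access-log lines quoted in the post.
SAMPLE_LOG = """\
172.104.24.29 - - [28/Nov/2022:15:44:20 +0700] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 200 0 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)"
35.91.39.140 - - [28/Nov/2022:15:44:20 +0700] "GET /.well-known/acme-challenge/qCo4xpDddL0Ou8tOp1MdyV0qHWz1kqfuLjU8RpZ0Uvk HTTP/1.1" 404 268 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
13.58.204.191 - - [28/Nov/2022:15:44:20 +0700] "GET /.well-known/acme-challenge/qCo4xpDddL0Ou8tOp1MdyV0qHWz1kqfuLjU8RpZ0Uvk HTTP/1.1" 404 268 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.104.24.29 - - [28/Nov/2022:15:44:20 +0700] "GET / HTTP/1.1" 200 432 "-" "Go-http-client/1.1"
"""

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def classify_ua(ua):
    """Tell the letsdebug emulation apart from a real Let's Encrypt validator."""
    if "Let's Debug" in ua:
        return "letsdebug"
    if "Let's Encrypt validation server" in ua:
        return "letsencrypt"
    return "other"


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Map each challenge token to [(source ip, validator class, status), ...].
    200: token file served. 404: path reachable but token missing on disk.
    A validator that produces no line at all never reached nginx (firewall/geo block)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue  # unparsable or not an ACME probe
        token = rec["path"][len(CHALLENGE_PREFIX):]
        hits[token].append((rec["ip"], classify_ua(rec["ua"]), int(rec["status"])))
    return dict(hits)


if __name__ == "__main__":
    for token, probes in triage(SAMPLE_LOG).items():
        print(token, probes)
```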

Why do you think Let's Encrypt doesn't work? Your webserver log reports two requests from something that claims to be the Let's Encrypt validation server.

I'm not sure if the overload of traceroutes is currently very helpful. My advice is to take one step back and begin at the beginning: what were you initially doing and what was its result?

I see LetsDebug says the staging environment has an issue with getting the challenge: "103.123.16.140: Fetching http://uplesk.citrahost.com/.well-known/acme-challenge/GrwS6Eau632fF_obkwHyZVf1ZVVXQZCQjmn6Tra1BdE: Timeout during connect (likely firewall problem)"

However, I can connect to your server perfectly.

So it seems some connections from somewhere globally can and some can't. This sounds like some form of firewalling, perhaps geolocation blocking.

