This issue was previously reported by SagePtr on GitHub.
This article in Russian describes the problem, in short:
Two IPs, 184.108.40.206 and 220.127.116.11, that host the Let’s Encrypt website (letsencrypt.org) are in the Roscomnadzor Registry of forbidden resources. Roscomnadzor did not specifically target Let’s Encrypt; rather, it banned a large number of IPs in connection with other websites, and Let’s Encrypt just recently moved to these two IPs (after switching hosting from Akamai Technologies, Inc. to Digital Ocean, LLC). The authors note that so far the ban affects only the website, but warn that if the Let’s Encrypt certificate issuance APIs move too, they might become unavailable.
I’m not affiliated with Let’s Encrypt in any way, but as far as I know, Let’s Encrypt APIs are hosted in a co-location environment and should not change IPs so are not affected by the Russian Roscomnadzor roulette. Could someone knowledgeable confirm this?
Full article translation
Here is a full article translated to help Let’s Encrypt staff investigate the matter.
We are currently working with the Russian authorities in order to resolve this roadblock, and have contacted them several times over the last few months.
We have been using our corporate “network” of contacts in other companies, and when speaking to others, it seems like that they are taking an unusually long time to respond to our requests, even though we have made them through the correct channels. We will keep you updated as soon as we have information that seems reliable as to how and when this situation is going to be resolved.
We’ve begun exploring working with a Russia-local agency to see if they can help us “from the inside”. They advise that these blocks seem likely to be accidental, and are somehow leftover from the “Great Telegram Blockage of 2018”, though we moved nodes to new addresses and found that they too were blocked shortly afterwards, so there must be more to the story. We do use network providers that were affected by the block.
Finally we are considering trying to set up a CDN Point of Presence within Russia. We’ve received one referral to a hosting company but we’d be interested in introductions to other ones as we have some unique needs and will be shopping around - if you know of any to recommend, please share contact info here or via DM!
To the best of my knowledge, they only ban traffic TO a blocked resource. The author of the article is concerned that certbot might not be able to connect to Let’s Encrypt servers to request a challenge and (after challenge completion) to request a signed certificate.
Could you confirm that this would not be affected? Also, what information passing mechanism does certbot use that is not affected by the block?
As a side note, I wonder if IP bans could affect CT logs and OCSP (including stapling).
Yes, this is collateral damage from Roskomnadzor IP bans. In this case, the IPs are not connected to the Telegram blockage; instead, these IPs were blocked for allegedly hosting cryptocurrency casinos, some depressing poetry and something else.
Finally we are considering trying to set up a CDN Point of Presence within Russia.
Considering trying? Does not sound very definitive…
The content is in the raw un-processed form in the repo but much of it is Markdown that is fairly legible. In theory one could also install Hugo and host a mirror locally that could be accessed in a browser.
Yes, I see Yahoo and Comcast are also blocking DO’s IPs, in addition to Russia blocking blocks of tens of thousands of IP addresses. Their systems apparently think the IPs are sending spam due to the number of emails being sent, even though they are legitimate mailing lists. Too many within too short a period of time automatically triggers this.