LetsEncrypt Temp Ban

Hello,

This might not be able to be answered by the community but let's find out :slight_smile:

How would I be able to tell if my server got a temp ban from LetsEncrypt? I tried to ping r3.o.lencr.org but it just doesn't respond from one of my IP addresses.

Looking forward to your reply,

Aydan

Hi @Aydan-MTH, and welcome to the LE community forum :slight_smile:

You've come to the right place - it's just not normal working hours right now...
While we wait for someone to check on your IP.
#1 Please provide the IP address in question.
#2 Try:
curl -Ii http://r3.o.lencr.org
If that fails to return "200", then show:
traceroute -T -p 80 r3.o.lencr.org

5 Likes

Hey there,

Is it advised to send my IP to a public forum?

Aydan

If the IP is between 1.0.0.0 and 223.255.255.255 [excluding non-routable IPs], it is already known and scanned by all the bad bots.

Putting an IP here wouldn't change those plans.

4 Likes

Hello,

You make a very good point!

[IP removed - not required]

Love the internet :frowning: not.

Aydan

1 Like

Show us this output:

Sorry, that had a TYPO :frowning:
o not 0

3 Likes

Sure thing,

it seems to now be resolving...

You did "o" :slight_smile:
That IP isn't blocked; It reached the site via port 80.
Please show why you think it is being blocked.
So, the name wouldn't even resolve to an IP?

3 Likes

It said the following before:

root@edge-live:~# ping r3.o.lencr.org
ping: r3.o.lencr.org: Temporary failure in name resolution

and gave us the following error when we tried to restart NGINX because it couldn't reach LetsEncrypt:

That is a DNS issue [and a "temporary" one].
You might look for more resilient DNS service/configuration.
I'm pretty sure that issue was caused by systems very close to your server.

What shows?:
cat /etc/resolv.conf

4 Likes

It's set to Google's nameservers.
nameserver 8.8.8.8
nameserver 8.8.4.4

I tried to ping all the known LetsEncrypt Domains and they all failed. I also tried to curl them.

We refreshed the DNS cache and could ping other domains, just not LetsEncrypt.

Well that is bizarre.
I suppose you could mix it up - not just Google DNSes.
I'd also pick one from:
1.0.0.1, 1.1.1.1, 4.2.2.2-4.2.2.6, 9.9.9.9

3 Likes

It is very bizarre, hence why I only assumed it would be a temp ban :frowning:

We will get the other DNS servers added :slight_smile: Never heard of 4.2.2.2-6, what provider is that?

Guessing the LetsEncrypt team has a log of temp-banned IPs?

DNS is "relayed".
The authoritative zone never sees/hears your IP directly.
It can't ban you from resolving DNS.
Especially when the TTL is longer than a few seconds.
Those IPs are resolved and cached by such global DNS systems.

4 Likes

But it would prevent it from pinging no?

It would stop a banned IP from PING, HTTP, etc.
But not possible to stop it from DNS.
Notice the response from Google DNS [as is with all such recursive DNS systems]:

nslookup r3.o.lencr.org 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:

Name:      a1887.dscq.akamai.net
Addresses: 2600:1403:c400:a::17db:9b97
           2600:1403:c400:a::17db:9baf
           23.219.155.48
           23.219.155.20
Aliases:   r3.o.lencr.org
           o.lencr.edgesuite.net

[zoomed and bold for emphasis]

You ask Google DNS, it goes and gets that answer, then it replies to you.

4 Likes

I never did an NSLOOKUP, I just did a ping, so that may be why it threw that error.

No.
In order to do anything with any name [on the Internet].
Step one is resolving that name to an IP.
The operating system can use nslookup or dig or any other method it chooses.
But the result is the same.
You can't ping example.com until you know where it is.
You can't browse example.com until you know where it is.

Siri, call Mom!
Calling Mom [dials a ###-###-#### not a name]

4 Likes
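The two replies above make one practical point: every network action starts with resolving the name, so "Temporary failure in name resolution" is a resolver problem on or near the server, while an IP block would only show up after resolution, as a refused or timed-out connection. The following script is an added example, not part of the thread and not Let's Encrypt tooling. It separates the two stages explicitly: resolve first, then attempt the same port-80 HTTP check the thread uses with curl against every returned address. The host name comes from the thread; the fake resolvers and probers at the bottom are constructed stand-ins so the classification logic can be exercised without network access.

```python
"""Triage: did name resolution fail, or did the resolved addresses refuse us?

Added example for the Let's Encrypt forum thread above; not project code.
The host name and the port-80 HTTP check come from the thread. The fake
resolver/prober builders are constructed sample inputs for offline use.
"""
import http.client
import socket

# Verdicts returned by diagnose(). A DNS failure points at resolv.conf and the
# resolvers in use, not at any ban; a block can only show up after resolution.
DNS_FAILURE = "dns_failure"
BLOCKED_OR_UNREACHABLE = "blocked_or_unreachable"
REACHABLE = "reachable"


def head_request(host, ip, timeout=5):
    """HEAD / against one resolved address, keeping the original Host header.

    Returns the HTTP status code; raises OSError (refused, timeout, reset)
    when the address does not answer on port 80.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def diagnose(host, resolver=socket.getaddrinfo, prober=head_request):
    """Resolve the name, then probe each address; report which stage failed."""
    try:
        infos = resolver(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        # EAI_AGAIN / EAI_NONAME etc.: the name never became an IP.
        return DNS_FAILURE, {"error": str(exc)}
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        return DNS_FAILURE, {"error": "resolver returned no addresses"}

    results = {}
    for ip in addrs:
        try:
            results[ip] = prober(host, ip)          # HTTP status on success
        except OSError as exc:
            results[ip] = f"error: {exc}"           # connect-level failure
    reached = any(isinstance(v, int) for v in results.values())
    return (REACHABLE if reached else BLOCKED_OR_UNREACHABLE), results


# --- constructed stand-ins for offline demonstration (not real network data) ---

def temporary_failure_resolver(host, port, proto=0):
    """Mimics the 'Temporary failure in name resolution' error from the thread."""
    raise socket.gaierror(getattr(socket, "EAI_AGAIN", -3),
                          "Temporary failure in name resolution")


def fake_resolver(*ips):
    """Builds a resolver returning the given constructed IPv4 addresses."""
    def resolver(host, port, proto=0):
        return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
                for ip in ips]
    return resolver


def fake_prober(status=None, error=None):
    """Builds a prober that returns a fixed status or raises the given OSError."""
    def prober(host, ip):
        if error is not None:
            raise error
        return status
    return prober


if __name__ == "__main__":
    # Live run against the host from the thread (needs network access).
    print(diagnose("r3.o.lencr.org"))
```

Run it with `python3 triage.py` on the affected server: a `dns_failure` verdict means the next step is `cat /etc/resolv.conf` and trying another resolver, exactly as the thread suggests; `blocked_or_unreachable` with every address listed as a connection error is the first result that would actually be consistent with filtering of the server's IP.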

Hey,

So you don't think the IP was blocked?

Aydan

1 Like

What action did you take to refresh the DNS cache?

4 Likes