My IP band may be blocked? I cannot update

I tried to update but I couldn't connect to Let's Encrypt.
I think my IP band may be blocked?
All servers in the same band cannot connect to Let's Encrypt.

Please help me!

My domain is: imxtoon.jp
IP is 121.78.230.86

I ran this command:
+++++++++++++++++++++++++++++++++++++++++++++
curl -v https://acme-v02.api.letsencrypt.org

curl -4 google.com
301 Moved
The document has moved here.

curl -6 google.com
curl: (7) Failed to connect to 2404:6800:4004:825::200e: Network is unreachable

curl -4 ifconfig.co
121.78.230.86
+++++++++++++++++++++++++++++++++++++++++++++
It produced this output:

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ye

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Hi @changkim, and welcome to the LE community forum

Please show the outputs of:
netstat -nr
traceroute -T -p 443 172.65.32.248
traceroute -T -p 443 172.65.32.0
traceroute -T -p 443 172.65.0.0
traceroute -T -p 443 172.0.0.0
traceroute -T -p 443 1.1.1.1

3 Likes

Thank you for your reply.

Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 121.78.230.65 0.0.0.0 UG 0 0 0 eno1
121.78.230.64 0.0.0.0 255.255.255.224 U 0 0 0 eno1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eno1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp0s29f0u2
169.254.95.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s29f0u2

1 Like

Your server thinks that it has connectivity to the IPv6 Internet, but it doesn't. This isn't a Let's Encrypt issue specifically, it's just that your server needs to be able to talk to Let's Encrypt's servers in order to get a certificate (and probably to do other things).

You might be able to just remove the IPv6 configuration to have your system only try using IPv4, but it'd be much better to see if you can fix your IPv6 routing so you can be on the current modern Internet.

5 Likes

I appreciate your advice. I will try right now.

What about these?

2 Likes

Is it also possible to "nix" IPv6 and use IPv4 in the interim? Not the best solution, but it might work in a pinch? ...
then you can sort out IPv6 and get on the

3 Likes

I'm still not able to connect to Let's Encrypt.

I tried to traceroute like this

traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 gateway (121.78.230.65) 1.423 ms 1.652 ms 2.024 ms
2 192.168.200.1 (192.168.200.1) 1.013 ms 1.109 ms 1.319 ms
3 203.246.170.101 (203.246.170.101) 0.480 ms 0.587 ms 0.579 ms
4 203.246.169.108 (203.246.169.108) 5.648 ms 203.246.169.107 (203.246.169.107) 0.999 ms 203.246.169.180 (203.246.169.180) 0.922 ms
5 * * *
6 * * *
7 * * *
8 218.145.42.206 (218.145.42.206) 43.934 ms 43.924 ms *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 34:40:b5:9e:62:a8 brd ff:ff:ff:ff:ff:ff
inet 121.78.230.86/27 brd 121.78.230.95 scope global eno1
valid_lft forever preferred_lft forever
inet6 fe80::3640:b5ff:fe9e:62a8/64 scope link
valid_lft forever preferred_lft forever
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 34:40:b5:9e:62:aa brd ff:ff:ff:ff:ff:ff
4: enp0s29f0u2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 36:40:b5:97:62:ab brd ff:ff:ff:ff:ff:ff
inet 169.254.95.120/24 brd 169.254.95.255 scope global dynamic enp0s29f0u2
valid_lft 1066sec preferred_lft 1066sec
inet6 fe80::3440:b5ff:fe97:62ab/64 scope link
valid_lft forever preferred_lft forever

Using the online tool https://unboundtest.com/ and checking the DNS A and DNS AAAA Records I only presently find a DNS A Record.

IPv4 has a record
https://unboundtest.com/m/A/imxtoon.jp/OMXJNE3B

Query results for A imxtoon.jp

Response:
;; opcode: QUERY, status: NOERROR, id: 31172
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;imxtoon.jp.	IN	 A

;; ANSWER SECTION:
imxtoon.jp.	0	IN	A	121.78.230.86

----- Unbound logs -----
May 07 02:40:44 unbound[213865:0] notice: init module 0: validator
May 07 02:40:44 unbound[213865:0] notice: init module 1: iterator

And IPv6 has no record
https://unboundtest.com/m/AAAA/imxtoon.jp/NN62IFEC

Query results for AAAA imxtoon.jp

Response:
;; opcode: QUERY, status: NOERROR, id: 23231
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;imxtoon.jp.	IN	 AAAA

;; AUTHORITY SECTION:
imxtoon.jp.	0	IN	SOA	ns1.anysecure.com. abuse.anysecure.com. 1660737318 10800 3600 604800 3600

----- Unbound logs -----
May 07 02:41:28 unbound[213879:0] notice: init module 0: validator
May 07 02:41:28 unbound[213879:0] notice: init module 1: iterator

And the online tool Let's Debug yields these results for the HTTP-01 challenge https://letsdebug.net/imxtoon.jp/1470762, which are OK.

1 Like

Thank you for your reply.
I'm checking logs according to your advice.

1 Like

I ran a test with 2 servers in different networks.

The server where the update is not working had the same result as yours, but the server in the other network where the update works well also had the same result using the online tool https://unboundtest.com/.
So it may not be this reason.

Query results for A brokore.com

IPv4 : https://unboundtest.com/m/A/brokore.com/OMVWSGQN
Response:
;; opcode: QUERY, status: NOERROR, id: 39693
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;brokore.com. IN A

;; ANSWER SECTION:
brokore.com. 0 IN A 125.141.142.112

IPv6: Query results for AAAA brokore.com

Response:
;; opcode: QUERY, status: NOERROR, id: 43063
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;brokore.com. IN AAAA

;; AUTHORITY SECTION:
brokore.com. 0 IN SOA ns1.anysecure.com. abuse.anysecure.com. 1616586645 10800 3600 604800 3600

Thank you for your attention.

1 Like

I tried traceroute with your IP.

traceroute -T -p 443 172.65.32.248

traceroute to 172.65.32.248 (172.65.32.248), 30 hops max, 60 byte packets
 1  gateway (121.78.230.65)  1.926 ms  2.013 ms  2.008 ms
 2  192.168.200.1 (192.168.200.1)  18.929 ms  19.072 ms  19.219 ms
 3  203.246.170.101 (203.246.170.101)  0.626 ms  0.630 ms  0.680 ms
 4  203.246.169.107 (203.246.169.107)  1.238 ms 203.246.169.150 (203.246.169.150)  0.915 ms 203.246.169.180 (203.246.169.180)  0.962 ms
 5  * * *
 6  218.145.42.206 (218.145.42.206)  17.440 ms *  16.812 ms
 7  141.101.82.7 (141.101.82.7)  1.711 ms * *
 8  218.145.42.206 (218.145.42.206)  16.228 ms  1.707 ms *
 9  141.101.82.7 (141.101.82.7)  1.338 ms  1.303 ms  1.292 ms
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

traceroute -T -p 443 172.65.32.0

traceroute to 172.65.32.0 (172.65.32.0), 30 hops max, 60 byte packets
 1  gateway (121.78.230.65)  1.387 ms  1.525 ms  1.667 ms
 2  192.168.200.1 (192.168.200.1)  0.955 ms  1.028 ms  1.208 ms
 3  203.246.170.101 (203.246.170.101)  23.122 ms  23.121 ms  23.114 ms
 4  203.246.169.137 (203.246.169.137)  0.967 ms  0.952 ms 203.246.169.120 (203.246.169.120)  20.414 ms
 5  * * *
 6  * * 218.145.42.206 (218.145.42.206)  34.885 ms
 7  * * 141.101.82.7 (141.101.82.7)  1.051 ms
 8  218.145.42.206 (218.145.42.206)  3.200 ms  3.161 ms  12.107 ms
 9  * 141.101.82.7 (141.101.82.7)  1.569 ms *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

traceroute -T -p 443 172.65.0.0

traceroute to 172.65.0.0 (172.65.0.0), 30 hops max, 60 byte packets
 1  gateway (121.78.230.65)  1.638 ms  1.776 ms  1.922 ms
 2  192.168.200.1 (192.168.200.1)  0.976 ms  1.121 ms  1.297 ms
 3  203.246.170.101 (203.246.170.101)  0.473 ms  0.474 ms  0.602 ms
 4  203.246.169.137 (203.246.169.137)  0.925 ms 203.246.169.188 (203.246.169.188)  1.051 ms 203.246.169.107 (203.246.169.107)  0.899 ms
 5  * * *
 6  * * *
 7  * 141.101.82.7 (141.101.82.7)  12.282 ms *
 8  218.145.42.206 (218.145.42.206)  2.088 ms  2.001 ms  1.657 ms
 9  141.101.82.7 (141.101.82.7)  11.955 ms  11.383 ms  11.345 ms
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

traceroute -T -p 443 172.0.0.0

traceroute to 172.0.0.0 (172.0.0.0), 30 hops max, 60 byte packets
 1  gateway (121.78.230.65)  2.034 ms  2.147 ms  2.143 ms
 2  192.168.200.1 (192.168.200.1)  0.746 ms  0.862 ms  1.056 ms
 3  203.246.170.101 (203.246.170.101)  16.200 ms  16.198 ms  16.191 ms
 4  203.246.169.113 (203.246.169.113)  0.815 ms 203.246.169.144 (203.246.169.144)  0.865 ms 203.246.169.173 (203.246.169.173)  0.864 ms
 5  203.246.163.106 (203.246.163.106)  0.977 ms 203.246.163.98 (203.246.163.98)  1.062 ms 203.246.163.106 (203.246.163.106)  0.969 ms
 6  te0-2-1-2.ccr51.sel01.atlas.cogentco.com (154.18.20.1)  1.413 ms te0-2-0-2.ccr51.sel01.atlas.cogentco.com (154.18.20.33)  1.532 ms te0-2-1-2.ccr51.sel01.atlas.cogentco.com (154.18.20.1)  1.674 ms
 7  be3010.ccr71.tyo01.atlas.cogentco.com (154.54.89.197)  30.896 ms  31.090 ms  31.060 ms
 8  be3929.ccr72.tyo01.atlas.cogentco.com (154.54.83.190)  30.865 ms  30.842 ms  30.934 ms
 9  be3696.ccr41.sjc03.atlas.cogentco.com (154.54.86.137)  136.901 ms  136.848 ms  138.471 ms
10  192.205.32.89 (192.205.32.89)  140.764 ms  140.709 ms  140.666 ms
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  32.130.18.59 (32.130.18.59)  193.023 ms  192.923 ms  193.602 ms
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

traceroute -T -p 443 1.1.1.1

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  gateway (121.78.230.65)  1.669 ms  1.788 ms  1.999 ms
 2  192.168.200.1 (192.168.200.1)  2.241 ms  2.421 ms  2.546 ms
 3  203.246.170.101 (203.246.170.101)  0.683 ms  0.686 ms  0.682 ms
 4  203.246.169.107 (203.246.169.107)  1.133 ms 203.246.169.137 (203.246.169.137)  1.110 ms 203.246.169.138 (203.246.169.138)  1.109 ms
 5  121.78.30.70 (121.78.30.70)  1.684 ms 121.78.63.102 (121.78.63.102)  11.266 ms 121.78.30.70 (121.78.30.70)  1.998 ms
 6  141.101.82.7 (141.101.82.7)  1.373 ms 141.101.82.9 (141.101.82.9)  1.621 ms *
 7  one.one.one.one (1.1.1.1)  0.758 ms  0.836 ms  0.872 ms

Well..
It's NOT a local/nearby routing problem.

But something is stopping IPv4 connections:

3 Likes
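
The comparison drawn in the reply above, as an added example that is not part of the original thread: it parses `traceroute -T -p 443` output, reports whether the destination answered, and counts how many leading hops a failing trace shares with a working control trace. The sample traces are constructed with documentation addresses, and the function names are hypothetical.

```python
import re

# Assumes the default traceroute format, where each responder appears as "name (a.b.c.d)".
ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")

def parse_traceroute(text):
    """Return (destination, hops); hops[i] is the set of addresses that answered at TTL i+1."""
    dest, hops = None, []
    for line in text.splitlines():
        if line.startswith("traceroute to"):
            dest = ADDR.search(line).group(1)
        elif (m := HOP.match(line)):
            hops.append(set(ADDR.findall(m.group(2))))  # "* * *" yields an empty set
    return dest, hops

def summarise(text):
    """Say whether the destination answered and which hop was the last to answer."""
    dest, hops = parse_traceroute(text)
    answered = [i + 1 for i, addrs in enumerate(hops) if addrs]
    last = answered[-1] if answered else 0
    return {"dest": dest, "reached": bool(last) and dest in hops[last - 1],
            "last_hop": last, "last_addrs": sorted(hops[last - 1]) if last else []}

def shared_hops(control, failing):
    """Count leading hops where both traces saw at least one common router."""
    n = 0
    for a, b in zip(parse_traceroute(control)[1], parse_traceroute(failing)[1]):
        if not (a & b):
            break
        n += 1
    return n

# Constructed sample output (documentation addresses), shaped like `traceroute -T -p 443`.
CONTROL = """\
traceroute to 198.51.100.1 (198.51.100.1), 30 hops max, 60 byte packets
 1  gateway (192.0.2.65)  1.669 ms  1.788 ms  1.999 ms
 2  192.0.2.129 (192.0.2.129)  2.241 ms  2.421 ms  2.546 ms
 3  203.0.113.7 (203.0.113.7)  1.133 ms 203.0.113.8 (203.0.113.8)  1.110 ms *
 4  edge.example (198.51.100.1)  0.758 ms  0.836 ms  0.872 ms
"""
FAILING = """\
traceroute to 198.51.100.200 (198.51.100.200), 30 hops max, 60 byte packets
 1  gateway (192.0.2.65)  1.926 ms  2.013 ms  2.008 ms
 2  192.0.2.129 (192.0.2.129)  18.929 ms  19.072 ms  19.219 ms
 3  203.0.113.8 (203.0.113.8)  1.238 ms 203.0.113.9 (203.0.113.9)  0.915 ms *
 4  * * *
 5  203.0.113.77 (203.0.113.77)  1.338 ms  1.303 ms  1.292 ms
 6  * * *
"""

if __name__ == "__main__":
    for name, trace in (("control", CONTROL), ("failing", FAILING)):
        print(name, summarise(trace))
    print("hops shared with control:", shared_hops(CONTROL, FAILING))
```

When the failing trace shares its first hops with a trace that reaches its destination, the local gateway and nearby routers are forwarding traffic, and the loss is further along the path to that one destination.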

Thank you for your reply. Yes, I think so....

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.