My ip is apparently blocked 86.111.12.92

root@ucs:~# curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248...
* TCP_NODELAY set
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
* connect to 172.65.32.248 port 443 failed: No route to host
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
* Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host
root@ucs:~# curl -Iv https://google.com/
*   Trying 173.194.220.102...
* TCP_NODELAY set
* Connected to google.com (173.194.220.102) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.google.com
*  start date: Mar 10 08:36:06 2025 GMT
*  expire date: Jun 2 08:36:05 2025 GMT
*  subjectAltName: host "google.com" matched cert's "google.com"
*  issuer: C=US; O=Google Trust Services; CN=WE2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5564b14b1e00)
> HEAD / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 301
HTTP/2 301
< location: https://www.google.com/
location: https://www.google.com/
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-mLT2f6CozvfeY79TClJsIA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-mLT2f6CozvfeY79TClJsIA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< date: Sun, 30 Mar 2025 06:17:10 GMT
date: Sun, 30 Mar 2025 06:17:10 GMT
< expires: Tue, 29 Apr 2025 06:17:10 GMT
expires: Tue, 29 Apr 2025 06:17:10 GMT
< cache-control: public, max-age=2592000
cache-control: public, max-age=2592000
< server: gws
server: gws
< content-length: 220
content-length: 220
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
* Curl_http_done: called premature == 0
* Connection #0 to host google.com left intact

86.111.12.92 is an IPv4 address. The address above your host is trying to connect to is an IPv6 address.

Apparently your host thinks it's able to use the IPv6 protocol, but clearly it can't.

Not sure why your curl suddenly tries IPv4 for google.com though. But you either need to fix your IPv6 or disable it.

6 Likes

You may want to add the -4 flag to the curl command to make the failure more visible.

2 Likes

root@ucs:~# curl -v -4 https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248...
* TCP_NODELAY set
* connect to 172.65.32.248 port 443 failed: No route to host
* Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: No route to host
root@ucs:~#

What do the following commands output?

traceroute -4 acme-v02.api.letsencrypt.org
traceroute -6 acme-v02.api.letsencrypt.org
sudo traceroute -4 -T -p 443 acme-v02.api.letsencrypt.org
sudo traceroute -6 -T -p 443 acme-v02.api.letsencrypt.org
ip -4 route list
ip -6 route list
1 Like

root@ucs:~# traceroute -4 acme-v02.api.letsencrypt.org
-bash: traceroute: command not found
root@ucs:~# traceroute -6 acme-v02.api.letsencrypt.org
-bash: traceroute: command not found
root@ucs:~# sudo traceroute -4 -T -p 443 acme-v02.api.letsencrypt.org
sudo: traceroute: command not found
root@ucs:~# sudo traceroute -6 -T -p 443 acme-v02.api.letsencrypt.org
sudo: traceroute: command not found
root@ucs:~# ip -4 route list
default via 192.168.8.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.42.1
192.168.8.0/24 dev eth0 proto kernel scope link src 192.168.8.48
root@ucs:~# ip -6 route list
root@ucs:~#

A Linux system without traceroute installed? That's weird.

1 Like

root@ucs:~# traceroute -4 -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 192.168.8.1 (192.168.8.1) 0.847 ms 0.833 ms 0.874 ms
2 192.168.8.1 (192.168.8.1) 3144.160 ms !H 3144.182 ms !H 3144.290 ms !H
root@ucs:~#
root@ucs:~# traceroute -6 -T -p 443 acme-v02.api.letsencrypt.org

connect: Cannot assign requested address

You can see your own router is sending the Network is unreachable messages (by the !H notification). So it's not some Cloudflare/Let's Encrypt blockage.

You should check your router settings as to why it would block access to 172.65.32.248. This is often caused by an incorrect setting of the 172.16.0.0/12 private address space. Notice the /12. Sometimes the entire 172.0.0.0/8 ranges gets routed as 'private', which would obviously block access to IP addresses within the public IP address space within the 172.0.0.0/8 range.

5 Likes
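To make the /12 versus /8 point above concrete, here is an added example (not code from the thread or from any of its participants): it does a longest-prefix lookup of 172.65.32.248 against a constructed copy of the `ip -4 route list` output posted earlier, then checks the same address against the correct RFC 1918 ranges and against the mistaken 172.0.0.0/8 "private" range that the reply describes.

```python
import ipaddress

# Constructed copy of the route table shown in the thread (ip -4 route list).
ROUTE_TABLE = """\
default via 192.168.8.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.42.1
192.168.8.0/24 dev eth0 proto kernel scope link src 192.168.8.48
"""

# RFC 1918 private ranges; note the /12, not /8, for the 172 block.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The router misconfiguration described in the thread: all of 172/8 treated as private.
MISTAKEN_172 = [ipaddress.ip_network("172.0.0.0/8")]


def parse_routes(text):
    """Turn `ip -4 route list` lines into (network, next_hop, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = ipaddress.ip_network("0.0.0.0/0" if fields[0] == "default" else fields[0])
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((dst, via, dev))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, the same rule the kernel applies to an outgoing packet."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def treated_as_private(addr, private_ranges):
    """Return the first 'private' range a filter would match addr against, or None."""
    ip = ipaddress.ip_address(addr)
    for net in private_ranges:
        if ip in net:
            return net
    return None


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    dst, via, dev = lookup(routes, "172.65.32.248")
    print(f"host forwards 172.65.32.248 via {via} on {dev} (matched {dst})")
    print("correct /12 filter matches:", treated_as_private("172.65.32.248", RFC1918))
    print("mistaken /8 filter matches:", treated_as_private("172.65.32.248", MISTAKEN_172))
```

The host itself has no route problem: the docker0 route only covers 172.17.0.0/16, so the packet goes to the default gateway 192.168.8.1, which is exactly where the `!H` in the traceroute comes from.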

root@ucs:~# curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I connected another provider and got this.

It turns out that it is blocked, how do I unlock it? I need it from this IP.

How have you made that determination? So far you have only shown that you (or one of your ISPs) have a routing issue with traffic bound for 172.65.32.248.

4 Likes

No, it turns out that your router doesn't know how to route to that address--which is what you were previously told. That's a you (or your provider) problem, not a Let's Encrypt problem. If it works with one provider and not another, it seems pretty obvious that the problem is with the one provider.

"My IP is blocked" is never the conclusion you should jump to, as it's exceedingly rare for it to happen. And "no route to host" pretty much definitively shows that that isn't what's going on.

5 Likes

Your problem is likely related to this docker routing.

As noted by my fellow volunteers your problem is with your own local network routing. Let's Encrypt doesn't have those old IP blocks anymore. And, even when they did the error was different than you see.

4 Likes

Most likely, the provider is blocked or blocked at 172.65.32.248. I launched it on the Mikrotik entrance gateway.

How can I make sure it's a provider? It's just that the provider says that he has no locks on this site. I completely reinstalled the system, the same thing.

Check the plank in your own eye before asking your ISP if they have a speck in their eye.

3 Likes

You should use a TCP trace, not ICMP.

Network routings can be very difficult to locate. A different Certificate Authority may be your best option.

What do these show?

curl https://api.buypass.com/acme/directory

curl -i --connect-to ::172.253.115.139:443 https://dv.acme-v02.api.pki.goog/directory
2 Likes

I have checked access from all devices, computer server phone. As soon as I log on to the network via Wi-Fi or wire, it is immediately blocked. I even went to the neighbors, they have the same provider, it works for them.

I'll try it within an hour. From the phone, the first link doesn't work, the second one does.