Need Help with Certificate Renewal Issue

Trade · July 14, 2024, 8:26pm

Hello,

I am encountering an issue with renewing my SSL certificates using Certbot on my EC2 instance running Ubuntu 22.04.

My domain is: admin-agg.mm.app-kfc.com (13.56.83.246)

I ran this command: sudo certbot --nginx

It produced this output: ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable

My web server is: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is: Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is: AWS EC2 instance

I can login to a root shell on my machine: yes

The version of my client is: certbot 2.11.0.

2024-07-14_15-26

MikeMcQ · July 14, 2024, 8:44pm

First, the Let's Encrypt ACME API only supports HTTPS. Your example curl was trying HTTP (and mistakenly included the name traceroute).

I think something may be set wrong in your EC2 Security Group. Check your permissions for port 443 - both inbound and outbound rules. I can't reach your domain using HTTPS not even to be told it had an expired cert. HTTP (port 80) works fine.

If you don't see anything wrong there, please show result of these

curl -4 https://acme-v02.api.letsencrypt.org/directory
curl -6 https://acme-v02.api.letsencrypt.org/directory
sudo traceroute -T -p443 acme-v02.api.letsencrypt.org

And also

curl -I https://google.com
curl https://cloudflare.com/cdn-cgi/trace

Trade · July 14, 2024, 9:33pm

Hello,

Thank you for your response. Yes, we also tried with HTTPS. I am sharing screenshots of each command:

MikeMcQ · July 14, 2024, 10:02pm

Thanks.

The IPv4 address for the LE API is 172.65.32.248 (today)

There is a range of private IP addresses that start with 172. But, that should only be for the range 172.16.0.0/12.

If you setup your local network (wrongly) to use, say, 172.0.0.0/8 that declares a wider range of IP addresses as private. Your local network won't then route requests for these extra IP to the public internet. The acme-v02 IP is between /8 and /12 so you won't be able to reach it.

I think that is what is happening here as shown by the traceroute never reaching even the public internet.

netstat -nr

ARIN Explanation: IPv4 Private Address Space and Filtering - American Registry for Internet Numbers

See AWS docs for Route Table Configuration

system · August 13, 2024, 10:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
The network is not available when trying to request a certificate Help	4	1218	September 4, 2022
I can't renew a certificate - Network is unreachable Help	25	2382	September 30, 2022
Certbot -d with error - IP Blocked? Help	9	1563	November 3, 2023
Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable Help	20	8861	June 12, 2022
Suddenly acme-challenge Invalid response Help	27	7904	June 25, 2020

Need Help with Certificate Renewal Issue

Related topics