No route to host when requesting renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: morgoth.jhmjcm.net

I ran this command: /usr/local/bin/certbot renew -q --post-hook "/usr/sbin/service dovecot restart"

It produced this output:

Attempting to renew cert (morgoth.jhmjcm.net) from /usr/local/etc/letsencrypt/renewal/morgoth.jhmjcm.net.conf produced an unexpected error: Requesting acme-v02.api.letsencrypt.org/directory: No route to host. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/morgoth.jhmjcm.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version): n/a (no web server on machine)

The operating system my web server runs on is (include version): FreeBSD 12.3-RELEASE-p9

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.5.0

Additional information:
angmar:~ jhm$ dig acme-v02.api.letsencrypt.org

; <<>> DiG 9.10.6 <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65393
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.	IN	A

;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 6525 IN	CNAME	prod.api.letsencrypt.org.
prod.api.letsencrypt.org. 3600	IN	CNAME	ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 3600	IN A 172.65.32.248

;; Query time: 85 msec
;; SERVER: 172.20.2.2#53(172.20.2.2)
;; WHEN: Sat Dec 10 14:36:00 EST 2022
;; MSG SIZE  rcvd: 155

angmar:~ jhm$ traceroute acme-v02.api.letsencrypt.org

traceroute to ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248), 64 hops max, 52 byte packets
 1  cerberus (172.20.2.1)  1.034 ms  0.333 ms  0.295 ms
 2  173-12-83-238-miami.hfc.comcastbusiness.net (173.12.83.238)  1.995 ms  2.145 ms  2.188 ms
 3  96.120.36.193 (96.120.36.193)  9.077 ms  10.686 ms  9.468 ms
 4  68.85.82.241 (68.85.82.241)  9.552 ms  10.631 ms  11.380 ms
 5  96.108.22.89 (96.108.22.89)  9.128 ms  12.929 ms  9.950 ms
 6  ae-13-ar02.stuart.fl.pompano.comcast.net (96.108.23.117)  11.292 ms  13.026 ms  10.510 ms
 7  68.85.127.53 (68.85.127.53)  10.854 ms  10.907 ms  13.816 ms
 8  be-40-ar01.northdade.fl.pompano.comcast.net (68.86.165.161)  14.111 ms  33.058 ms  15.058 ms
 9  96.110.5.141 (96.110.5.141)  15.678 ms  15.169 ms  14.996 ms
10  be-33811-cs01.miami.fl.ibone.comcast.net (96.110.45.65)  15.928 ms  15.799 ms
    be-33841-cs04.miami.fl.ibone.comcast.net (96.110.45.77)  15.486 ms
11  be-3412-pe12.nota.fl.ibone.comcast.net (96.110.33.174)  16.101 ms
    be-3311-pe11.nota.fl.ibone.comcast.net (96.110.33.154)  16.008 ms
    be-3411-pe11.nota.fl.ibone.comcast.net (96.110.33.158)  15.025 ms
12  50.208.234.222 (50.208.234.222)  17.384 ms  17.360 ms
    50.208.235.254 (50.208.235.254)  57.514 ms
13  108.162.211.12 (108.162.211.12)  32.616 ms
    172.70.52.2 (172.70.52.2)  15.509 ms
    172.70.52.4 (172.70.52.4)  19.552 ms
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
31  * * *
32  * * *
33  * * *
34  * * *
35  * * *
36  * * *
37  * * *
38  * * *
39  * * *
40  * * *
41  * * *
42  * * *
43  * * *
44  * * *
45  * * *
46  * * *
47  * * *
48  * * *
49  * * *
50  * * *
51  * * *
52  * * *
53  * * *
54  * * *
55  * * *
56  * * *
57  * * *
58  * * *
59  * * *
60  * * *
61  * * *
62  * * *
63  * * *
64  * * *
angmar:~ jhm$ 

My ISP is Comcast Business and the traceroute seems to go off into never-never land after leaving Comcast's internal network.

Has anyone had similar problems and, if so, how was it resolved?

Thanks in advance for any assistance!

Hello @jhmjcm and welcome to the community!
Let's start with the basics. I see the output from your post. Here is what I see from Oregon USA...
We need to make a "route" available to the world....

nmap -p 22,80,443 173.12.83.237
Host is up (0.12s latency).

PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  closed   http
443/tcp filtered https

Not gonna work.

Let's open up port 80 and 443 so the tools can do their jobs!

Well, howdy neighbor!
And welcome to the LE community forum :slight_smile:

That could use an update.

Let's have a look at the routing table on that system:
netstat -nr

Also, does it have IPv6 enabled?

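The two replies above ask, in effect, which layer is failing: DNS, the IPv4 path, or an IPv6 path that may be present but unrouted. The following script is an added example (not from this thread, not part of certbot) that resolves the ACME host named in the question, attempts a TCP connect to every returned address, and reports a per-address diagnosis derived from the socket errno; ACME_HOST comes from the thread, everything else is assumed.

```python
"""Pre-renewal reachability check for the ACME endpoint (added example).
Separates DNS failure, per-address "no route to host", timeouts and refusals
so a certbot renewal error can be attributed to the right layer."""
import errno
import socket
import sys

ACME_HOST = "acme-v02.api.letsencrypt.org"  # host named in the original post
ACME_PORT = 443

def classify_errno(code):
    """Map a socket errno to a short diagnosis a human can act on."""
    if code == errno.EHOSTUNREACH:
        return "no route to host (local routing table or upstream gateway)"
    if code == errno.ENETUNREACH:
        return "network unreachable (no route for this address family)"
    if code == errno.ECONNREFUSED:
        return "connection refused (host reached, port closed)"
    if code == errno.ETIMEDOUT:
        return "timed out (packets dropped in transit or filtered)"
    return "other error (errno %s)" % code

def probe(host=ACME_HOST, port=ACME_PORT, timeout=5.0):
    """Resolve host and try a TCP connect to each address (both families).
    Returns (family, address, outcome) tuples; nothing is sent after connect."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [("dns", host, "resolution failed: %s" % exc)]
    results = []
    for family, socktype, proto, _canon, sockaddr in infos:
        fam = "ipv6" if family == socket.AF_INET6 else "ipv4"
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            results.append((fam, sockaddr[0], "ok"))
        except socket.timeout:  # errno is None here, so classify explicitly
            results.append((fam, sockaddr[0], classify_errno(errno.ETIMEDOUT)))
        except OSError as exc:
            results.append((fam, sockaddr[0], classify_errno(exc.errno)))
        finally:
            sock.close()
    return results

def verdict(results):
    """'ok' if any address connected, else the distinct failure diagnoses."""
    if any(outcome == "ok" for _, _, outcome in results):
        return "ok"
    return "; ".join(sorted({outcome for _, _, outcome in results}))

if __name__ == "__main__":
    res = probe()
    for fam, addr, outcome in res:
        print("%-4s %-40s %s" % (fam, addr, outcome))
    sys.exit(0 if verdict(res) == "ok" else 1)
```

Because it exits non-zero when no address connects, it can be run from certbot's --pre-hook to abort a renewal that would fail anyway; an "ok" on IPv4 beside a failure on IPv6 points at the address-family question raised above.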

This is an update with the ultimate resolution to the issue.

As it turns out, the routing table on the ISP (Comcast Business) equipment (modem) was corrupted due to an intermittent hardware issue. Unfortunately, this is not exposed to the user on bridged equipment (as exists in my setup due to the static IP). After several rounds of testing, a failure was noticeable on Comcast's side and the equipment was replaced. This ended up resolving the issue.

Thanks to everyone who posted suggestions!