Peerblock software

My domain is: bitcompany.it

I ran this command: Certificate renew

It produced this output: no renew

My web server is (include version): Windows Server 2019

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): plesk Obsidian last version

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello,
I have tried to answer all the questions (even the useless ones ...). My problem is that I have installed the PeerBlock software as a firewall (https://www.peerblock.com/) and it does not allow me to update the certificates. I tried to add all your IPs known to me to the white list, but to no avail. Do you have any suggestions?
Thanks

I don't think your problem is with the firewall.

It looks like your IPv6 DNS address is not working right. When you have an AAAA record in your DNS the Let's Encrypt server will use that instead of any A record. You have both but connections using IPv6 fail. You can see this with the Let's Debug test site.

Your DNS:

nslookup bitcompany.it
Address: 82.165.254.63
Address: 2001:8d8:1800:195::1

ok, but the problem is that I use bitcompany.it only to give a site (since the module requires it); in reality on this server I have about 300 domains and they all have the same problem during the renewal, but if I "turn off" PeerBlock, the renewal works normally (also for bitcompany). I'm glad you did this check, but your answer doesn't solve my problem (now I'll check the IPv6, but it has nothing to do with PeerBlock, which I know for sure is the cause of the non-renewal).
If you can go further with the help, I would appreciate it.

Maybe peerblock blocks all IPv6 connections? All I know is Let's Encrypt server will try to renew using IPv6 because you have an AAAA record. And, I cannot connect to your server using IPv6 and neither can the Let's Encrypt test site I already linked to.

Is that a valid IPv6 address for you? Try running this on your server and see if the IP returned matches what I showed above:

curl -6 http://ifconfig.co

I have no idea if PeerBlock interferes with IPv6 addresses; the only thing I know is that if I turn it off the renewals go through, and if I leave it on, they don't!

What does the output of this command show when you run it on your server?


As further info ... the Let's Encrypt server will make an HTTP request to your server to check your domain before issuing or renewing a cert. The HTTP request is in a format similar to what I show below. Using curl -4 forces the use of the IPv4 address and returns an HTTP 404 response. This shows the connection worked, and the 404 is expected because the file TestToken123 does not exist. But if I try using curl -6 to use the IPv6 address, the connection request times out. As I already explained, the Let's Encrypt server will use the IPv6 address because you have an AAAA record in your DNS.

I am not familiar with your brand of firewall. But I was asking to see your result of the curl -6 ifconfig.co command for several reasons. It would be helpful to know the results.

Here are my sample requests to your server

curl -I4 bitcompany.it/.well-known/acme-challenge/TestToken123
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 4873
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-Powered-By: ARR/3.0
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Fri, 24 Jun 2022 15:03:06 GMT

curl -I6 -m10 bitcompany.it/.well-known/acme-challenge/TestToken123
curl: (28) Failed to connect to bitcompany.it port 80 after 5000 ms: Connection timed out

2001:8d8:1800:195::2 (which is the other IP of the same server - the main one is 2001:8d8:1800:195::1)

ok, if it gets that complicated I will just "turn off" PeerBlock when I have to do the renewals. Obviously if I turn it off the server responds normally ... now I'll try.

You could try removing the AAAA record from your DNS and see if that works.

I don't have any trouble using the IPv4 address and I don't see any reason Let's Encrypt renewal would fail with that.


with PeerBlock off:

C:\Users\Administrator>curl -6 http://ifconfig.co
2001:8d8:1800:195::2

C:\Users\Administrator>curl -4 http://ifconfig.co
82.165.254.63

Does that change with PeerBlock on?


yes. NOW:
C:\Users\Administrator>curl -6 http://ifconfig.co
2001:8d8:1800:195::1

try the test again, thanks


That's interesting. I cannot reach either of those IPv6 addresses. You should try removing the AAAA record from your DNS. Then, either try a renew or use the Let's Debug test site. If the test site works your renewals should work.

Then, you can try to sort out what is wrong with IPv6 inbound connections. You may need to discuss this with your ISP or with PeerBlock. Once you think you have it fixed, you can add the AAAA record back in and try the Let's Debug test site to check the connection.


for example, another domain on the same server (pmbcomunicazione.it) replies to me during the renewal attempt:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/123210647826.

Details:

Type: urn:ietf:params:acme:error:connection

Status: 400

Detail: During secondary validation: 82.165.254.63: Fetching http://pmbcomunicazione.it/.well-known/acme-challenge/OYv6MwMatEh9jAeZkI258wz8DGJYxPMlC-xowER_RXo: Timeout during connect (likely firewall problem)

but if, as I said before, I turn off PeerBlock, it renews normally.

That is a different problem. And the DNS for this domain only has an IPv4 A record; it does not have an IPv6 AAAA record. You can see the IP address the Let's Encrypt server used in the error message (82.165.254.63).

Is PeerBlock off now? Because the Let's Debug test site worked fine for pmbcomunicazione just now, and I can do sample tests too and they all work.

The error says "secondary validation". That might mean you have a geography-based block in your firewall. The Let's Encrypt process will send up to 4 requests to your server from different parts of the world. All of these should work. The IP addresses can change at any time, so your attempt to allow only some of them will not work.

You should see if you can allow any URL requests that contain /.well-known/acme-challenge/. That would allow the HTTP challenge requests to work from any IP Let's Encrypt might use.

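To make the manual curl -4 / curl -6 test from earlier in the thread repeatable across all 300 domains, here is a small pre-flight script. It is an added example, not code from the thread, from PeerBlock or from Let's Encrypt: it resolves a domain's A and AAAA records, requests the challenge path from every published address the way curl -4/-6 do, and treats "no response at all" as the "Timeout during connect (likely firewall problem)" failure quoted above. The token TestToken123 is made up (a 404 is the expected good answer, because it proves the web server was reached), the function names are illustrative, and the resolver/prober arguments exist only so the decision logic can be exercised without network access.

```python
"""
ACME HTTP-01 pre-flight check: does every published address of a domain
answer on port 80 for /.well-known/acme-challenge/?

Added example, not from the thread or from Let's Encrypt.  A 404 for the
made-up token is the good case (the request reached the web server); no
response at all is the "likely firewall problem" case from the error above.
"""
import http.client
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Made-up token, as in the manual curl test; the CA uses a real one.
CHALLENGE_PATH = "/.well-known/acme-challenge/TestToken123"


@dataclass
class Probe:
    family: str            # "IPv4" or "IPv6"
    address: str
    status: Optional[int]  # HTTP status, or None when nothing answered
    error: Optional[str]   # exception name when status is None


def resolve(domain: str) -> Tuple[List[str], List[str]]:
    """Return (A addresses, AAAA addresses) published for the domain."""
    v4, v6 = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return sorted(v4), sorted(v6)


def http_probe(domain: str, address: str, family: str, timeout: float = 10.0) -> Probe:
    """Connect to one specific address with the domain in the Host header
    (what curl -4 / curl -6 do) and report the HTTP status, if any."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH, headers={"Host": domain})
        return Probe(family, address, conn.getresponse().status, None)
    except (OSError, http.client.HTTPException) as exc:  # timeout, refused, reset, bad reply
        return Probe(family, address, None, type(exc).__name__)
    finally:
        conn.close()


def classify(v4: List[str], v6: List[str], probes: List[Probe]) -> Tuple[bool, List[str]]:
    """Every published address must answer: a validator that picks the AAAA
    address and times out never benefits from the IPv4 server that works."""
    if not v4 and not v6:
        return False, ["no A or AAAA record: nothing for the CA to connect to"]
    reasons = []
    for p in probes:
        if p.status is None:
            reasons.append(f"{p.family} {p.address}: no HTTP response ({p.error}) - likely firewall problem")
        else:
            reasons.append(f"{p.family} {p.address}: HTTP {p.status} - web server reached")
    if any(p.family == "IPv6" and p.status is None for p in probes):
        reasons.append("AAAA record is published but IPv6 does not answer: "
                       "fix inbound IPv6 or remove the AAAA record")
    return all(p.status is not None for p in probes), reasons


def preflight(domain: str,
              resolver: Callable = resolve,
              prober: Callable = http_probe) -> Tuple[bool, List[str]]:
    """Run the whole check.  resolver/prober are injectable (illustrative
    design choice) so the logic can be exercised without network access."""
    v4, v6 = resolver(domain)
    probes = [prober(domain, a, "IPv4") for a in v4] + [prober(domain, a, "IPv6") for a in v6]
    return classify(v4, v6, probes)


if __name__ == "__main__":
    import sys
    ok, reasons = preflight(sys.argv[1] if len(sys.argv) > 1 else "bitcompany.it")
    print("\n".join(reasons))
    print("PASS" if ok else "FAIL: an HTTP-01 renewal would likely fail")
```

Run it on the server once with PeerBlock on and once with it off and compare the two outputs for a domain that fails to renew. A PASS from the server itself does not rule out the "secondary validation" failure quoted above, because those requests come from other parts of the world; confirm from outside with the Let's Debug test site the thread links.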

ok, thank you for the moment. I'll see what I have to do on the server to find the problem; eventually I will contact you to see if I have solved it. Thanks again very much.
