Please check if IP 45.149.128.6 is blocked, please unblock

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
equhost.kz

I ran this command:
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
curl -I https://acme-v02.api.letsencrypt.org/directory
curl -6 ifconfig.co

It produced this output:
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
socket: Bad file descriptor
connect:errno=9

curl -I https://acme-v02.api.letsencrypt.org/directory
curl: (7) Failed to connect to 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable

curl -6 ifconfig.co
curl: (7) Failed to connect to 2606:4700:3036::ac43:85e4: Network is unreachable

My web server is (include version):
I run web panel ISPManager 6, it uses nginx (1.16.1) and apache (2.4.6)

The operating system my web server runs on is (include version):
CentOS7 (7.9.2009)

My hosting provider, if applicable, is:
I am a hosting provider, providing shared hosting for clients. Only IPv4 is used on the server.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ISPManager 6 Host

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot is not installed in the system. Integration with Letsencrypt is provided via ISPManager 6 panel

I might be wrong, but I have a feeling that the IP address of my web server is blocked by the Let's Encrypt service. It started yesterday or the day before yesterday.
If possible, could you please unblock my IP: 45.149.128.6

Thank you

2 Likes

It looks like you are having general IPv6 connectivity issue. Could you post please the output of the curl -4 -I https://acme-v02.api.letsencrypt.org/directory command?

8 Likes

To me this sounds like your IPv6 is totally broken. The site ifconfig.co is not related to Let's Encrypt whatsoever, so if that site doesn't work, it's probably a generic IPv6 issue on your site.

I suggest you do some traceroutes and see where the issue lies and try to fix it.

Edit: it seems both IP addresses from your post are from Cloudflare, so perhaps there is a connection there. However, I'm not sure if the LE DDoS protection would also block other sites?

Does your IPv6 work for other IPv6 sites, e.g. Google?

Also, if IPv6 is blocked, then just unblocking your IPv4 address probably isn't enough.

6 Likes

Here is the output:
curl -4 -I https://acme-v02.api.letsencrypt.org/directory
curl: (7) Failed connect to acme-v02.api.letsencrypt.org:443; Connection timed out

2 Likes

Thanks. Is the command curl ifconfig.me working, at least?

6 Likes

I completely disabled IPv6 on my server, so it is not supposed to work. I ran the command "curl -6 ifconfig.co" just because in a similar topic the author was asked to run it.

My IP address 45.149.128.6 is not behind Cloudflare, but it is behind a DDoS protection system (stormwall.pro); I don't know if that makes any sense.

2 Likes

Yes, it is working, here is the output:
curl ifconfig.me
45.149.128.6

2 Likes

I tried accessing a few web sites from the server that are known to be behind Cloudflare, and all of them gave me a timeout error. Even the web site that is hosted on my server.
So now I am starting to think that the problem could actually be related to Cloudflare blocking my web server IP address.

3 Likes

What does this do?

curl -I4 https://acme-v02.api.letsencrypt.org/directory

It looks like your server tries connecting to IPv6 when the DNS for the target has one. The ifconfig.me only has IPv4 address in its DNS so that may be why it worked. The ifconfig.co site has both and is behind Cloudflare (I think). Explicitly using -4 will only use IPv4 and will eliminate LE as a blocker.

6 Likes

Here is the output:
curl -I4 https://acme-v02.api.letsencrypt.org/directory
curl: (7) Failed connect to acme-v02.api.letsencrypt.org:443; Connection timed out

Here is the same command with the -v flag:
curl -vI4 https://acme-v02.api.letsencrypt.org/directory

If I omit the -4 flag, it tries the IPv4 addresses first, then switches to the IPv6 addresses (which are not accessible from my server).

3 Likes
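A small diagnostic that separates the two failures seen in this thread: an immediate "Network is unreachable" on IPv6 (no route because v6 is disabled locally) versus a "Connection timed out" on IPv4 (the SYN is dropped somewhere upstream). This is an added example, not code from the thread or from Let's Encrypt; the host and port are the ACME endpoint the poster was testing, and the status strings and the explain() wording are my own construction.

```python
import errno
import socket

ACME_HOST = "acme-v02.api.letsencrypt.org"   # endpoint from the thread
ACME_PORT = 443
FAMILIES = {"v4": socket.AF_INET, "v6": socket.AF_INET6}

def resolve(host, fam):
    """Distinct addresses of one family ("v4" or "v6"); [] if the name has none."""
    try:
        infos = socket.getaddrinfo(host, None, FAMILIES[fam], socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe(addr, port, fam, timeout=5.0):
    """One TCP connect to a single address, classified like curl's (7) messages."""
    try:
        with socket.socket(FAMILIES[fam], socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return "ok"
    except socket.timeout:
        return "timed out"               # SYN silently dropped somewhere upstream
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EAFNOSUPPORT):
            return "network unreachable"  # no route (or no v6 stack): IPv6 disabled locally
        if e.errno == errno.ECONNREFUSED:
            return "refused"             # host reached, nothing listening on the port
        return "error: %s" % (e.strerror or e)

def diagnose(host=ACME_HOST, port=ACME_PORT, timeout=5.0):
    """Probe every A and AAAA address separately, as curl -4 / curl -6 would."""
    return {addr: probe(addr, port, fam, timeout)
            for fam in FAMILIES for addr in resolve(host, fam)}

def explain(results):
    """Reduce per-address statuses to the reading the thread needed (constructed wording)."""
    v4 = [s for a, s in results.items() if ":" not in a]
    if not results:
        return "name does not resolve: DNS problem, not a block"
    if v4 and all(s == "ok" for s in v4):
        return "IPv4 path works; a v6 failure alone will not stop ACME"
    if v4 and all(s == "timed out" for s in v4):
        return "IPv4 SYNs are dropped upstream: check the filtering in front of the server"
    return "mixed results: inspect the per-address statuses"
```

Running explain(diagnose()) on the affected server gives the one-line reading; the per-address dict shows which family and which address is failing.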

That does not sound quite right if IPv6 is not present but this is getting beyond my network config skills. And, some curl versions prioritize IPv4/6 differently. It is probably worth confirming these versions. Are they the latest updates for Centos7?

curl --version
openssl version

Note that connection timeout is not what we have seen lately when an IP is blocked. I am not sure it is impossible.

6 Likes

curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

2 Likes

Yes, I would expect some other type of message when an IP is blocked. But it looks like the IP is blocked, and I am not sure if it is blocked by Cloudflare or LE.
Actually, I have 2x /24 IP subnets and no IP from those subnets can access web sites behind Cloudflare. So I'm sure it is blocked by CF. But I can't find a way yet to contact their support and find out what needs to be done to unblock my IPs (or IP subnets, or even my ASN).

3 Likes

@lestaff I'm thinking LE isn't blocking this IP address, but could you check it just to be sure anyway?

5 Likes

I got this error:

Error: SOA.Primary Name Server not included in the delegation set.: equhost.kz.

  • X Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: equhost.kz (45.149.128.6): Delegation: ns1.equhost.kz, ns2.equhost.kz, Zone: ns1.equhost.kz, ns2.equhost.kz, ns3.equhost.kz. Name Servers defined in Zone, missing in Delegation: ns3.equhost.kz.
  • X Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns1.equhost.kz (45.149.128.20): Delegation: ns1.equhost.kz, ns2.equhost.kz, Zone: ns1.equhost.kz, ns2.equhost.kz, ns3.equhost.kz. Name Servers defined in Zone, missing in Delegation: ns3.equhost.kz.
  • X Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns2.equhost.kz (45.149.128.6): Delegation: ns1.equhost.kz, ns2.equhost.kz, Zone: ns1.equhost.kz, ns2.equhost.kz, ns3.equhost.kz. Name Servers defined in Zone, missing in Delegation: ns3.equhost.kz.
  • X Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns3.equhost.kz (45.149.128.6): Delegation: ns1.equhost.kz, ns2.equhost.kz, Zone: ns1.equhost.kz, ns2.equhost.kz, ns3.equhost.kz. Name Servers defined in Zone, missing in Delegation: ns3.equhost.kz.

You have a self-signed cert, but Firefox cannot retrieve it as it says "We were unable to find the certificate information, or the certificate is corrupted."

It appears the last LE cert expired back on 16 July, 2021.

4392097061  leaf cert  CN=R3, O=Let's Encrypt, C=US  2021-04-17 18:31:20  2021-07-16 18:31:20  equhost.kz, mail.equhost.kz  (2 entries)
4392094087  leaf cert  CN=R3, O=Let's Encrypt, C=US  2021-04-17 18:30:20  2021-07-16 18:30:20  equhost.kz  (1 entries)
4071113221  precert    CN=R3, O=Let's Encrypt, C=US  2021-02-12 19:29:19  2021-05-13 18:29:19  equhost.kz  (1 entries)

7 Likes

Try:
curl -6 https://google.com/

6 Likes

Here it is:

curl -6 https://google.com/
curl: (7) Failed to connect to 2a00:1450:4010:c08::65: Network is unreachable

3 Likes

Hi, thank you for mentioning this error, I missed that part. So was the mentioned IP blocked?
I updated the set of authoritative name servers for the domain equhost.kz to ns1.equhost.kz and ns2.equhost.kz; hopefully the changes will propagate soon.
Regarding the cert, it is issued by LE and expires on 28 Dec 2021; I'm not sure how the old July cert popped up. The only self-signed cert for this domain was issued today for the LE renewal, so I'm not sure.
Taking into account the changes to the set of authoritative NS servers for the domain, will that lead to unblocking IP 45.149.128.6?

2 Likes

Your IP seems to have outbound connectivity issues.
Fixing that may fix your cert renewal problem.

7 Likes

I see you obtained a new cert and your website is responding now.
Sun, 19 Dec 2021 20:31:19 GMT

:clap: :tada:

Can you share the solution you found? It may help others in the future. Thank you.

8 Likes