Please unblock IP

I installed a new server with docker / traefik and challenged the wrong hostname, which had no DNS record.

Now I think my IP has been blocked (traefik reports: Timeout during connect (likely firewall problem)).

Can you unblock the IP 167.86.109.80 please.

Regards

Welcome to the community @KardinalReusen

It is unlikely to get blocked from one failed attempt. What does this show:

curl -Iv https://acme-v02.api.letsencrypt.org/directory
curl -Iv https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Dec 17 20:26:28 2021 GMT
*  expire date: Mar 17 20:26:27 2022 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x559f3eb6d810)
> HEAD /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.80.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
HTTP/2 200 
< server: nginx
server: nginx
< date: Tue, 04 Jan 2022 18:46:10 GMT
date: Tue, 04 Jan 2022 18:46:10 GMT
< content-type: application/json
content-type: application/json
< content-length: 658
content-length: 658
< cache-control: public, max-age=0, no-cache
cache-control: public, max-age=0, no-cache
< replay-nonce: 0101_yFOtmjndD12Z-pbRTswl50zxe9IaBphgqpEtPcRr9Q
replay-nonce: 0101_yFOtmjndD12Z-pbRTswl50zxe9IaBphgqpEtPcRr9Q
< x-frame-options: DENY
x-frame-options: DENY
< strict-transport-security: max-age=604800
strict-transport-security: max-age=604800

< 
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

Well... that shows your IP isn't being blocked.


That is good news. Thank you.

The traefik container reports

level=error msg="Unable to obtain ACME certificate for domains \"bully.fastreich.de\": unable to generate a certificate for the domains [bully.fastreich.de]: error: one or more domains had a problem:\n[bully.fastreich.de] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem)\n" providerName=mytlschallenge.acme routerName=traefik-dash@docker rule="Host(`bully.fastreich.de`)"

Can you help me with this error?


The error shown in OP is a typical error reported by Boulder, so it had nothing to do with being blocked from the ACME API to begin with :wink:

@KardinalReusen It's probably the other way around: you're blocking the validation attempt by the Let's Encrypt validation server. From here I can connect to bully.fastreich.de perfectly on port 80, so maybe you're blocking only certain IP ranges or perhaps a geographical blocklist.


It's a fresh debian 11 installation. I have not configured any blocking.

The issue isn't your IPv4 (167.86.109.80) blocking connections, it's that your IPv6 address (2a02:c207:3004:4324::1) isn't working.

On IPv4:

$ curl -4 -v http://bully.fastreich.de/.well-known/acme-challenge/le-forum-test
*   Trying 167.86.109.80...
* TCP_NODELAY set
* Connected to bully.fastreich.de (167.86.109.80) port 80 (#0)
> GET /.well-known/acme-challenge/le-forum-test HTTP/1.1
> Host: bully.fastreich.de
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Tue, 04 Jan 2022 19:20:02 GMT
< Content-Length: 19
<
404 page not found
* Curl_http_done: called premature == 0
* Connection #0 to host bully.fastreich.de left intact

On IPv6:

$ curl -6 -v http://bully.fastreich.de/.well-known/acme-challenge/le-forum-test
*   Trying 2a02:c207:3004:4324::1...
* TCP_NODELAY set

(And it just hangs never getting a response)

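The check petercooperjr did by hand above (curl -4, then curl -6, against the challenge path) is worth automating before requesting a certificate, because a published AAAA record that never answers looks exactly like the "Timeout during connect" in the OP. The following is an added example, not code from the thread or from traefik/Boulder: it resolves every A and AAAA record of a hostname, opens a plain TCP connection to each address on port 80 with the Host header set (traefik routes on Host), and reports per address whether the connection succeeded, timed out, or errored. The hostname and token defaults and the fake resolver/probe used for an offline demo are assumptions for illustration.

```python
# Added example (not from the forum thread): pre-flight check that probes
# every A and AAAA address of a hostname separately, the way the replies
# above did with "curl -4" and "curl -6". The hostname/token arguments and
# the injectable resolve/probe hooks are assumptions for illustration.
import socket
from typing import Dict, List, Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

AddrList = List[Tuple[str, str]]          # (family name, ip)
Result = Tuple[str, str, Optional[int]]   # (family name, outcome, http status)


def resolve_addresses(host: str) -> AddrList:
    """("IPv4"|"IPv6", ip) for every A/AAAA record of host, deduplicated, DNS order kept."""
    seen = set()
    out: AddrList = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in seen:
            continue
        seen.add(ip)
        if family == socket.AF_INET:
            out.append(("IPv4", ip))
        elif family == socket.AF_INET6:
            out.append(("IPv6", ip))
    return out


def http_probe(ip: str, host: str, token: str, timeout: float = 5.0) -> int:
    """Connect to ip:80, GET the challenge path with Host: <host>, return the HTTP status.
    Raises socket.timeout / OSError when the connection itself fails (what curl -6 hit above)."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    request = (
        f"GET {CHALLENGE_PREFIX}{token} HTTP/1.1\r\n"
        f"Host: {host}\r\nUser-Agent: acme-preflight\r\nConnection: close\r\n\r\n"
    )
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect((ip, 80))
        sock.sendall(request.encode("ascii"))
        data = b""
        while True:                      # read until headers are complete or peer closes
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            if b"\r\n\r\n" in data:
                break
    status_line = data.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[1].isdigit():
        raise OSError(f"malformed HTTP response from {ip}: {status_line!r}")
    return int(status_line[1])


def check_host(host: str, token: str, resolve=resolve_addresses, probe=http_probe) -> Dict[str, Result]:
    """Probe every published address. An address that times out or refuses is a failure
    even when another family works: the validator may well pick that address."""
    results: Dict[str, Result] = {}
    for family, ip in resolve(host):
        try:
            results[ip] = (family, "ok", probe(ip, host, token))
        except (socket.timeout, TimeoutError):
            results[ip] = (family, "timeout", None)
        except OSError as exc:
            results[ip] = (family, f"error: {exc}", None)
    return results


def failing_families(results: Dict[str, Result]) -> List[str]:
    """Address families (first-seen order) with at least one address that did not answer."""
    bad: List[str] = []
    for family, outcome, _ in results.values():
        if outcome != "ok" and family not in bad:
            bad.append(family)
    return bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: acme_preflight.py <hostname> [token]")
    host = sys.argv[1]
    token = sys.argv[2] if len(sys.argv) > 2 else "le-forum-test"   # any token; 404 is fine
    res = check_host(host, token)
    for ip, (family, outcome, status) in res.items():
        print(f"{family:4} {ip:40} {outcome}" + (f" (HTTP {status})" if status else ""))
    bad = failing_families(res)
    print("fix DNS or firewall for:", ", ".join(bad) if bad else "nothing, every address answers")
```

A 404 for the probe token is expected and still counts as "ok": as in the IPv4 trace above, it shows the request reached the web server (the "404 page not found" body there is traefik's). Only a connect timeout, a refused connection or a malformed reply marks an address as failing, and any family listed by failing_families is one to either fix or remove from DNS before retrying the challenge.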

I think that is the problem. There is a problem bringing up the IPv6 address.
Thank you very much for your help.


@petercooperjr Good catch! My telnet tries both IPv6 and IPv4 at the same time and as IPv4 connected, I didn't check IPv6.

Strangely enough my telnet doesn't have a -4 or -6 option.. Maybe I'll write a patch :stuck_out_tongue: Edit: Uch, C.. My C is a little bit rusty..


A post was split to a new topic: Is my IP blocked?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.