I installed a new server with docker / traefik and challenged the wrong hostname which had no DNS record.
Now I think my IP has been blocked (traefik reports: Timeout during connect (likely firewall problem)).
Can you unblock the IP 167.86.109.80 please.
Regards
Welcome to the community @KardinalReusen
It is unlikely to get blocked from one failed attempt. What does this show:
curl -Iv https://acme-v02.api.letsencrypt.org/directory
2 Likes
curl -Iv https://acme-v02.api.letsencrypt.org/directory
* Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=acme-v01.api.letsencrypt.org
* start date: Dec 17 20:26:28 2021 GMT
* expire date: Mar 17 20:26:27 2022 GMT
* subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x559f3eb6d810)
> HEAD /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.80.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< server: nginx
server: nginx
< date: Tue, 04 Jan 2022 18:46:10 GMT
date: Tue, 04 Jan 2022 18:46:10 GMT
< content-type: application/json
content-type: application/json
< content-length: 658
content-length: 658
< cache-control: public, max-age=0, no-cache
cache-control: public, max-age=0, no-cache
< replay-nonce: 0101_yFOtmjndD12Z-pbRTswl50zxe9IaBphgqpEtPcRr9Q
replay-nonce: 0101_yFOtmjndD12Z-pbRTswl50zxe9IaBphgqpEtPcRr9Q
< x-frame-options: DENY
x-frame-options: DENY
< strict-transport-security: max-age=604800
strict-transport-security: max-age=604800
<
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
rg305
January 4, 2022, 6:51pm
4
Well... that shows your IP isn't being blocked.
3 Likes
That is good news. Thank you.
The traefik container reports
level=error msg="Unable to obtain ACME certificate for domains \"bully.fastreich.de\": unable to generate a certificate for the domains [bully.fastreich.de]: error: one or more domains had a problem:\n[bully.fastreich.de] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem)\n" providerName=mytlschallenge.acme routerName=traefik-dash@docker rule="Host(`bully.fastreich.de`)"
Can you help me with this error?
1 Like
Osiris
January 4, 2022, 7:00pm
6
The error shown in OP is a typical error reported by Boulder, so it had nothing to do with being blocked from the ACME API to begin with.
@KardinalReusen It's probably the other way around: you're blocking the validation attempt by the Let's Encrypt validation server. From here I can connect to bully.fastreich.de perfectly on port 80, so maybe you're blocking only certain IP ranges or perhaps a geographical blocklist.
2 Likes
It's a fresh debian 11 installation. I have not configured any blocking.
The issue isn't your IPv4 (167.86.109.80) blocking connections, it's that your IPv6 address (2a02:c207:3004:4324::1) isn't working.
On IPv4:
$ curl -4 -v http://bully.fastreich.de/.well-known/acme-challenge/le-forum-test
* Trying 167.86.109.80...
* TCP_NODELAY set
* Connected to bully.fastreich.de (167.86.109.80) port 80 (#0)
> GET /.well-known/acme-challenge/le-forum-test HTTP/1.1
> Host: bully.fastreich.de
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Tue, 04 Jan 2022 19:20:02 GMT
< Content-Length: 19
<
404 page not found
* Curl_http_done: called premature == 0
* Connection #0 to host bully.fastreich.de left intact
On IPv6:
$ curl -6 -v http://bully.fastreich.de/.well-known/acme-challenge/le-forum-test
* Trying 2a02:c207:3004:4324::1...
* TCP_NODELAY set
(And it just hangs never getting a response)
4 Likes
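The per-address-family check above, as an added example that is not code from the thread: a small Python script that resolves every A and AAAA record a name publishes and attempts a TCP connect to each on port 80 with a timeout, so a published IPv6 address that hangs (as 2a02:c207:3004:4324::1 does here) is reported instead of being hidden behind a working IPv4 address. The default target name, the 5 second timeout and the loopback self-check are my assumptions.

```python
import socket
import sys
from typing import Dict, List

# Added example (not code from the forum thread): reproduce the `curl -4` /
# `curl -6` reachability check against every A and AAAA record of a name.
# The target name, port and timeout are assumptions supplied by the caller.

PORT_HTTP = 80  # HTTP-01 validation requests are fetched over port 80


def resolve_all(host: str, port: int = PORT_HTTP) -> Dict[str, List[str]]:
    """Return the IPv4 (A) and IPv6 (AAAA) addresses published for host, keyed by family."""
    families = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}
    found: Dict[str, List[str]] = {}
    for label, family in families.items():
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            infos = []  # no record of this family (or a resolver failure)
        found[label] = sorted({info[4][0] for info in infos})
    return found


def tcp_connect(addr: str, port: int, timeout: float = 5.0) -> str:
    """Try one TCP connect to a literal address.

    Returns "ok", "timeout" (what the hanging IPv6 curl in the thread looks like),
    or "error:<errno>" for an immediate failure such as a refused connection.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError as exc:
        return f"error:{exc.errno}"  # e.g. the probing host has no IPv6 support at all
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return "ok"
    except socket.timeout:  # subclass of OSError, so it must be caught first
        return "timeout"
    except OSError as exc:
        return f"error:{exc.errno}"
    finally:
        sock.close()


def check_host(host: str, port: int = PORT_HTTP, timeout: float = 5.0) -> Dict[str, str]:
    """Probe every published address of host on port; map address -> outcome."""
    results: Dict[str, str] = {}
    for addrs in resolve_all(host, port).values():
        for addr in addrs:
            results[addr] = tcp_connect(addr, port, timeout)
    return results


def failing_addresses(results: Dict[str, str]) -> List[str]:
    """Published addresses that did not accept a connection, sorted for stable output.

    A published AAAA record that times out is exactly the condition found in the
    thread: the name looks fine over IPv4, yet the IPv6 connect never completes.
    """
    return sorted(addr for addr, outcome in results.items() if outcome != "ok")


def local_probe_demo() -> Dict[str, str]:
    """Offline self-check: probe one open loopback port, then the same port once closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = tcp_connect("127.0.0.1", port, timeout=2.0)
    listener.close()
    closed_result = tcp_connect("127.0.0.1", port, timeout=2.0)
    return {"open": open_result, "closed": closed_result}


if __name__ == "__main__":
    # Usage: python probe.py [hostname]; defaults to the name from the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "bully.fastreich.de"
    outcome = check_host(target)
    for addr, result in outcome.items():
        print(f"{addr:45} {result}")
    bad = failing_addresses(outcome)
    print("unreachable:", ", ".join(bad) if bad else "none")
```

Running it against your own name from an outside host shows, per address, whether the connect succeeded, was refused, or timed out; a "timeout" on the IPv6 address next to an "ok" on the IPv4 one is the pattern diagnosed above, and the fix is either to make the IPv6 address answer on port 80 or to stop publishing the AAAA record until it does.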
I think that is the problem. There is a problem bringing up the IPv6 address.
Thank you very much for your help.
2 Likes
Osiris
January 4, 2022, 8:33pm
10
@petercooperjr Good catch! My telnet tries both IPv6 and IPv4 at the same time and as IPv4 connected, I didn't check IPv6.
Strangely enough my telnet doesn't have a -4 or -6 option.. Maybe I'll write a patch. Edit: Uch, C.. My C is a little bit rusty..
2 Likes
rg305
Split this topic
January 7, 2022, 4:22pm
11
A post was split to a new topic: Is my IP blocked?
rg305
Split this topic
January 8, 2022, 4:05pm
12
A post was split to a new topic: Is my IP blocked?
system
Closed
February 7, 2022, 4:06pm
13
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.