Possible IP blocklist?

UFW looks good.

Is there a "control panel" for that?

2 Likes

That one is failing on both servers. If I'm correct this is a Google DNS, and in China most Google services are unreachable.

There's one, but I need to ask someone else for the access. Shouldn't take long though.

1 Like

Let me find a more public IP ...

2 Likes

Try:
curl -I https://ntp.org/
curl -I https://1.1.1.1/
curl -I https://9.9.9.9/

2 Likes
[12:16:39] ~ > curl -I https://ntp.org/
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2022 04:27:37 GMT
Server: Apache
Content-Type: text/html
Strict-Transport-Security: max-age-16000000; includeSubDomains; preload;

[12:16:42] ~ > curl -I https://1.1.1.1/
HTTP/2 200 
date: Wed, 03 Aug 2022 04:16:49 GMT
content-type: text/html
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2tHNyXcmD22dfgT2P8H4nnL22deHaBzm9mCYf7qYG%2FhtnDVqM%2Bmru79U%2Bsvf%2BOxyRhZDHGXuZorOz4tzh%2BStH7yhp5tzDGOiXn2oCUeRiuoNdUkOrPPWVMw%3D"}],"group":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
last-modified: Fri, 13 May 2022 17:37:30 GMT
x-rgw-object-type: Normal
x-amz-request-id: tx000005b7988c8a221c987-0062e9f669-ab5f353-default
strict-transport-security: max-age=31536000
served-in-seconds: 0.003
cache-control: public, max-age=14400
cf-cache-status: HIT
age: 72
expires: Wed, 03 Aug 2022 08:16:49 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
set-cookie: __cf_bm=mdaWKaeECVwstdQIB3hYHu7YlzfsBR1lWfVVD.ta.DE-1659500209-0-AdPtPlywGHn2FboJE7SqZFpRsdp4FF/UAiPPhiq4GfCfma3gvlGqYJkXFN8HYgMj+rXnlhJjju7Dza5ldJzmiVo=; path=/; expires=Wed, 03-Aug-22 04:46:49 GMT; domain=.every1dns.com; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 734c3d779f6f9695-SJC

[12:16:49] ~ > curl -I https://9.9.9.9/
HTTP/2 404 
server: h2o/dnsdist
date: Wed, 03 Aug 2022 04:16:54 GMT
content-type: text/plain; charset=utf-8
content-length: 9

OK, so outbound HTTPS isn't broken.
It's just NOT liking the IP destination: 172.65.32.248

Please confirm the external IP used, with:
curl -4 ifconfig.co

Which should match:

Please also show:
netstat -nr

2 Likes

Sure:

[12:16:54] ~ > curl -4 ifconfig.co
118.31.173.12
[12:24:46] ~ > netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.16.63.253   0.0.0.0         UG        0 0          0 eth0
172.16.48.0     0.0.0.0         255.255.240.0   U         0 0          0 eth0
172.16.63.253   0.0.0.0         255.255.255.255 UH        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-aadddda641e6
172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-fcc2db479123

IP looks correct and NOT blocked.

Routing looks correct.

hmm...

There must be some other firewall in line.

2 Likes
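The checks above (compare the ACME endpoint against a few control hosts, confirm the egress IP and routing, then conclude that a filter somewhere on the path is dropping traffic to one destination) can be turned into a staged probe. The script below is an added example, not code from the thread; it separates DNS, TCP, TLS and HTTP failures for each host and classifies the pattern, so that "only this destination fails" (path filtering) is distinguished from "nothing gets out" (local firewall or routing) and from a plain resolver problem. The control hosts are the three suggested in the thread; the target host name and the 5-second timeout are assumptions.

```python
"""Staged outbound-connectivity probe for an ACME endpoint (added example).

For each host: resolve, open TCP/443, complete a TLS handshake, send HEAD /.
Then compare the target against control hosts that are known to be reachable.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, Optional

TIMEOUT = 5.0  # assumption: seconds per stage

# Assumptions: control hosts from the thread, plus the Let's Encrypt v2 API host.
CONTROL_HOSTS = ["ntp.org", "1.1.1.1", "9.9.9.9"]
TARGET_HOST = "acme-v02.api.letsencrypt.org"


@dataclass
class StageResult:
    dns: Optional[bool] = None   # None means the stage was not attempted
    tcp: Optional[bool] = None
    tls: Optional[bool] = None
    http: Optional[int] = None   # status code from HEAD /, if any


def probe(host: str, port: int = 443) -> StageResult:
    """Run the four stages against one host, stopping at the first failure."""
    r = StageResult()
    try:
        ip = socket.gethostbyname(host)   # a literal IP is returned unchanged
        r.dns = True
    except socket.gaierror:
        r.dns = False
        return r
    try:
        sock = socket.create_connection((ip, port), timeout=TIMEOUT)
        r.tcp = True
    except OSError:                       # refused, timed out, unreachable
        r.tcp = False
        return r
    ctx = ssl.create_default_context()
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
        r.tls = True
    except (ssl.SSLError, OSError):       # handshake reset, bad cert, timeout
        r.tls = False
        sock.close()
        return r
    try:
        req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        tls.sendall(req.encode())
        status_line = tls.recv(64).split(b"\r\n", 1)[0]   # b"HTTP/1.1 200 OK"
        r.http = int(status_line.split()[1])
    except (OSError, ValueError, IndexError):
        r.http = None
    finally:
        tls.close()
    return r


def classify(results: Dict[str, StageResult], target: str) -> str:
    """Turn per-host results into a verdict about where the failure sits."""
    t = results[target]
    controls = [r for h, r in results.items() if h != target]
    controls_ok = bool(controls) and all(r.tcp is True for r in controls)
    if t.dns is False:
        return "dns-failure"          # resolver problem, not a path block
    if t.tcp is False and controls_ok:
        return "target-ip-filtered"   # only this destination is unreachable
    if t.tcp is False:
        return "egress-broken"        # nothing gets out: local firewall/routing
    if t.tls is False:
        return "tls-interference"     # TCP works but the handshake is killed
    if t.http is not None:
        return "reachable"            # any HTTP status (even 404) proves the path
    return "inconclusive"


def run(target: str = TARGET_HOST, controls=CONTROL_HOSTS) -> str:
    """Probe all hosts over the network and return the verdict."""
    results = {h: probe(h) for h in controls + [target]}
    for host, r in results.items():
        print(f"{host:32} dns={r.dns} tcp={r.tcp} tls={r.tls} http={r.http}")
    verdict = classify(results, target)
    print("verdict:", verdict)
    return verdict


if __name__ == "__main__":
    run()
```

A 404 from 9.9.9.9, as in the thread, still counts as "reachable" for the control host: the verdict only needs proof that packets reach that destination and come back. When the verdict is target-ip-filtered, the local UFW rules and routing table are not the place to keep looking; the drop is happening upstream.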

I'll ask to check the provider settings. Will keep you updated if I find anything.

1 Like

We've checked the outgoing settings on both servers and they are essentially the same. The only difference is the location of the server: one is in Shanghai, the other in Hangzhou. We then asked their support but only got the answer that it's not on their side and that it's just a normal network issue.

For reference here's the original message from them:
Hello, we checked and the server IP 172.65.32.248 is an overseas address. You are currently using a mainland server, and the server cannot be reached right now. The cause of this is that you access your server through the mainland network, which passes through the carrier's international routing nodes; these are subject to international link congestion and the carrier's outbound routing restrictions, causing the network link to be unstable or abnormal, hence the behaviour you are seeing. Alibaba Cloud has not blocked anything.

We currently have 60 SSL certificates / domain names on that server and all our certificates will expire in a matter of days / weeks, or a month for the most recent ones. Additionally, in addition to the renewal, we were supposed to deploy new apps on new domain names, so it becomes critical. Do you have any workaround, even a temporary one?

You can try to obtain free certs from another CA.
You can try to proxy the outbound requests.

2 Likes

To obtain a free cert from another CA, try:
certbot --apache --server https://acme.zerossl.com/v2/DV90

3 Likes
