Possible IP blocklist?

UFW looks good.

Is there a "control panel" for that?

2 Likes

That one is failing on both servers. If I'm correct this is a google DNS. And in China most of google services are unreachable.

There's one, but I need to ask someone else for the access. Shouldn't take long though.

1 Like

Let me find a more public IP ...

2 Likes

Try:
curl -I https://ntp.org/
curl -I https://1.1.1.1/
curl -I https://9.9.9.9/

2 Likes
[12:16:39] ~ > curl -I https://ntp.org/
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2022 04:27:37 GMT
Server: Apache
Content-Type: text/html
Strict-Transport-Security: max-age-16000000; includeSubDomains; preload;

[12:16:42] ~ > curl -I https://1.1.1.1/
HTTP/2 200 
date: Wed, 03 Aug 2022 04:16:49 GMT
content-type: text/html
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2tHNyXcmD22dfgT2P8H4nnL22deHaBzm9mCYf7qYG%2FhtnDVqM%2Bmru79U%2Bsvf%2BOxyRhZDHGXuZorOz4tzh%2BStH7yhp5tzDGOiXn2oCUeRiuoNdUkOrPPWVMw%3D"}],"group":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
last-modified: Fri, 13 May 2022 17:37:30 GMT
x-rgw-object-type: Normal
x-amz-request-id: tx000005b7988c8a221c987-0062e9f669-ab5f353-default
strict-transport-security: max-age=31536000
served-in-seconds: 0.003
cache-control: public, max-age=14400
cf-cache-status: HIT
age: 72
expires: Wed, 03 Aug 2022 08:16:49 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
set-cookie: __cf_bm=mdaWKaeECVwstdQIB3hYHu7YlzfsBR1lWfVVD.ta.DE-1659500209-0-AdPtPlywGHn2FboJE7SqZFpRsdp4FF/UAiPPhiq4GfCfma3gvlGqYJkXFN8HYgMj+rXnlhJjju7Dza5ldJzmiVo=; path=/; expires=Wed, 03-Aug-22 04:46:49 GMT; domain=.every1dns.com; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 734c3d779f6f9695-SJC

[12:16:49] ~ > curl -I https://9.9.9.9/
HTTP/2 404 
server: h2o/dnsdist
date: Wed, 03 Aug 2022 04:16:54 GMT
content-type: text/plain; charset=utf-8
content-length: 9

OK, so outbound HTTPS isn't broken.
It's just NOT liking the IP destination: 172.65.32.248

Please confirm the external IP used, with:
curl -4 ifconfig.co

Which should match:

Please aslo show:
netstat -nr

2 Likes

Sure:

[12:16:54] ~ > curl -4 ifconfig.co
118.31.173.12
[12:24:46] ~ > netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.16.63.253   0.0.0.0         UG        0 0          0 eth0
172.16.48.0     0.0.0.0         255.255.240.0   U         0 0          0 eth0
172.16.63.253   0.0.0.0         255.255.255.255 UH        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-aadddda641e6
172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-fcc2db479123

IP looks correct and NOT blocked.

Routing looks correct.

hmm...

There must be some other firewall in line.

2 Likes

I'll ask to check the provider settings. Will keep you updated if I find anything.

1 Like

We've checked the outgoing settings on both server and they are sensibly the same. The only difference being the location of the server, one is in Shanghai, the other in Hangzhou. We then asked their support but only got for answer that it's not on their side, and it's only a normal network issue.

For reference here's the original message from them:
您好,这边查看服务器ip172.65.32.248 属于海外地址,现在您使用的是大陆服务器,现在服务器无法访问,造成这种现象的原因是您通过大陆的网络访问您的服务器,中间会经过运营商国际路由节点,会受到到国际链路拥塞,以及运营商出境路由限制,导致网络链路不稳定或者异常,因此会出现您现在面临的这种现象。阿里云没有做拦截。

We currently have 60 SSL certificates / domain names on that server and all our certificates will expire in a matter of days / week or month for the most recents. Additionally, in addition to the renewal, we were suppose to deploy new apps on new domain names, so it becomes critical. Do you have any workaround, even temporary ?

You can try to obtain free certs from another CA.
You can try to proxy the outbound requests.

2 Likes

To obtain a free cert from another CA, try:
certbot --apache --server https://acme.zerossl.com/v2/DV90

3 Likes