Connection problem

I can read the answers in English: yes

My domain is: mail.tsswireless.xyz

I ran this command: certbot --nginx -d mail.tsswireless.xyz

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is: Dell Inc. OptiPlex 3010

The operating system my web server is running on is: AlmaLinux 9.1 (Lime Lynx)

I can log in to a root shell on my server: yes

I am using a control panel to manage my site: no

My client version is: certbot 2.5.0

Hello @, welcome to the Let's Encrypt community. :slightly_smiling_face:

$ curl -Ii http://mail.tsswireless.xyz/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx/1.20.1
Date: Sun, 25 Jun 2023 00:49:04 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://mail.tsswireless.xyz/.well-known/acme-challenge/sometestfile
$ curl -Ii https://mail.tsswireless.xyz/.well-known/acme-challenge/sometestfile
HTTP/1.1 403 Forbidden
Server: nginx/1.20.1
Date: Sun, 25 Jun 2023 00:49:08 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

Your server is returning 403 Forbidden when it should be returning 404 Not Found.

You can find general nginx information in the nginx documentation and at https://forum.nginx.org/ .

Port 443 certificate is fine: https://decoder.link/sslchecker/mail.tsswireless.xyz/443
Edit: using this certificate, crt.sh | 9453340096

Port 465 certificate has expired: https://decoder.link/sslchecker/mail.tsswireless.xyz/465
Edit: using this certificate, crt.sh | 8953137307

Also please attach the

1 Like

My letsencrypt.log

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in
sys.exit(main())
File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1440, in run
le_client = _init_le_client(config, authenticator, installer)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 835, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 297, in init
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
directory = acme_client.ClientV2.get_directory(config.server, net)
File "/usr/lib/python3.9/site-packages/acme/client.py", line 331, in get_directory
return messages.Directory.from_json(net.get(url).json())
File "/usr/lib/python3.9/site-packages/acme/client.py", line 706, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3.9/site-packages/acme/client.py", line 670, in _send_request
raise ValueError(f"Requesting {host}{path}:{err_msg}")
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
2023-06-24 19:22:17,612:ERROR:certbot._internal.log:An unexpected error occurred:
2023-06-24 19:22:17,612:ERROR:certbot._internal.log:ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable

There is also a Spanish-specific subsection of Help; you may find that helpful in letting the Let's Encrypt community volunteers know to use something like Google Translate.

1 Like

Share the output of

curl -4 acme-v02.api.letsencrypt.org

and also

curl -4 ifconfig.co
curl -6 ifconfig.co
curl -4 ifconfig.io
curl -6 ifconfig.io
1 Like

curl -4 acme-v02.api.letsencrypt.org : curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 80: There is no route to the `host'

curl -4 ifconfig.co: curl: (7) Failed to connect to ifconfig.co port 80: There is no route to the `host'
curl -6 ifconfig.co: curl: (7) Couldn't connect to server

I currently have IPv6 disabled.

Your DNS Resolver is not configured correctly on that machine.

What do ifconfig -a and netstat -r -n show?

1 Like

I think this is more likely a network config problem affecting outbound connections. And, not so much DNS resolver. You could just try dig letsencrypt.org

@Bruce5051 Note that HTTP connections to the Let's Encrypt ACME API endpoint always fail because it only supports HTTPS. Something to watch for as you continue to debug.

curl -I http://acme-v02.api.letsencrypt.org/directory
curl: (56) Recv failure: Connection reset by peer

curl -I https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200
server: nginx
3 Likes

Thanks @MikeMcQ! :slight_smile:

2 Likes

@JoseGR02 presently inbound ports 80, 443, and 465 are all being filtered and not OPEN.

$ nmap -Pn -p80,443,465 mail.tsswireless.xyz
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-25 02:48 UTC
Nmap scan report for mail.tsswireless.xyz (190.14.195.210)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https
465/tcp filtered smtps

Nmap done: 1 IP address (1 host up) scanned in 3.54 seconds
2 Likes

There is a newer version.

hmm...
If DNS was failing, then this:

Would have said something more like:
curl: (6) Could not resolve host: ...

So, I don't think DNS is the issue.
It's more like the outbound firewall rules are blocking it.

3 Likes

Yeah, @rg305 you and @MikeMcQ are correct! :beers:

2 Likes

Check if your router has a VPN installed and active. If yes, then temporarily turn it off and try again. If this works and you have the new ssl.conf files then turn the VPN back on.

Hello everyone, I managed to solve the first error of could not reach acme-v02.api.letsencrypt.org/directory due to a wrong configuration of public networks in my router.

As for the ports, they are filtered because I only have a public IP and certain router services, apart from those used by my server, are exposed to the Internet.

What does leave me in doubt is that I have configured the Let's Encrypt certificates on my mail server, but I don't know why the expired certificate appears on port 587; I don't know if this is some configuration issue. I currently use Postfix + Dovecot.

If you copied the certificates from /etc/letsencrypt/live into some other location, you have to repeat that on every renewal, as the content of the certificate and key will change every time. You can script that with the --deploy-hook option.

4 Likes
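As an added example (not code from the thread or from certbot), a deploy hook of the kind the reply above describes: after each renewal it refreshes the copies that Postfix and Dovecot read, and it provides a check for copies that were never refreshed, which is what an expired certificate on 465/587 next to a valid one on 443 usually means. The destination directories /etc/postfix/tls and /etc/dovecot/tls and the service names are assumptions; adjust them to the paths in your main.cf and 10-ssl.conf.

```shell
#!/bin/bash
# Added example certbot deploy hook (not from the thread). certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.example) when it runs a
# --deploy-hook after a successful renewal. The destination paths
# /etc/postfix/tls and /etc/dovecot/tls are assumed.
set -eu

# Copy fullchain.pem and privkey.pem from a lineage directory into dest.
# Each file is written under a temporary name and then renamed, so a daemon
# reloading in the middle of the copy never reads a truncated key.
install_mail_certs() {
    lineage="$1"
    dest="$2"
    mkdir -p "$dest"
    install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    install -m 0600 "$lineage/privkey.pem" "$dest/privkey.pem.tmp"
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# Succeeds only if both copies in dest are byte-identical to the live lineage.
# Useful as a cron or monitoring check: a stale copy is exactly the failure
# mode that leaves an expired certificate on the mail ports.
copy_is_current() {
    lineage="$1"
    dest="$2"
    cmp -s "$lineage/fullchain.pem" "$dest/fullchain.pem" &&
        cmp -s "$lineage/privkey.pem" "$dest/privkey.pem"
}

# certbot sets RENEWED_LINEAGE only when it invokes the hook after a renewal;
# sourcing this file without it performs no deployment.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_mail_certs "$RENEWED_LINEAGE" /etc/postfix/tls
    install_mail_certs "$RENEWED_LINEAGE" /etc/dovecot/tls
    # Reload so the daemons on 465/587 (Postfix) and 993 (Dovecot) pick up
    # the new files instead of keeping the old certificate in memory.
    systemctl reload postfix
    systemctl reload dovecot
fi
```

Register it with certbot renew --deploy-hook /path/to/this-script.sh (or drop it in /etc/letsencrypt/renewal-hooks/deploy/), and it runs only on renewals that actually produced a new certificate.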

After a long reading of documentation in forums I found the causes of my connection problems, and then everything shared in this thread helped me to solve the problem. Thanks to everyone.

1 Like

It would be great if you could describe the solution.
So that others, in the same situation, could use that same solution to solve their problem.

4 Likes

To solve the issue of port filtering in a MikroTik router I suggest the following video: Cómo abrir el puerto en el enrutador Mikrotik - YouTube

Result:

For a correct configuration of SSL certificates with Postfix:

main.cf (Postfix):

10-ssl.conf (Dovecot):

And as advice: never use public IP ranges as an internal network.

1 Like
