Renewals that worked for several years now fails with failure reaching acme-v02.api.letsencrypt.org:443

trellus · November 18, 2023, 6:10pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.texascooking.com

I ran this command: C:\WinACME\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

It produced this output:

Sat 11/18/2023 11:31:12.56

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.0.4.227 (RELEASE)
[INFO] IIS version 7.5
[INFO] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

[INFO] Renewing certificate for [IISSite] Texas Cooking Sawyer (New Site)
[EROR] SocketException: A connection attempt failed because the connected party
did not properly respond after a period of time, or established connection fail
ed because connected host has failed to respond 172.65.32.248:443
[EROR] Renewal for [IISSite] Texas Cooking Sawyer (New Site) failed, will retry
on next run
[INFO] Sending e-mail with subject Error processing certificate renewal to ops@
texascooking.com

My web server is (include version): IIS 7.5

The operating system my web server runs on is (include version): Windows Server 2008 R2

My hosting provider, if applicable, is: GigeNET

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Windows ACMEv2 2.0.4.227

I also receive "request timed out" when pinging acme-v02.api.letsencrypt.org from the server, but receive responses just fine when pinging it from my own computer directly, so there seems to definitely be some kind of block of the IP or something.

MikeMcQ · November 18, 2023, 8:08pm

That is very old. Are you sure it supports tls 1.2?

trellus · November 18, 2023, 9:02pm

Yes, it is quite old -- but this same configuration has worked for years, including just a few months ago - what would have changed? I can't even PING it, so I don't think it has anything to do with TLS, since it never even gets that far.

Osiris · November 18, 2023, 9:24pm

Might be as simple as incorrect routing of the private IPv4 space 172.16.0.0/12. We've seen multiple times where network operators would have their local IPv4 space incorrectly configured (e.g. use 172.0.0.0/8 as local IP space).

You should do some traceroutes to see where the block is.

trellus · November 18, 2023, 9:29pm

It's far more basic than that - I had already done a trace route and just like the ping, it is a total failure -- the trace route never gets ANYWHERE, so it's not being blocked "somewhere", it is just flat out failing. On the other hand, there is no problem at all running trace routes or pings from my computer.

 [INFO] Please report issues at https://github.com/PKISharp/win-acme

 [INFO] Renewing certificate for [IISSite] Texas Cooking Sawyer (New Site)
 [EROR] SocketException: A connection attempt failed because the connected party
 did not properly respond after a period of time, or established connection failed 
 because connected host has failed to respond 172.65.32.248:443
 [EROR] Renewal for [IISSite] Texas Cooking Sawyer (New Site) failed, will retry
 on next run
 [INFO] Sending e-mail with subject Error processing certificate renewal to ops@
texascooking.com

C:\WinACME>ping acme-v02.api.letsencrypt.org

Pinging ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com [172.65.32.248] with 3
2 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.65.32.248:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\WinACME>tracert acme-v02.api.letsencrypt.org

Tracing route to ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com [172.65.32.24
8]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *     ^C```

petercooperjr · November 18, 2023, 9:34pm

So then it does sounds like your computer doesn't know how to contact the IP. Can it get to (or ping) other servers (Google, Cloudflare, etc.)? Can you look at the routing table? I'm not completely sure of the command on that particular version of Windows, but maybe route print and/or netsh int ipv4 show route?

trellus · November 18, 2023, 9:35pm

I don't think that's it -- according to the linked API Announcement, I would get a specific error message, and I don't get that, I get a timeout connecting, just as I would expect given that even PINGS and TRACEROUTEs fail.

Instead, what I get is a timeout on that server, whereas on my computer I get a nice message served up by the web server.

trellus · November 18, 2023, 9:40pm

Here is what route print outputs:

===========================================================================
Interface List
 20...ba 5a f7 ef 52 65 ......Realtek RTL8139C+ Fast Ethernet NIC #3
 19...e0 65 0a 3c 65 6b ......Realtek RTL8139C+ Fast Ethernet NIC #2
 18...d0 6b 42 37 52 0b ......Realtek RTL8139C+ Fast Ethernet NIC
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 11...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
 10...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       66.55.82.1      66.55.82.11    276
          0.0.0.0          0.0.0.0      10.60.101.1    10.60.101.191     20
         10.0.0.0        255.0.0.0      10.60.101.1    10.60.101.191     21
      10.60.101.0    255.255.255.0         On-link     10.60.101.191    276
    10.60.101.191  255.255.255.255         On-link     10.60.101.191    276
    10.60.101.255  255.255.255.255         On-link     10.60.101.191    276
       66.55.82.0  255.255.255.128         On-link       66.55.82.11    276
      66.55.82.11  255.255.255.255         On-link       66.55.82.11    276
     66.55.82.127  255.255.255.255         On-link       66.55.82.11    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link   169.254.181.170    276
  169.254.181.170  255.255.255.255         On-link   169.254.181.170    276
  169.254.255.255  255.255.255.255         On-link   169.254.181.170    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       66.55.82.11    276
        224.0.0.0        240.0.0.0         On-link     10.60.101.191    276
        224.0.0.0        240.0.0.0         On-link   169.254.181.170    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       66.55.82.11    276
  255.255.255.255  255.255.255.255         On-link     10.60.101.191    276
  255.255.255.255  255.255.255.255         On-link   169.254.181.170    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.0        255.0.0.0      10.60.101.1       1
          0.0.0.0          0.0.0.0       66.55.82.1  Default 
          0.0.0.0          0.0.0.0       66.55.82.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 10   1026 ::/0                     2002:c058:6301::1
 10   1040 ::/0                     2002:c058:6301::c058:6301
  1    306 ::1/128                  On-link
 18     28 2001:1850:1:0:107::/121  On-link
 10   1025 2002::/16                On-link
 10    281 2002:4237:520b::4237:520b/128
                                    On-link
 18    276 fe80::/64                On-link
 19    276 fe80::/64                On-link
 20    276 fe80::/64                On-link
 18    276 fe80::1d90:9b4a:2fc3:1681/128
                                    On-link
 19    276 fe80::44d1:4091:12db:8479/128
                                    On-link
 20    276 fe80::edf4:6b9a:ac0e:b5aa/128
                                    On-link
  1    306 ff00::/8                 On-link
 18    276 ff00::/8                 On-link
 19    276 ff00::/8                 On-link
 20    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

petercooperjr · November 18, 2023, 9:45pm

Just to add another mystery, if your server has working IPv6 access, why is it trying to connect to the Let's Encrypt API over IPv4?

trellus · November 18, 2023, 9:45pm

I have no idea. That's beyond my paygrade.

rg305 · November 18, 2023, 11:46pm

^^ That [combined with other facts given] is clearly a routing issue.

^^ That makes it look like this is a "new site" cert.
[either way - not part of the problem]

^^ This shows that your can't tracert to that IP.

What shows? "`tracert -d www.google.com`"

trellus:

===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.0        255.0.0.0      10.60.101.1       1
          0.0.0.0          0.0.0.0       66.55.82.1  Default 
          0.0.0.0          0.0.0.0       66.55.82.1       1
===========================================================================

^^ This shows the routing problem is somewhere within/behind IP 66.55.82.1.
[no routing problem shown within your server]
It also shows the 0/0 route twice - which is a bit strange/unexpected, but not problematic.

system · December 18, 2023, 11:47pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Renewal stuck on connecting to acme-v02.api.letsencrypt.org Help	7	2025	August 28, 2022
Unable to renew cert Help	1	576	January 1, 2021
Acme-v2 warning vs. acme-v1 Help	7	4195	March 21, 2020
Renewal is failing status 400 Help	2	1101	June 10, 2022
Certificate renewal failed for second-level domain Help	4	725	December 18, 2021

Renewals that worked for several years now fails with failure reaching acme-v02.api.letsencrypt.org:443

What shows? "tracert -d www.google.com"

Related topics

What shows? "`tracert -d www.google.com`"