Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable

My domain is:
tsm.asoco.com.cn

I ran this command:

certbot-auto certonly -d tsm.asoco.com.cn --manual --preferred-challenges dns --manual-auth-hook "/root/downloads/au-hook/au.sh python aly add" --manual-cleanup-hook "/root/downloads/au-hook/au.sh python aly clean" --no-self-upgrade

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
An unexpected error occurred:
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
Please see the logfiles in /var/log/letsencrypt for more details.

And here's the logfile:

2020-09-22 20:09:29,325:DEBUG:certbot._internal.main:certbot version: 1.7.0
2020-09-22 20:09:29,325:DEBUG:certbot._internal.main:Arguments: ['-d', 'tsm.asoco.com.cn', '--manual', '--preferred-challenges', 'dns', '--manual-auth-hook', '/root/downloads/au-hook/au.sh python aly add', '--manual-cleanup-hook', '/root/downloads/au-hook/au.sh python aly clean', '--no-self-upgrade']
2020-09-22 20:09:29,325:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-22 20:09:29,341:DEBUG:certbot._internal.log:Root logging level set at 20
2020-09-22 20:09:29,341:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-09-22 20:09:29,342:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2020-09-22 20:09:29,348:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot._internal.plugins.manual:Authenticator
Initialized: <certbot._internal.plugins.manual.Authenticator object at 0x7fa5cf03bbd0>
Prep: True
2020-09-22 20:09:29,348:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.manual.Authenticator object at 0x7fa5cf03bbd0> and installer None
2020-09-22 20:09:29,348:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator manual, Installer None
2020-09-22 20:09:29,352:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/44762826', new_authzr_uri=None, terms_of_service=None), 9ce34600edd53200bf5d195805d616aa, Meta(creation_host=u'localhost.localdomain', register_to_eff=None, creation_dt=datetime.datetime(2018, 10, 30, 7, 53, 45, tzinfo=)))>
2020-09-22 20:09:29,353:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-09-22 20:09:29,354:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2020-09-22 20:10:14,407:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py", line 1357, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py", line 1220, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py", line 610, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/client.py", line 256, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/client.py", line 43, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/acme/client.py", line 831, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/acme/client.py", line 1168, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/acme/client.py", line 1140, in _send_request
    raise ValueError("Requesting {0}{1}:{2}".format(host, path, err_msg))
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
2020-09-22 20:10:14,408:ERROR:certbot._internal.log:An unexpected error occurred:
2020-09-22 20:10:14,409:ERROR:certbot._internal.log:ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable

The operating system my web server runs on is (include version):
CentOS Linux release 7.5.1804 (Core)

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.7.0

Ping to acme-v02.api.letsencrypt.org is OK, but it doesn't work when I telnet to acme-v02.api.letsencrypt.org on port 80 or 443

[root@localhost ~]# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248: icmp_seq=1 ttl=47 time=205 ms
64 bytes from 172.65.32.248: icmp_seq=2 ttl=48 time=203 ms
64 bytes from 172.65.32.248: icmp_seq=3 ttl=47 time=206 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 11216ms
rtt min/avg/max/mdev = 203.120/205.277/206.953/1.684 ms
[root@localhost ~]# telnet -d acme-v02.api.letsencrypt.org 443
Trying 172.65.32.248...
telnet: connect to address 172.65.32.248: Connection timed out
[root@localhost ~]# traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 192.168.60.1 (192.168.60.1) 2.863 ms 2.877 ms 3.037 ms
2 192.168.23.1 (192.168.23.1) 5.562 ms 5.880 ms 6.155 ms
3 192.168.11.1 (192.168.11.1) 1.507 ms 1.526 ms 1.521 ms
4 111.3.68.225 (111.3.68.225) 8.822 ms 9.155 ms 9.718 ms
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
[root@localhost ~]#

That is the problem, which may be corrected in your firewall's outbound allowed settings.

Just a completely wild guess, but is there any chance that your server has an IPv6 address (and so thinks it should be taking the IPv6 route to letsencrypt) but doesn't actually have working IPv6 connectivity? I wonder if something like that would give you a "Network is unreachable" message.

A good and logical possibility, but the post shows ping and telnet both failing while using an IPv4 address.

I thought it was showing ping working to the IPv4 address. Some systems have "ping" only use IPv4 and one needs to use "ping6" to test IPv6, though I don't know if the system here is one of them.

OK, I can see how that might still be the case with ping (good to know).
But I don't think there is a telnet6, so that would fail that test.

So they need to test outbound connections to port 443.


The server doesn't have a usable IPv6 address; fe80 should be a local address?

[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 62:26:b2:b8:c4:83 brd ff:ff:ff:ff:ff:ff
inet 192.168.60.142/24 brd 192.168.60.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::6026:b2ff:feb8:c483/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# ping6 acme-v02.api.letsencrypt.org
connect: Network is unreachable
[root@localhost ~]# curl -v https://acme-v02.api.letsencrypt.org/directory
*About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*Trying 172.65.32.248...
*Connection timed out
*Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
*Failed to connect to 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
*Failed connect to acme-v02.api.letsencrypt.org:443; Network is unreachable
*Closing connection 0
curl: (7) Failed to connect to 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable

And according to the output of curl, maybe the "Network is unreachable" of

ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable

comes from that?

But I still don't think it's due to IPv6; during the request of acme-v02.api.letsencrypt.org/directory, is IPv4 used first?


I agree, IPv4 was tried first and that failed.
The next place to look is the firewall(s).
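
Added example, not part of any post in this thread: a per-address TCP probe for port 443 that records the outcome for every resolved address, so an IPv4 timeout is not hidden behind a later IPv6 "Network is unreachable" the way it is in the last line of the curl output above. The function names and SAMPLE_ADDRS are assumptions made for this example; the two sample addresses are the ones shown in the thread's output.

```python
import errno
import socket
import sys

# Constructed sample: the two addresses curl tried in the thread, in that order.
SAMPLE_ADDRS = [
    (socket.AF_INET, ("172.65.32.248", 443)),
    (socket.AF_INET6, ("2606:4700:60:0:f53d:5624:85c7:3a2c", 443, 0, 0)),
]

def resolve(host, port=443):
    infos = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)
    return [(info[0], info[4]) for info in infos]  # (family, sockaddr), resolver order

def tcp_connect(family, sockaddr, timeout=10):
    """Real connector: one TCP handshake, then close."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        sock.settimeout(timeout)
        sock.connect(sockaddr)
    finally:
        sock.close()

def classify(exc):
    code = getattr(exc, "errno", None)
    if isinstance(exc, (socket.timeout, TimeoutError)) or code == errno.ETIMEDOUT:
        return "timeout"      # SYNs dropped on the path: look at outbound filtering
    if code in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "no-route"     # no usable route for this address family
    if code == errno.ECONNREFUSED:
        return "refused"
    return "error"

def probe(addrs, connect=tcp_connect):
    """Try every address and keep each outcome, not just the final error."""
    results = []
    for family, sockaddr in addrs:
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        try:
            connect(family, sockaddr)
            results.append((label, sockaddr[0], "ok"))
        except OSError as exc:
            results.append((label, sockaddr[0], classify(exc)))
    return results

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "acme-v02.api.letsencrypt.org"
    for label, addr, status in probe(resolve(host)):
        print("%-4s %-40s %s" % (label, addr, status))
```

A "timeout" on the IPv4 line next to "no-route" on the IPv6 line reproduces the situation in this thread: the IPv4 path is being filtered and IPv6 was never usable.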

OK, I will raise an issue to my ISP.
Thx~
