Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable

Hi, I ran into a similar issue for this topic

and I think my IP subnets could be blocked.

I have tried everything in the post and can't get it working. The issue persists for an entire subnet (multiple subnets actually), so I don't think it is something related to a single server or configuration.

I also offer hosting services and maybe a misuse of those IPs could have led to the block.

If you could help me by checking the filtering of those IPs I would be immensely grateful.
The subnets are:

185.203.127.0/27
185.49.57.128/26
185.49.57.80/28
185.203.125.0/25
185.203.125.128/25

If I run

curl -v ping acme-v02.api.letsencrypt.org

* processing: ping
* Could not resolve host: ping
* Closing connection
curl: (6) Could not resolve host: ping
* processing: acme-v02.api.letsencrypt.org
*   Trying 172.65.32.248:80...
*   Trying [2606:4700:60:0:f53d:5624:85c7:3a2c]:80...
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network Unreachable

That should be:
curl -v acme-v02.api.letsencrypt.org

Try these:
traceroute -T -p 443 www.google.com
traceroute -T -p 443 acme-v02.api.letsencrypt.org

4 Likes

Doubtful.
I think there is a routing problem at your end.

5 Likes

That should be
curl -v https://acme-v02.api.letsencrypt.org

That endpoint only supports HTTPS.

3 Likes

traceroute -T -p 443 www.google.com
traceroute to www.google.com (142.250.180.164), 30 hops max, 60 byte packets
1 _gateway (10.0.0.1) 0.415 ms 0.312 ms 0.246 ms
2 10.2.0.1 (10.2.0.1) 0.581 ms 0.483 ms 0.414 ms
3 10.204.1.1 (10.204.1.1) 1.008 ms 1.274 ms 1.478 ms
4 10.190.104.9 (10.190.104.9) 1.792 ms 1.732 ms 2.179 ms
5 10.190.1.5 (10.190.1.5) 2.177 ms 2.068 ms 2.053 ms
6 46.31.105.97 (46.31.105.97) 2.496 ms 1.738 ms 1.813 ms
7 46.31.104.97 (46.31.104.97) 3.485 ms 3.388 ms 3.401 ms
8 46.31.104.123 (46.31.104.123) 10.323 ms 9.917 ms 10.280 ms
9 google.mix-it.net (217.29.66.96) 10.544 ms 10.081 ms 11.704 ms
10 192.178.104.189 (192.178.104.189) 11.141 ms 192.178.104.101 (192.178.104.101) 10.304 ms 192.178.104.189 (192.178.104.189) 11.021 ms
11 142.250.211.23 (142.250.211.23) 11.066 ms 142.250.211.21 (142.250.211.21) 9.953 ms 15.820 ms
12 mil04s44-in-f4.1e100.net (142.250.180.164) 15.308 ms 15.733 ms 15.670 ms

traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 _gateway (10.0.0.1) 0.411 ms 0.386 ms 0.376 ms
2 * * *
3 * * *
4 * * *
..
30 * * *

Unfortunately I get an immediate fail.

curl -v https://acme-v02.api.letsencrypt.org

*   Trying 172.65.32.248:443...
* TCP_NODELAY set
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...

This indicates

5 Likes

This looks like that gateway doesn't know how to route packets to Let's Encrypt's IP. Sometimes because they are using an IP that's "nearby" the private 172.16.0.0/12 block, a misconfiguration in a firewall or routing table makes it think that it's supposed to be directing packets somewhere locally when really it should be trying to send them to the public Internet.

And that indicates that your IPv6 connectivity is broken.

Fixing either your IPv4 or IPv6 connectivity would probably be enough for you to get to Internet sites like Let's Encrypt's, though fixing both would of course be ideal.

6 Likes
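The failure mode described in the reply above (a "local" firewall or route entry written too broadly, so that Let's Encrypt's public 172.65.32.248 gets treated as RFC 1918 space) is easy to reproduce and to audit for offline. The script below is an added illustration, not code from this thread or from Let's Encrypt; the two route tables are constructed samples (a broken one using 172.0.0.0/8 for the LAN, and the corrected one using 172.16.0.0/12), and the next-hop names "lan" and "isp-uplink" are placeholders. It does longest-prefix matching the way a forwarding table would, and then audits every "local" entry for public address space it swallows.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private address blocks.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample tables of (prefix, next hop). The broken one reproduces the
# mistake discussed in the thread: a /8 written where a /12 was intended.
BROKEN_ROUTES = [
    ("10.0.0.0/8", "lan"),
    ("172.0.0.0/8", "lan"),        # too broad: also covers public 172.x space
    ("192.168.0.0/16", "lan"),
    ("0.0.0.0/0", "isp-uplink"),   # default route
]

FIXED_ROUTES = [
    ("10.0.0.0/8", "lan"),
    ("172.16.0.0/12", "lan"),      # correct RFC 1918 prefix
    ("192.168.0.0/16", "lan"),
    ("0.0.0.0/0", "isp-uplink"),
]

# IPv4 address that appears in the thread's traceroute output.
LE_ACME_V4 = "172.65.32.248"


def is_rfc1918(ip):
    """True if ip falls inside any RFC 1918 private block."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def longest_prefix_match(ip, routes):
    """Return the next hop chosen for ip by longest-prefix match, or None."""
    addr = ip_address(ip)
    best = None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def audit_local_routes(routes, local_hop="lan"):
    """Flag routes pointing at local_hop that cover non-RFC-1918 address space.

    Returns a list of (prefix, [public chunks it wrongly claims]) tuples.
    """
    findings = []
    for prefix, hop in routes:
        if hop != local_hop:
            continue
        leftover = [ip_network(prefix)]
        # Carve every private block out of the prefix; whatever remains is public.
        for priv in RFC1918:
            carved = []
            for chunk in leftover:
                if chunk.subnet_of(priv):
                    continue                      # entirely private: drop it
                if priv.subnet_of(chunk):
                    carved.extend(chunk.address_exclude(priv))
                else:
                    carved.append(chunk)          # disjoint: keep as is
            leftover = carved
        if leftover:
            findings.append((prefix, [str(c) for c in sorted(leftover)]))
    return findings


if __name__ == "__main__":
    print("RFC 1918?", LE_ACME_V4, is_rfc1918(LE_ACME_V4))
    for name, table in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        print(name, "->", longest_prefix_match(LE_ACME_V4, table),
              "| audit:", audit_local_routes(table))
```

With the broken table the ACME address is handed to the LAN next hop, which matches the thread's traceroute dying after the first gateway; with the fixed table it goes to the uplink and the audit reports nothing. The audit step is the useful part for a defender: running it against a dumped route or firewall table lists exactly which public chunks a mis-sized "local" prefix is capturing.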

Hi, I thoroughly checked my firewall configs and there was a misconfiguration due to a local 172.16.xx subnet, as you suggested.

Thanks for the help. Appreciate that.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.