Server cannot issue Let's Encrypt certificate

Hello Team,

We have an issue with generating Let's Encrypt SSL certificates for the domains of our clients hosted on our server.
The solution used is Plesk under Linux, and at each generation attempt the following error is displayed:


Could not issue an SSL/TLS certificate for vkconsulting.dz
Details

Could not issue a Let's Encrypt SSL/TLS certificate for vkconsulting.dz.

Failed to connect to the Let's Encrypt server https://acme-v02.api.letsencrypt.org.

Please try again later or report the issue to support.

Details

Could not obtain directory: cURL error 7: Failed to connect to 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable (see libcurl - Error Codes)


Several actions have been implemented by our security team:

  • the deactivation of the anti-ddos
  • whitelist of server addresses let’s encrypt,

But the issue still persists, and we highly doubt that the IP of our server is blocked or blocklisted, because another server in the same address pool as this server does not have any problems when generating or renewing.

Below are the results of curl/telnet and also traceroute toward the Let's Encrypt IP 172.65.32.248: there are 2 traceroute tests, with the Plesk Linux ssl1 server that has the issue & Plesk ssl0 with no issue.

Please provide us quick support on the above,

Many thanks !!!

1 Like

Hi @mohamed95, and welcome to the LE community forum :slight_smile:

Your tests are all on IPv4.
But the failure is via IPv6:

Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Addresses: 2606:4700:60:0:f53d:5624:85c7:3a2c
172.65.32.248
Aliases: acme-v02.api.letsencrypt.org
prod.api.letsencrypt.org

Your system is trying to use IPv6 to reach LE.

4 Likes

Hello @rg305 ,

Thank you for your quick response. Yeah, the error message shows that the failure is on IPv6,

but the curl / telnet / traceroute are based on IPv4 and the server cannot reach the Let's Encrypt server IP.

That's why we suspect that there is a block from Let's Encrypt or restrictions are applied to our server IP, since the other Plesk server is not facing the same issue (IPs are on the same subnets, security applied is identical).

Looking forward to your comments ,

1 Like

Then there may be multiple problems [IPv6 and IPv4].

Try:
traceroute -T -p 443 172.65.32.248
traceroute --mtu -enf 5 -T -p 443 172.65.32.248

3 Likes

Hello @rg305,

This is duly noted, we will share the results ASAP.
As I said above, we suspect that there are restrictions from the LE side on our server.

I will revert back shortly,

thank you again

1 Like

Hello, those are the results of the commands for the 2 servers: ssl1 with the issue, and ssl0 with no issue. I can see that the packets are correctly routed on the ssl0 server.

Your feedback will be much appreciated

That confirms you can reach the LE server using IPv4. The error was caused by using IPv6 though. What ACME client are you using to request the cert? Is it the Plesk extension?

Also, what does this show

curl -6 -vvv https://acme-v02.api.letsencrypt.org/directory

Only show first 10 lines or so if the result is an HTTP 200 response

3 Likes

Hello Mike ,

Yes, it is via an extension installed on our Plesk named sslit.

[screenshot: sslit]

For the command, I will revert back soon.

Hello Team,

The result of the curl IPv6 command:

appending your reply

That's the same error you showed from the Plesk extension in your first post.

So, you either need to fix your IPv6 config or find how to make that extension use IPv4 instead.

3 Likes

Does IPv6 work on your system?
If not, you should fix it, or stop using it [remove it].

2 Likes

Hello Team,

Thank you for your response, but we did notice that the blocking to the LE server is random from our Plesk Linux:

sometimes it works and sometimes it doesn't, as you see below, and we highly suspect that there is a block from LE.

We have checked with our security team; all restrictions have been removed in order to check, but unfortunately the issue still persists.

We appreciate your help

1 Like

I'm not sure how a block from LE would result in on/off-like behaviour? If LE blocked your IP address, it just wouldn't work, right?

3 Likes

And, did you ever get the IPv6 problem resolved? Because your first post has your Plesk system trying IPv6.

Let's Encrypt ACME servers have both IPv4 and IPv6 addresses in the DNS. Do you need to tell Plesk not to use the IPv6 address if you don't have your network configured for it? (I saw an old bug in the Plesk extension about this)

2 Likes

Hello Mike ,

The IPv6 service was stopped, but the issue still persists unfortunately.

[screenshot: test_without_IPv6]

Those tests look like intermittent network failures affecting outbound requests.

Your first nc test worked but the second failed
Your first telnet test worked but the second failed
Your one ping test failed

What if you try some other outbound requests like:

curl -I http://one.one.one.one

1 Like
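The posts above hinge on two separate questions: which address family the client is actually using to reach acme-v02.api.letsencrypt.org (the IPv6 "Network is unreachable" that curl reports as error 7 versus a working IPv4 path), and whether a failure is steady (what a firewall rule, a missing route or an LE-side block would look like) or intermittent (what the nc/telnet/ping results in the screenshot look like). The script below is an added example, not code from the thread, from Plesk or from Let's Encrypt: it resolves the host, makes a TCP connect attempt to port 443 on every A and AAAA answer several times, and classifies each family as reachable, unreachable or intermittent. The host, port and the two addresses used in the test are the ones quoted in the thread; the `resolver` and `connector` parameters are my own hooks so the logic can be exercised offline with fakes, and the real run uses `socket.getaddrinfo` and a plain TCP handshake.

```python
import socket
from typing import Callable, Dict, List, Tuple

ACME_HOST = "acme-v02.api.letsencrypt.org"   # host quoted in the thread
ACME_PORT = 443

FAMILY_NAMES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def resolve(host: str, port: int = ACME_PORT,
            resolver: Callable = socket.getaddrinfo) -> Dict[str, List[str]]:
    """Group the host's A/AAAA answers by family, e.g. {"IPv6": [...], "IPv4": [...]}.

    `resolver` defaults to socket.getaddrinfo; a fake can be passed for offline tests."""
    grouped: Dict[str, List[str]] = {}
    for family, _socktype, _proto, _canon, sockaddr in resolver(host, port, 0, socket.SOCK_STREAM):
        name = FAMILY_NAMES.get(family)
        if name is None:          # skip families we do not probe (e.g. AF_UNIX)
            continue
        ip = sockaddr[0]
        if ip not in grouped.setdefault(name, []):
            grouped[name].append(ip)
    return grouped


def tcp_connect(family: int, ip: str, port: int, timeout: float) -> Tuple[bool, str]:
    """One real TCP handshake attempt; a failure here is what curl reports as error 7."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
        return True, "connected"
    except OSError as exc:        # ENETUNREACH ("Network is unreachable"), timeouts, refusals
        return False, exc.strerror or str(exc)


def probe(host: str, port: int = ACME_PORT, attempts: int = 5, timeout: float = 5.0,
          resolver: Callable = socket.getaddrinfo,
          connector: Callable = tcp_connect) -> Dict[str, List[Tuple[str, bool, str]]]:
    """Try every resolved address `attempts` times; return (ip, ok, detail) per family."""
    report: Dict[str, List[Tuple[str, bool, str]]] = {}
    for name, ips in resolve(host, port, resolver).items():
        family = socket.AF_INET6 if name == "IPv6" else socket.AF_INET
        outcomes = []
        for ip in ips:
            for _ in range(attempts):
                ok, detail = connector(family, ip, port, timeout)
                outcomes.append((ip, ok, detail))
        report[name] = outcomes
    return report


def classify(outcomes: List[Tuple[str, bool, str]]) -> str:
    """Steady failure points at routing, firewall or missing IPv6 connectivity;
    mixed results point at an unstable path rather than a block."""
    if not outcomes:
        return "no address"
    successes = sum(1 for _, ok, _ in outcomes if ok)
    if successes == len(outcomes):
        return "reachable"
    if successes == 0:
        return "unreachable"
    return "intermittent"


def diagnose(host: str = ACME_HOST, **kw) -> Dict[str, str]:
    """Verdict per address family for the ACME directory host."""
    return {name: classify(outcomes) for name, outcomes in probe(host, **kw).items()}


if __name__ == "__main__":
    for fam, verdict in diagnose().items():
        print(f"{fam}: {verdict}")
```

Run it on the affected server and on the working one side by side: an "unreachable" verdict for IPv6 together with "reachable" for IPv4 matches the first post's error and means the client only needs to prefer IPv4 (or IPv6 needs fixing); "intermittent" on IPv4 matches the later screenshot and points at the outbound network path, not at a block on the Let's Encrypt side.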

Note that one.one.one.one might return IPv4 and IPv6 addresses:

Name:      one.one.one.one
Addresses: 2606:4700:4700::1111
           2606:4700:4700::1001
           1.1.1.1
           1.0.0.1

A human mind might read one.one.one.one and see an IPv4 address of 1.1.1.1 [only].

1 Like

Will watch. They said they disabled IPv6 and all the other tests defaulted to IPv4. Still, you are right. I probably should have said to try both of these (or used -v to see what was used):

curl -I4 http://one.one.one.one
curl -I6 http://one.one.one.one

2 Likes

Mileage May Vary:
nslookup one.one.one.one familyshield.opendns.com

Name:      one.one.one.one
Addresses: 146.112.61.106
           146.112.61.106
Name:    hit-adult.opendns.com
Address: 146.112.61.106

[Blocked for ADULT content! - LOL]

2 Likes

I'm sure some passes through Cloudflare <g>,
although I doubt the poster is using that DNS server.

@mohamed95 So let's try this domain instead. Just curious about your connections as you have made some changes (this domain also uses Cloudflare):

curl -4 https://ifconfig.co
curl -6 https://ifconfig.co

2 Likes