Sever can't access Letsencrypt

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:khulisa.com - server failing is proxy.khulisa.com

I ran this command:certbot renew

It produced this output:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Attempting to renew cert (tangerine.khulisa.com) from /etc/letsencrypt/renewal/tangerine.khulisa.com.conf produced an unexpected error: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable. Skipping.

Processing /etc/letsencrypt/renewal/www.dfbakery.co.za.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Attempting to renew cert (www.dfbakery.co.za) from /etc/letsencrypt/renewal/www.dfbakery.co.za.conf produced an unexpected error: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tangerine.khulisa.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.dfbakery.co.za/fullchain.pem (failure)

My web server is (include version):nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Explanation
I realise this has been posted numerous times but either topic peters out with no conclusion or it is not a solution to my issue. It would appear my server is being denied access to Letsencrypt.
Setup is a Nginx reverse proxy that has 1 site being served directly and 3 servers proxied. About a week ago I got an email stating that one of the proxied sites certs were about to expire. Running a renew produces the above error.

I can’t ping acme-v02.api.letsencrypt.org from the proxy server but I can ping it from one of servers being proxied. Output of ping

root@odk:~#ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=58 time=1.89 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=58 time=2.03 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=3 ttl=58 time=1.99 ms

root@proxy:~# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
^C
— ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics —
39 packets transmitted, 0 received, 100% packet loss, time 38899ms

Output of curl
root@odk:~# curl https://acme-v02.api.letsencrypt.org/directory
{
“MRuS7adnlwA”: “Adding random entries to the directory”,
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
“letsencrypt.org”
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org”
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“revokeCert”: https://acme-v02.api.letsencrypt.org/acme/revoke-cert

root@proxy:~# curl https://acme-v02.api.letsencrypt.org/directory
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

I have tried changing the IP of the Proxy server but it didn’t help. Is there any other info I can provide for assistance?

1 Like
2

What does “curl -v https://acme-v02.api.letsencrypt.org/directory” show on both systems?

1 Like
3

I only pasted the first few lines from Proxy as it seemed like it would go indefinitely

root@odk:~# curl -v https://acme-v02.api.letsencrypt.org/directory

  • Trying 172.65.32.248...
  • TCP_NODELAY set
  • Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: CN=acme-v01.api.letsencrypt.org
  • start date: Feb 6 18:06:22 2020 GMT
  • expire date: May 6 18:06:22 2020 GMT
  • subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
  • issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • Using Stream ID: 1 (easy handle 0x555926715580)

GET /directory HTTP/2
Host: acme-v02.api.letsencrypt.org
User-Agent: curl/7.58.0
Accept: /

root@proxy:~# curl -v https://acme-v02.api.letsencrypt.org/directory

  • Trying 172.65.32.248...
  • TCP_NODELAY set
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
1 Like
4

I believe that you successfully tested to reach other sites than the ACME boulder server from your proxy, don’t you? (both IPv4 and IPv6)

5

I had not tried that. It seems a mixed bag. I could ping answers.microsoft.com from the other server

root@proxy:~# ping cloud.ibm.com
PING cloud.ibm.com (104.75.215.93) 56(84) bytes of data.
64 bytes from a104-75-215-93.deploy.static.akamaitechnologies.com (104.75.215.93): icmp_seq=1 ttl=59 time=2.13 ms
64 bytes from a104-75-215-93.deploy.static.akamaitechnologies.com (104.75.215.93): icmp_seq=2 ttl=59 time=2.40 ms
64 bytes from a104-75-215-93.deploy.static.akamaitechnologies.com (104.75.215.93): icmp_seq=3 ttl=59 time=2.20 ms
^C
— cloud.ibm.com ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.139/2.248/2.403/0.118 ms
root@proxy:~# ping answers.microsoft.com
PING e763.b.akamaiedge.net (104.127.116.31) 56(84) bytes of data.
^C
— e763.b.akamaiedge.net ping statistics —
4 packets transmitted, 0 received, 100% packet loss, time 3066ms

root@proxy:~# ping dailymail.co.uk
PING dailymail.co.uk (104.82.240.122) 56(84) bytes of data.
64 bytes from a104-82-240-122.deploy.static.akamaitechnologies.com (104.82.240.122): icmp_seq=1 ttl=49 time=174 ms
64 bytes from a104-82-240-122.deploy.static.akamaitechnologies.com (104.82.240.122): icmp_seq=2 ttl=49 time=174 ms
64 bytes from a104-82-240-122.deploy.static.akamaitechnologies.com (104.82.240.122): icmp_seq=3 ttl=49 time=174 ms
^C
— dailymail.co.uk ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 174.548/174.689/174.774/0.355 ms

6

What about test result using ping6?
What does curl -4 -v https://acme-v02.api.letsencrypt.org/directory shows on the system proxy?

7

curl
root@proxy:~# curl -4 -v https://acme-v02.api.letsencrypt.org/directory

  • Trying 172.65.32.248…
  • TCP_NODELAY set
    ^C
    root@proxy:~#

It just seems to hang there so I cancelled. ipv6 is not setup on either system

8

Does the curl working to other sites, or only the ping on the system proxy?
For example curl -v http://dailymail.co.uk?

9

Again a mixed bag. Didn't work to dailymail.co.uk or www.anandtech.com but worked to local odk system and www.mg.co.za.

root@proxy:~# curl -v http://www.anandtech.com

root@odk:~# curl -v http://www.anandtech.com

GET / HTTP/1.1
Host: www.anandtech.com
User-Agent: curl/7.58.0
Accept: /

< HTTP/1.1 301 Moved Permanently
< Server: AkamaiGHost
< Content-Length: 0
< Location: https://www.anandtech.com/
< Date: Fri, 21 Feb 2020 15:44:02 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=3600
<

odk system curl works to all 4 sites, do you want more output?

10

I notice both dailymail.co.uk and www.anandtech.com seem to be hosted by Akamai

root@odk:~# curl -v http://www.anandtech.com

GET / HTTP/1.1
Host: www.anandtech.com
User-Agent: curl/7.58.0
Accept: /

< HTTP/1.1 301 Moved Permanently
< Server: AkamaiGHost
< Content-Length: 0
< Location: https://www.anandtech.com/
< Date: Fri, 21 Feb 2020 16:00:40 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=3600
<

Is the proxy server maybe being blocked?

11

I can now access other Akamai sites from proxy.khulisa.com. Curl runs successfully against www.anandtech.com and dailymail.co.uk but still does not against https://acme-v02.api.letsencrypt.org/directory

Odk.khulisa.com can access https://acme-v02.api.letsencrypt.org/directory

root@proxy:/etc/letsencrypt# curl -4 -v https://acme-v02.api.letsencrypt.org/directory

GET / HTTP/1.1
Host: www.anandtech.com
User-Agent: curl/7.58.0
Accept: /

< HTTP/1.1 301 Moved Permanently
< Server: CloudFront
< Date: Wed, 26 Feb 2020 12:00:56 GMT
< Content-Type: text/html
< Content-Length: 183
< Connection: keep-alive
< Location: https://www.anandtech.com/
< X-Cache: Redirect from cloudfront
< Via: 1.1 51d16867ea09d1b4c52eca0e090ad4a3.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: AMS54-C1
< X-Amz-Cf-Id: cs7QzemkfWUdi8r-KKHydSbsS6rZeq0ebMKcShd8o-l-VW2qRjq92Q==
<

301 Moved Permanently

301 Moved Permanently

CloudFront * Connection #0 to host www.anandtech.com left intact
12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.