[SOLVED] Failed to connect to acme-v02.api.letsencrypt.org port 443 after 3064 ms: Couldn't connect to server

I'm trying to get a certificate for the domain znc.likogan.dev as the owner of the domain likogan.dev.
The VPS I'm using times out when connecting to https://acme-v02.api.letsencrypt.org/directory

My domain is: znc.likogan.dev

My web server is (include version): Node Proxy Manager w/ nginx version: openresty/1.21.4.2

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is: Not applicable (VPS)

I can login to a root shell on my machine (yes or no, or I don't know): Yes, I have root login

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I use Node Proxy Manager

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0

Output from Node Proxy Manager (email has been modified to help fight against email crawlers)

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-15" --agree-tos --authenticator webroot --email "admin (at) likogan (dot) dev" --preferred-challenges "dns,http" --domains "znc.likogan.dev" 
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

ping 172.65.32.248

root@lduslvp84:~# ping 172.65.32.248
PING 172.65.32.248 (172.65.32.248) 56(84) bytes of data.
From 172.65.0.1 icmp_seq=1 Destination Host Unreachable
From 172.65.0.1 icmp_seq=2 Destination Host Unreachable
From 172.65.0.1 icmp_seq=3 Destination Host Unreachable
^C
--- 172.65.32.248 ping statistics ---
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5097ms
pipe 4

curl -vvv https://acme-v02.api.letsencrypt.org/directory

root@lduslvp84:~# curl -vvv https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
*   Trying [2606:4700:60:0:f53d:5624:85c7:3a2c]:443...
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
* connect to 172.65.32.248 port 443 failed: No route to host
* Failed to connect to acme-v02.api.letsencrypt.org port 443 after 3064 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443 after 3064 ms: Couldn't connect to server

My DNS server is functional (1.1.1.1, 208.67.222.222, 208.67.220.220) (cloudflare & opendns)
nslookup acme-v02.api.letsencrypt.org

root@lduslvp84:~# nslookup acme-v02.api.letsencrypt.org
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org    canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org        canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name:   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name:   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c

The last time it was known to be working was the 6th of October of this year, just a couple weeks ago.

My home computer works fine connecting to acme-v02.api.letsencrypt.org. Is it possible the IP 209.141.44.84 has been banned? It seems unlikely, but it's the only reason I can think of. Even pings aren't transmitted.

It looks like your system can't connect to 172.65 addresses. We've seen several cases where computers or networks somehow thought that it was part of their private IP space even though it's actually public IP space (which Let's Encrypt's servers are in). You need to look at your computer's (and/or network's) routing table.

(And it also looks like your system can't connect to IPv6 addresses, which ideally would also be fixed.)


Thank you for pointing this out!

I know why my system, (and likely others,) are having this issue.

The default docker subnet is 172.16.0.0. When you create other networks, you can specify which subnet you want. I had made a docker network with the subnet 172.65.0.0/24. It's trying to route the connection through my docker network!


Well, that would do it, yes. And for others having the issue, whether docker is involved or not, they similarly somehow thought it was an IP they could use, but of course that prevents them from connecting to public IPs in that space.


172.31 is private

172.32 and so on is definitely not private.


Thanks! I'll make sure to never make a docker host above 172.32 again


Or use one of the more "n00b-proof" private IPv4 subnets. The 172.16.0.0/12 range (172.16.0.0 to 172.31.255.255) can be hard to understand for people lacking proper network subnetting skills.

The ranges 192.168.0.0/16 (192.168.0.0 to 192.168.255.255) and 10.0.0.0/8 (10.0.0.0 to 10.255.255.255) are simpler in that matter.

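The two checks the replies above boil down to (is this bridge subnet really inside RFC 1918 space, and which route does the kernel pick for the ACME endpoint) as an added example; this is not code from the thread, Let's Encrypt or Nginx Proxy Manager. It uses only the standard `ipaddress` module. The routing table is constructed to mirror the thread: the `172.65.0.0/16` bridge route, the `br-npm` and `wg0` device names and the `192.168.0.0/24` VPN route are assumptions (the poster quotes a `/24`, which by itself would not contain 172.65.32.248; the exact prefix on their host is not confirmed by the thread).

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# RFC 1918 private IPv4 blocks. A Docker/bridge subnet that is not fully
# inside one of these overlaps public address space and "shadows" real
# hosts there (here: Let's Encrypt's 172.65.32.248 behind Cloudflare).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

Route = Tuple[str, str]  # (destination prefix, output device)

# Constructed routing table shaped like `ip route` on a Debian host.
# The 172.65.0.0/16 bridge, the device names and the wg0 route are assumptions.
ROUTES: List[Route] = [
    ("0.0.0.0/0", "eth0"),         # default route to the provider uplink
    ("172.17.0.0/16", "docker0"),  # Docker's default bridge (private, fine)
    ("172.65.0.0/16", "br-npm"),   # user-defined Docker network in PUBLIC space
    ("192.168.0.0/24", "wg0"),     # assumed VPN subnet, already in use
]


def is_rfc1918(subnet_or_addr: str) -> bool:
    """True only if the whole subnet (or single address) lies inside one
    RFC 1918 block. 172.31.x.x passes, 172.32.x.x and 172.65.x.x do not."""
    net = ipaddress.ip_network(subnet_or_addr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def route_lookup(routes: Sequence[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the same route selection the kernel performs."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, dev), net.prefixlen
    return best


def shadowed_public_destinations(routes: Sequence[Route],
                                 dsts: Sequence[str]) -> List[str]:
    """Public destinations that a non-default local route would swallow.

    A hit means packets for a public host are handed to a bridge/VPN device
    instead of the uplink: exactly the 'No route to host' and
    'Destination Host Unreachable from 172.65.0.1' symptoms in the thread.
    """
    hits = []
    for dst in dsts:
        route = route_lookup(routes, dst)
        if route is None or route[0] == "0.0.0.0/0":
            continue                      # goes out the uplink, nothing wrong
        if not is_rfc1918(dst):
            hits.append(dst)              # public address caught by a local route
    return hits


def free_private_subnet(routes: Sequence[Route], pool: str = "192.168.0.0/16",
                        prefixlen: int = 24) -> Optional[str]:
    """First /prefixlen carved from an RFC 1918 pool that no existing route
    touches; suitable for `docker network create --subnet <result> ...`."""
    if not is_rfc1918(pool):
        raise ValueError(f"{pool} is not RFC 1918 space")
    pool_net = ipaddress.ip_network(pool)
    existing = [ipaddress.ip_network(p) for p, _ in routes if p != "0.0.0.0/0"]
    for cand in pool_net.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(e) for e in existing):
            return str(cand)
    return None


if __name__ == "__main__":
    for s in ("172.17.0.0/16", "172.31.0.0/24", "172.32.0.0/16", "172.65.0.0/24"):
        print(f"{s:16} rfc1918={is_rfc1918(s)}")
    print("172.65.32.248 ->", route_lookup(ROUTES, "172.65.32.248"))
    print("shadowed:", shadowed_public_destinations(
        ROUTES, ["172.65.32.248", "1.1.1.1", "172.17.0.5"]))
    print("safe docker subnet:", free_private_subnet(ROUTES))
```

On the affected host itself, `ip route get 172.65.32.248` shows the route the kernel actually selects (it should name the uplink device, not a `br-` or `docker0` bridge), and `docker network inspect <name>` shows the subnet each Docker network was created with; feeding those prefixes into `ROUTES` above reproduces the check offline.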
