[solved] Probably my addresses was banned

alabor · October 27, 2017, 1:01pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:voice.wiland.ru

I ran this command:
curl https://acme-v01.api.letsencrypt.org/directory
It produced this output:
curl: (35) TCP connection reset by peer
My web server is (include version):

The operating system my web server runs on is (include version):rh 2.6.32-696.el6.x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

rg305 · October 28, 2017, 12:14am

Is this still ongoing and consistent?
Please show the IP resolved for acme-v01.api.letsencrypt.org.
It seems to be working fine from where I'm sitting; at least to IP 23.32.132.37.

schoen · October 28, 2017, 2:34am

It could be related to

if the ACME endpoint also shares an IP address on Akamai with a service that the Russian government is trying to block Internet users from accessing. (This is a different symptom than the person in that thread reported, though.)

alabor · October 30, 2017, 3:30pm

curl_8025021512.pcapng (6.2 KB)

[root@web ~]# traceroute acme-v01.api.letsencrypt.org
traceroute to acme-v01.api.letsencrypt.org (2.23.157.115), 30 hops max, 60 byte packets
1 80.250.215.61 (80.250.215.61) 0.187 ms 0.263 ms 0.217 ms
2 10.129.0.15 (10.129.0.15) 1.097 ms 1.008 ms 1.193 ms
3 176.74.8.80 (176.74.8.80) 17.594 ms 17.520 ms 17.516 ms
4 10.128.0.1 (10.128.0.1) 2.321 ms 2.341 ms 2.345 ms
5 mskn06.msk112.transtelecom.net (217.150.45.178) 3.085 ms 3.113 ms 3.198 ms
6 transtelecom-ic-303467-s-b3.c.telia.net (213.248.99.222) 23.792 ms 21.535 ms 22.970 ms
7 s-b3-link.telia.net (213.248.99.221) 23.265 ms 21.702 ms 22.960 ms
8 2.23.157.115 (2.23.157.115) 22.703 ms 22.664 ms 21.310 ms

[root@web ~]# curl -v -4 https://acme-v01.api.letsencrypt.org/directory

About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
Trying 2.23.157.115…
Connected to acme-v01.api.letsencrypt.org (2.23.157.115) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
NSS error -5961 (PR_CONNECT_RESET_ERROR)
TCP connection reset by peer
Closing connection 0
curl: (35) TCP connection reset by peer

https://eais.rkn.gov.ru/en I checked everything is clean.

There is trace in attachment (do not pay attention that the packets are duplicated, wrote down from two interfaces)

if I change the ip address from another subnet on the same machine, everything works…

bytecamp · October 30, 2017, 3:50pm

There is another thread which had problems with transtelecom: OSCP servers are inaccesible from some servers - #14 by schoen

schoen · October 30, 2017, 4:55pm

Note that the IP addresses that I offered in the other thread were for ocsp.int-x3.letsencrypt.org rather than acme-v01.api.letsencrypt.org, although both are hosted by Akamai. (CDN IP addresses intended for use with one hosted service won't necessarily work for other services hosted by the same CDN, although they might.) A few IP addresses that I can see for acme-v01.api.letsencrypt.org from the United States are

23.77.91.5
2600:1404:27:298::3d5
2600:1404:27:285::3d5

alabor · October 31, 2017, 1:01pm

[root@web ~]# traceroute acme-v01.api.letsencrypt.org
traceroute to acme-v01.api.letsencrypt.org (23.77.91.5), 30 hops max, 60 byte packets
1 80.250.215.61 (80.250.215.61) 0.209 ms 0.192 ms 0.240 ms
2 10.129.0.15 (10.129.0.15) 1.013 ms 1.087 ms 1.188 ms
3 176.74.8.80 (176.74.8.80) 2.233 ms 2.454 ms 2.413 ms
4 ae11-238.RT.MR.MSK.RU.retn.net (87.245.253.81) 2.612 ms 2.567 ms 2.561 ms
5 ae1-5.RT.IRX.FKT.DE.retn.net (87.245.232.245) 38.040 ms 38.141 ms 38.140 ms
6 213.198.77.213 (213.198.77.213) 38.983 ms 37.901 ms 37.806 ms
7 ae-24.r24.frnkge08.de.bb.gin.ntt.net (129.250.3.217) 38.326 ms 38.147 ms 38.076 ms
8 ae-5.r24.londen12.uk.bb.gin.ntt.net (129.250.3.12) 51.603 ms 50.387 ms 51.480 ms
9 ae-8.r02.londen03.uk.bb.gin.ntt.net (129.250.4.22) 50.036 ms 49.930 ms 52.655 ms
10 67.111.22.80.ptr.us.xo.net (67.111.22.80) 50.117 ms 48.941 ms 52.227 ms
11 207.88.13.56.ptr.us.xo.net (207.88.13.56) 177.344 ms 169.366 ms 177.700 ms
12 207.88.12.211.ptr.us.xo.net (207.88.12.211) 188.405 ms 188.352 ms 183.567 ms
13 207.88.12.208.ptr.us.xo.net (207.88.12.208) 168.124 ms 177.552 ms 177.678 ms
14 207.88.13.123.ptr.us.xo.net (207.88.13.123) 177.979 ms 175.641 ms 174.265 ms
15 207.86.208.34 (207.86.208.34) 174.996 ms 174.944 ms 176.900 ms
16 acme-v01.api.letsencrypt.org (23.77.91.5) 171.861 ms 174.190 ms 174.028 ms

[root@web ~]# curl -v -4 https://acme-v01.api.letsencrypt.org/directory

About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
Trying 23.77.91.5…
Connected to acme-v01.api.letsencrypt.org (23.77.91.5) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
NSS error -5961 (PR_CONNECT_RESET_ERROR)
TCP connection reset by peer
Closing connection 0
curl: (35) TCP connection reset by peer

alabor · October 31, 2017, 1:31pm

ocsp.int-x3.letsencrypt.org works without problems
[root@web ~]# curl -v -4 ocsp.int-x3.letsencrypt.org

About to connect() to ocsp.int-x3.letsencrypt.org port 80 (#0)
Trying 188.43.76.81...
Connected to ocsp.int-x3.letsencrypt.org (188.43.76.81) port 80 (#0)

GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: ocsp.int-x3.letsencrypt.org
Accept: /

< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/plain; charset=utf-8
< Content-Length: 0
< Cache-Control: max-age=16317
< Expires: Tue, 31 Oct 2017 18:00:40 GMT
< Date: Tue, 31 Oct 2017 13:28:43 GMT
< Connection: keep-alive
<

Connection #0 to host ocsp.int-x3.letsencrypt.org left intact

alabor · October 31, 2017, 1:43pm

but if I change the ip-address on the same machine from another subnet everything works fine. The route is the same. (see the attachment)changeIP.txt (4.1 KB)

what’s the problem? please help…

rg305 · October 31, 2017, 3:11pm

It seems that one subnet is blocked from accessing 23.77.91.5:443 while the other is not.
This does not appear to be a certificate issue nor a renewal configuration issue.
It seems more like a firewall/network related issue - either at your end or somewhere along the path; hard to say and even harder to troubleshoot when you not anywhere in that path.
Sorry…
But maybe someone else here can help troubleshoot this.

alabor · November 3, 2017, 7:24am

all thanks, the problem was solved. On our node equipment was exposed mtu 1496. Somewhere on the road there was no support for fragmentation, probably in my side.

system · December 3, 2017, 7:24am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Please unblock my IP Address Help	17	989	December 1, 2023
Please check if IP 45.149.128.6 is blocked, please unblock Help	25	2161	January 19, 2022
I think my Server IP is blocked or something Help	11	539	September 15, 2023
Acme.sh: connection reset by peer Help	43	1174	April 13, 2023
IP blocked? reset by peer Help	4	81	April 16, 2025

[solved] Probably my addresses was banned

Related topics