[Solved] Unable to access https://acme-staging-v02.api.letsencrypt.org/directory

Hi All,

We’ve run into a small issue where we cannot access https://acme-staging-v02.api.letsencrypt.org/directory from our IP block to issue or to renew SSL certs via certbot/acme.sh (or even plain old wget/curl does not work).

We can ping and get responses for HTTP however, for HTTPS we do not get any responses and the certificate issuance times out and fails.

The same issue exists if we tried https://acme-staging-v02.api.letsencrypt.org/directory.

Our IP block is 103.x.x.x/25

If we change our IP to something out of this block, say for example 180.x.x.x there are no issues and we can issue/renew the certificates without any issues.

Furthermore, we’re able to use buypass.com with 103.x.x.x/25 without any issues.

We’ve a few servers on this netblock that has upcoming renewals and would like to resolve this issue before that :slight_smile:

Thanks in advance.

1 Like

Can you try drop MTU to 1300? Though I understand that your other block doesn’t have the problem, the path might not be the same for both and MTU breaks somewhere along the way tend to affect TLS more than cleartext traffic.

1 Like

Can you proxy your requests via multiple proxies (round robin)?

You’re right on the money mate. After dropping to 1300 works without any issues. I will check the others as well and update here.

1 Like

Unless you can add that to your script, you are “adjusting” production systems…
Even then you are still doing it just momentarily.

1 Like

Thanks rg305, yes I now need to fix the production systems using this netblock cos we found out there’s a limitation with the upstream route.

We had several issues with other services as well and this was right on the money.

1 Like

here is a “workaround”
if you have a clear sight to another trusted system running nginx
add all below to end of nginx.conf
or just add server section to an already exising stream section
then “redirect” acme-staging-v02.api.letsencrypt.org via hosts file
or via a locally managed DNS system to your “proxy”.
you will connect to acme server "in"directly but without TLS inspection and without MiTM.

stream {
  server {
    listen 12345;                                        #any UNUSED local port allowed through firewall
    proxy_pass acme-staging-v02.api.letsencrypt.org:443; #proxies all requests to the actual server
  }#server
}#stream
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.