[Solved] Unable to access https://acme-staging-v02.api.letsencrypt.org/directory

gunemalli · October 21, 2019, 12:42am

Hi All,

We’ve run into a small issue where we cannot access https://acme-staging-v02.api.letsencrypt.org/directory from our IP block to issue or to renew SSL certs via certbot/acme.sh (or even plain old wget/curl does not work).

We can ping and get responses for HTTP however, for HTTPS we do not get any responses and the certificate issuance times out and fails.

The same issue exists if we tried https://acme-staging-v02.api.letsencrypt.org/directory.

Our IP block is 103.x.x.x/25

If we change our IP to something out of this block, say for example 180.x.x.x there are no issues and we can issue/renew the certificates without any issues.

Furthermore, we’re able to use buypass.com with 103.x.x.x/25 without any issues.

We’ve a few servers on this netblock that has upcoming renewals and would like to resolve this issue before that

Thanks in advance.

_az · October 21, 2019, 12:53am

Can you try drop MTU to 1300? Though I understand that your other block doesn't have the problem, the path might not be the same for both and MTU breaks somewhere along the way tend to affect TLS more than cleartext traffic.

rg305 · October 21, 2019, 1:00am

Can you proxy your requests via multiple proxies (round robin)?

gunemalli · October 21, 2019, 1:20am

You’re right on the money mate. After dropping to 1300 works without any issues. I will check the others as well and update here.

rg305 · October 21, 2019, 1:23am

Unless you can add that to your script, you are “adjusting” production systems…
Even then you are still doing it just momentarily.

gunemalli · October 21, 2019, 1:29am

Thanks rg305, yes I now need to fix the production systems using this netblock cos we found out there’s a limitation with the upstream route.

We had several issues with other services as well and this was right on the money.

rg305 · October 21, 2019, 1:31am

here is a “workaround”
if you have a clear sight to another trusted system running nginx
add all below to end of nginx.conf
or just add server section to an already exising stream section
then “redirect” acme-staging-v02.api.letsencrypt.org via hosts file
or via a locally managed DNS system to your “proxy”.
you will connect to acme server "in"directly but without TLS inspection and without MiTM.

stream {
  server {
    listen 12345;                                        #any UNUSED local port allowed through firewall
    proxy_pass acme-staging-v02.api.letsencrypt.org:443; #proxies all requests to the actual server
  }#server
}#stream

system · November 20, 2019, 1:31am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.