We’ve run into a small issue where we cannot access https://acme-staging-v02.api.letsencrypt.org/directory from our IP block to issue or to renew SSL certs via certbot/acme.sh (or even plain old wget/curl does not work).
We can ping and get responses for HTTP; however, for HTTPS we do not get any responses, and the certificate issuance times out and fails.
If we change our IP to something out of this block, say, for example, 180.x.x.x, there are no issues and we can issue/renew the certificates without any problems.
Furthermore, we’re able to use buypass.com with 103.x.x.x/25 without any issues.
We have a few servers on this netblock that have upcoming renewals and would like to resolve this issue before then.
Can you try dropping the MTU to 1300? Though I understand that your other block doesn't have the problem, the path might not be the same for both, and MTU breakage somewhere along the way tends to affect TLS more than cleartext traffic.
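To tell a path-MTU problem apart from plain unreachability, the following added diagnostic (not from anyone in this thread) probes the directory host stage by stage, since a TCP connect uses small packets while the TLS handshake needs the server's full-size certificate segments; it also prints the `ping -M do` payload size that matches a 1300-byte MTU. The host name is the one from the thread; the stage names and the 28-byte header constant are this example's own assumptions.

```python
"""Stage-wise reachability probe for an ACME directory host (added diagnostic)."""
import socket
import ssl

ACME_HOST = "acme-staging-v02.api.letsencrypt.org"  # host from the thread
IP_HEADER_AND_ICMP = 28  # 20-byte IPv4 header + 8-byte ICMP header (assumption: IPv4)


def ping_payload_for_mtu(mtu: int) -> int:
    """Largest ICMP payload that fits one unfragmented IPv4 packet of size `mtu`.
    Use it as `ping -M do -s <payload> <host>` to test whether the path carries that MTU."""
    return mtu - IP_HEADER_AND_ICMP


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a TCP connect, then a TLS handshake, each under its own timeout.
    Records which stage succeeded so the failure can be located."""
    result = {"tcp": False, "tls": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True  # SYN/SYN-ACK (small packets) got through
            ctx = ssl.create_default_context()
            # wrap_socket performs the handshake; the ServerHello plus certificate
            # chain arrives in full-size segments, which a PMTU black hole drops
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = True
                result["version"] = tls.version()
    except (OSError, ssl.SSLError) as exc:  # socket.timeout is an OSError subclass
        result["error"] = repr(exc)
    return result


def diagnose(result: dict) -> str:
    """Map the probe outcome to the most likely cause."""
    if result["tls"]:
        return "ok: TLS handshake completed"
    if result["tcp"]:
        return ("tcp-ok-tls-timeout: TCP connect worked but the handshake never "
                "completed; consistent with a path-MTU black hole, try a lower MTU "
                "or an MSS clamp on the egress router")
    return "tcp-failed: no TCP connection at all; routing or firewall, not MTU"


if __name__ == "__main__":
    print(f"MTU probe: ping -M do -s {ping_payload_for_mtu(1300)} {ACME_HOST}")
    print(diagnose(probe(ACME_HOST)))
```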
Here is a “workaround”:
If you have a clear line of sight to another trusted system running nginx,
add all of the below to the end of nginx.conf,
or just add the server section to an already existing stream section,
then “redirect” acme-staging-v02.api.letsencrypt.org via the hosts file
or via a locally managed DNS system to your “proxy”.
You will connect to the acme server "in"directly, but without TLS inspection and without MiTM.
stream {
    server {
        listen 12345;  # any UNUSED local port allowed through the firewall
        proxy_pass acme-staging-v02.api.letsencrypt.org:443;  # forwards the raw TCP stream to the actual server
    }  # server
}  # stream