Adding to @webprofusion's post
Here is a comparison of a few ACME CAs
I've already tried. Also with ZeroSSL it's not possible to generate certificates for sp.gov.br domains. I'm starting to believe that there is some problem in Let's Encrypt too. Does ZeroSSL use Let's?
No; they are their own separate Certificate Authority.
If you get a similar error, it might be a stronger confirmation that (at least some of) the Prodesp DNS servers intentionally block foreign addresses, are having an outage, or are overloaded.
As @Bruce5051 said, ZeroSSL is a totally separate certificate authority with totally separate infrastructure (but using the same ACME technology).
I was able to partially solve our problem using your tip
I created three certificates using Buypass Go; now I have time to find some replacement for my other 15 domains from Let's that will expire soon.
I understand Prodesp's position to mitigate attacks, but if the blockade is intentional it does not seem to make sense to me, since many municipalities use cloud solutions that may have IPs abroad. Anyway, I think the definitive way out is to migrate to Pereirabrereto .com.br, which has management by registration.br. When these problems happen with Prodesp, it sometimes takes months until it is solved ... I think the use of Let's Encrypt in Brazil will fall, since São Paulo is the largest state in the country.
ICANN Lookup with sp.gov.br as the input is still showing:
and https://dnsspy.io/scan/sp.gov.br is showing:
@schoen Yesterday my Secretary, who has been working with Information Technology for 28 years, gave us an insight into what could be causing the DNS validation problems. He said: Could this problem be due to ANATEL's attempts to block illegal IPTV in the country?
see the news
End of Gatonet: Anatel starts blocking and says that customers already complain... - See more at "Anatel diz que TV Box pirata já está sendo bloqueada; entenda" (Anatel says pirate TV boxes are already being blocked; understand)
Piracy is a crime and must be fought, but net neutrality in Brazil is over, as the very freedom of the people has been taken away in recent years. The world needs to question the violations of civil rights in this country, but this is not the focus of the forum, I'm sorry...
@rafaelbassora Interesting!
It sounds like Anatel tells backbones to block specific IP addresses?
If the complaints are substantiated, Brazil's backbone operators are called in. These are the companies that connect Brazil's internet with the world's. Tercius explains that they are the ones who will carry out the blocking by IP [a kind of RG for devices connected to the internet], protocols used by the TV boxes, and "multiple techniques". Anatel does not reveal what these "multiple techniques" are.
Is it possible to find out exactly what Anatel is telling the backbone operators to block? I guess the secretary might be envisioning that backbone operators are told to block an entire /24 network or something?
I feel like the article wasn't very rich in technical detail, as it mentioned dynamic IP addresses of residential customers as an obstacle to blocking here (seems unlikely to me), compared IP and MAC addresses to RG and CPF numbers (interesting but not super-technically-precise analogies), and suggested that Anatel could cause devices to be blocked by MAC address (behind customers' own NAT routers?!!?), in addition to the general underlying issue that "Anatel does not reveal what these 'multiple techniques' are", so the journalists don't even know the precise blocking methods being used.
How do you think Anatel would react if people wrote to it from various entities to ask whether this could be causing the issues in question? I should probably not attempt to do it because, apart from the fact that I'm a foreigner and not their "constituent", it would be hard for me to conceal my strong frustration with the fact that they're doing this at all. Maybe one of the state IT companies could contact them?