Suspect IP is blocked?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
wedge.fireflydigital.dev
office.fi.net.au

I ran this command:
curl -i https://acme-v02.api.letsencrypt.org/directory

It produced this output:
curl: (35) Recv failure: Connection reset by peer

My web server is (include version):
Apache 2.4.6

The operating system my web server runs on is (include version):
Centos 7

My hosting provider, if applicable, is:
Binary Lane

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes - Virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0

I've tested this from my server and from my local computer with VPN connected. Everything was working fine until very recently. No configuration changes. All of a sudden we can't get certificates issued.

1 Like

I can check if an IP is blocked but you’ll have to post what IP you’d like checked.

I don’t think we’ve blocked any IPs recently, though.

4 Likes

Thanks!

203.219.111.2
112.213.36.106

1 Like

The reason I suspected an IP block is this command does different things depending on whether I'm connected to my office network or not:

connected via one of the IPs previously listed:

ccarey:~$> curl -i https://acme-v02.api.letsencrypt.org/directory
curl: (35) Recv failure: Connection reset by peer

connected via 5G hotspot:

ccarey:~$> curl -i https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200 
server: nginx
date: Mon, 30 Oct 2023 05:24:53 GMT
content-type: application/json
content-length: 752
cache-control: public, max-age=0, no-cache
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "kpfWrYICk4k": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}%

it's a bit inconsistent, though - it fails/times out even without the VPN about half the time.

acme-v02.api.letsencrypt.org is on Cloudflare.
Maybe there is some issue there???
Recall that CF is a global CDN and different paths reach different systems.
Maybe only one, or a few, are having this problem.

3 Likes

@fireflyoz, do you need a cert right away?

3 Likes

I'm having the same issue on my Linode servers.

Running certbot --force-renew was getting Connection reset by peer errors.

I kept running the command and eventually an attempt worked.

After a working attempt, I tried again and continued to get Connection reset by peer.

@CrowdCon, please open a separate topic thread for your issue.
Also: Don't use --force-renew unless you know when/why it is used and you actually need to use it.

3 Likes

This connects fine

curl -I https://www.cloudflare.com

I don't need a cert immediately -- do you think it's a transient server-side problem that might clear on its own?

2 Likes

Yes, I do.
:crossed_fingers:

3 Likes

I've been having a similar issue with TLS stalling, also in Australia (ISP is Telstra). You can try your luck with --server https://acme-staging-v02.api.letsencrypt.org/directory

Cloudflare Status
Shows:

5 Likes

Well, that Cloudflare issue shows resolved today, and the problem at my end seems to have gone away, which is a big relief!

Thanks all for checking this out.

2 Likes

Historically, nearly every "IP Block" complaint here has been due to routing misconfigurations on a network belonging to the Client (LetsEncrypt Subscriber) or their ISP.

IP Blocks do happen, but are rare. Checking networks to see where the connectivity drops off should be the first step in troubleshooting.
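The curl comparison earlier in the thread (reset from the office IPs, success from the hotspot, intermittent either way) and the advice above to find where connectivity drops off both come down to the same test: connect to the ACME directory in stages and see which stage fails, from which address, how often. The script below is an added example written for this thread, not code from the thread, from Let's Encrypt or from Certbot; it uses only the Python standard library. The function names, the five-attempt default and the failure labels are this example's own choices, and the embedded sample directory is an abridged copy of the body from the successful curl quoted above.

```python
"""Stage-by-stage probe of an ACME directory endpoint: DNS, TCP, TLS, HTTP.
Added troubleshooting example for this thread; not Let's Encrypt or Certbot code.
Each resolved address is probed several times so an intermittent "Connection
reset by peer" can be tied to the stage and the address where it happens."""
import http.client
import json
import socket
import ssl
import time
from collections import Counter

ACME_HOST = "acme-v02.api.letsencrypt.org"
ACME_PATH = "/directory"
# Resources RFC 8555 section 7.1.1 requires in a directory object.
REQUIRED_KEYS = {"newNonce", "newAccount", "newOrder", "revokeCert", "keyChange"}

# Abridged copy of the directory body from the successful curl quoted in this
# thread, used to exercise parse_directory() without network access.
SAMPLE_DIRECTORY = json.dumps({
    "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
    "kpfWrYICk4k": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "meta": {"caaIdentities": ["letsencrypt.org"]},
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
    "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
    "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
})


def classify(exc):
    """Map an exception raised in one probe stage to a short failure label."""
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionResetError):   # curl: (35) Recv failure: Connection reset by peer
        return "reset"
    if isinstance(exc, ssl.SSLError):           # handshake or record-layer failure
        return "tls"
    if isinstance(exc, OSError):                # e.g. "Network is unreachable" on a v6 address
        return "os"
    return "other"


def parse_directory(body_text):
    """Return (endpoints, missing): the required RFC 8555 resources present in a
    directory body and the required names absent. Decoy keys and "meta" are dropped."""
    data = json.loads(body_text)
    endpoints = {k: v for k, v in data.items() if k in REQUIRED_KEYS}
    return endpoints, sorted(REQUIRED_KEYS - endpoints.keys())


def resolve(host):
    """Distinct (family, ip) pairs host resolves to, IPv4 and IPv6, in DNS order."""
    infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    return list(dict.fromkeys((fam, addr[0]) for fam, _, _, _, addr in infos))


def probe_once(family, ip, host=ACME_HOST, path=ACME_PATH, timeout=5.0):
    """One attempt against one address: TCP connect, TLS handshake, HTTP GET.
    Returns (stage, label, detail): last stage entered, "ok" or a classify() label, detail text."""
    stage = "tcp"
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((ip, 443))
            stage = "tls"
            ctx = ssl.create_default_context()   # verifies chain and hostname; SNI = host
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                stage = "http"
                tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
                resp = http.client.HTTPResponse(tls, method="GET")  # handles chunked bodies
                resp.begin()
                body = resp.read().decode()
        if resp.status != 200:
            return stage, f"http-{resp.status}", body[:80]
        endpoints, missing = parse_directory(body)
        if missing:
            return stage, "bad-directory", "missing " + ",".join(missing)
        return stage, "ok", f"HTTP 200, {len(endpoints)} endpoints"
    except Exception as exc:
        return stage, classify(exc), str(exc)


def summarize(results):
    """Aggregate (stage, label, detail) tuples into {(stage, label): n} and a failure rate."""
    counts = Counter((stage, label) for stage, label, _ in results)
    failures = sum(n for (_, label), n in counts.items() if label != "ok")
    return dict(counts), (failures / len(results) if results else 0.0)


def probe(host=ACME_HOST, attempts=5, pause=1.0):
    """Probe every resolved address `attempts` times and print one summary line per address."""
    for family, ip in resolve(host):
        results = []
        for _ in range(attempts):
            results.append(probe_once(family, ip, host))
            time.sleep(pause)
        counts, rate = summarize(results)
        print(f"{ip}: failure rate {rate:.0%} {counts}")


if __name__ == "__main__":
    probe()
```

Run it from the office network and again from the hotspot and compare the summary lines. Resets at the tcp or tls stage against one resolved address only point at the path to that particular CDN edge; the same pattern against every address points at your own egress or its upstream. A run that reaches the http stage and reports "bad-directory" or a non-200 status is a different problem (a proxy or captive portal answering in the CA's place), which the stage label keeps separate from a plain connection reset.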

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.