kiltum
February 14, 2024, 6:09am
First, everything worked fine for more than a year before I got the email "your certs are about to expire". So it is not the usual "open your port 80 and go away".
I ran certbot renew and got:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: blog.kiltum.tech
Type: connection
Detail: 37.9.13.22: Fetching http://blog.kiltum.tech/.well-known/acme-challenge/2CtbkNJzAVKSDAyS7BBx9BvsB98U8ka1wRrXORY0nUo: Timeout during connect (likely firewall problem)
BUT in nginx logs
18.191.119.204 - - [14/Feb/2024:08:51:31 +0300] "GET /.well-known/acme-challenge/2CtbkNJzAVKSDAyS7BBx9BvsB98U8ka1wRrXORY0nUo HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
35.160.217.177 - - [14/Feb/2024:08:51:31 +0300] "GET /.well-known/acme-challenge/2CtbkNJzAVKSDAyS7BBx9BvsB98U8ka1wRrXORY0nUo HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
So LE can reach my server and even gets a response.
What can be wrong?
You should be seeing at least three connections from Let's Encrypt, since they check from multiple locations to confirm that you actually own the name. You must have some firewall or routing issue blocking at least one of them. Maybe something geographic based, or a blocklist that somehow has some of the validation IPs on it.
kiltum
February 14, 2024, 6:20am
Very interesting. I never looked at the logs before. So now I have a simple question: how can I find the 3rd IP to investigate what's wrong with my or the other side's routing...
Osiris
February 14, 2024, 7:06am
Those 2 IP addresses are both from AWS, the secondary validation points. The primary validation point, based in the US, is missing.
Looks like your IP address 37.9.13.22 is based in Russia. Maybe you're doing some geo-blocking and block the US?
kiltum
February 14, 2024, 7:53am
Maybe. But to prove it I must know the IP ... From my US servers I can reach RU servers without any problem.
The primary validators are currently using the IPv4 address block https://bgp.tools/prefix/23.178.112.0/24
Note that this isn’t static and may change in the future with no notice.
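A way to turn the advice in the two answers above (count the validators that reached you, and check whether the primary one did) into a repeatable check. This is an added example, not code from the thread or from Let's Encrypt. It assumes nginx's default combined access log format, reuses the two log lines from the first post, adds a constructed healthy token for contrast, and hard-codes the 23.178.112.0/24 prefix quoted above, which the thread itself notes is not static.

```python
import ipaddress
import re
from collections import defaultdict

# Primary validator prefix as quoted in the thread. Not static; update when LE changes it.
PRIMARY_VALIDATOR_PREFIX = ipaddress.ip_network("23.178.112.0/24")
# The thread says at least three validation connections are expected per challenge.
MIN_EXPECTED_VALIDATORS = 3
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# The first two lines are the ones posted in the thread; the rest are constructed
# to show what a challenge that was validated from all locations looks like.
SAMPLE_LOG = [
    '18.191.119.204 - - [14/Feb/2024:08:51:31 +0300] "GET /.well-known/acme-challenge/2CtbkNJzAVKSDAyS7BBx9BvsB98U8ka1wRrXORY0nUo HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '35.160.217.177 - - [14/Feb/2024:08:51:31 +0300] "GET /.well-known/acme-challenge/2CtbkNJzAVKSDAyS7BBx9BvsB98U8ka1wRrXORY0nUo HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '23.178.112.5 - - [14/Feb/2024:09:20:01 +0300] "GET /.well-known/acme-challenge/constructed-token-ok HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '18.191.119.204 - - [14/Feb/2024:09:20:01 +0300] "GET /.well-known/acme-challenge/constructed-token-ok HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '35.160.217.177 - - [14/Feb/2024:09:20:02 +0300] "GET /.well-known/acme-challenge/constructed-token-ok HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '203.0.113.9 - - [14/Feb/2024:09:21:00 +0300] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/8.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def challenge_requests(lines):
    """Yield (token, client_ip, status) for every HTTP-01 challenge fetch in the log."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue
        yield rec["path"][len(CHALLENGE_PREFIX):], rec["ip"], int(rec["status"])


def audit_challenges(lines):
    """Group validator hits per token and flag a missing primary or too few validators."""
    by_token = defaultdict(list)
    for token, ip, status in challenge_requests(lines):
        by_token[token].append((ip, status))

    report = {}
    for token, hits in by_token.items():
        ips = {ip for ip, _ in hits}
        report[token] = {
            "validator_ips": sorted(ips),
            "primary_seen": any(ipaddress.ip_address(ip) in PRIMARY_VALIDATOR_PREFIX for ip in ips),
            "enough_validators": len(ips) >= MIN_EXPECTED_VALIDATORS,
            "failed_ips": sorted({ip for ip, st in hits if st != 200}),
        }
    return report


def problems(report):
    """Human-readable findings per token; an empty list means nothing looked wrong."""
    out = []
    for token, r in report.items():
        if not r["primary_seen"]:
            out.append(f"{token}: no hit from primary validator block {PRIMARY_VALIDATOR_PREFIX}; "
                       "check firewall/routing toward that prefix")
        if not r["enough_validators"]:
            out.append(f"{token}: only {len(r['validator_ips'])} validator IP(s) seen, "
                       f"expected at least {MIN_EXPECTED_VALIDATORS}")
        if r["failed_ips"]:
            out.append(f"{token}: non-200 responses served to {', '.join(r['failed_ips'])}")
    return out


if __name__ == "__main__":
    for line in problems(audit_challenges(SAMPLE_LOG)):
        print(line)
```

Run it against your real access log by replacing SAMPLE_LOG with the file's lines; the token in the error message from certbot is the dictionary key to look at. A token whose only hits come from outside the primary prefix is the pattern from this thread: the secondary validators reached you, the primary did not, so the fault is on the path between you and that prefix rather than in nginx or certbot.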
kiltum
February 14, 2024, 9:29am
Thanks! Yes, it was a routing issue. Fixed for my case.
system
Closed
March 15, 2024, 9:29am
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.