Timeout to acme-v02.api.letsencrypt.org [Cloudflare networks]

hello
When I ping the address below it shows a timeout. What is the reason?

[root@host ~]# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
848 packets transmitted, 0 received, 100% packet loss, time 847005ms

[root@host ~]#

and trace

[root@host ~]# traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 100.89.62.1 (100.89.62.1) 0.292 ms 0.283 ms 0.294 ms
2 core23.fsn1.hetzner.com (213.239.229.9) 0.391 ms core24.fsn1.hetzner.com (213.239.229.13) 8.704 ms core23.fsn1.hetzner.com (213.239.229.9) 0.378 ms
3 core1.fra.hetzner.com (213.239.224.86) 4.794 ms core0.fra.hetzner.com (213.239.224.66) 4.830 ms core4.fra.hetzner.com (213.239.224.90) 4.826 ms
4 core9.fra.hetzner.com (213.239.224.178) 5.165 ms core8.fra.hetzner.com (213.239.224.217) 5.129 ms core9.fra.hetzner.com (213.239.224.221) 5.088 ms
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
[root@host ~]#

Can you ping anything, like:

ping cloudflare.com

And, what does this do:

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org

Honestly, I can't ping cloudflare.com either, but I can ping all other sites like Google and Yahoo etc.

Below is the result:

[root@host ~]# sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 100.89.62.1 (100.89.62.1) 0.284 ms 0.272 ms 0.428 ms
2 core24.fsn1.hetzner.com (213.239.229.13) 0.602 ms core23.fsn1.hetzner.com (213.239.229.9) 3.199 ms core24.fsn1.hetzner.com (213.239.229.13) 0.593 ms
3 core0.fra.hetzner.com (213.239.224.82) 4.813 ms core1.fra.hetzner.com (213.239.224.86) 4.818 ms core5.fra.hetzner.com (213.239.224.78) 4.867 ms
4 core9.fra.hetzner.com (213.239.224.174) 5.049 ms core9.fra.hetzner.com (213.239.224.221) 5.092 ms 5.039 ms
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
[root@host ~]#

Coincidentally, "acme-v02.api.letsencrypt.org" is also on a Cloudflare network.
Maybe there is some break to the Cloudflare networks from your network.


Do you have a real IPv4 IP?
That looks very much like a CGNAT IP.

EDIT:
Per RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space (rfc-editor.org)
"The Shared Address Space address range is 100.64.0.0/10."

Which equals the IP range:
100.64.0.0 to 100.127.255.255

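The two checks the replies above are doing by eye, reading the traceroute to see where the path goes dark and checking whether an address sits in the RFC 6598 shared address space, can be scripted. The following is an added example, not code from the thread or from Let's Encrypt; the sample traceroute text inside it is constructed to match the shape of the output posted above, and the `diagnose` function and its result keys are illustrative names chosen here.

```python
import ipaddress
import re

# RFC 6598 shared address space (CGNAT), plus the RFC 1918 private ranges
# so an address can be told apart from ordinary private space.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the format Linux traceroute prints; the hops mirror
# the posted output (first four answer, then silence).
SAMPLE = """traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  100.89.62.1 (100.89.62.1)  0.292 ms  0.283 ms  0.294 ms
 2  core23.fsn1.hetzner.com (213.239.229.9)  0.391 ms core24.fsn1.hetzner.com (213.239.229.13)  8.704 ms
 3  core1.fra.hetzner.com (213.239.224.86)  4.794 ms core0.fra.hetzner.com (213.239.224.66)  4.830 ms
 4  core9.fra.hetzner.com (213.239.224.178)  5.165 ms core8.fra.hetzner.com (213.239.224.217)  5.129 ms
 5  * * *
 6  * * *
"""

DEST_RE = re.compile(r"^traceroute to \S+ \(([^)]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def classify(ip):
    """'cgnat' for 100.64.0.0/10, 'private' for RFC 1918, else 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in n for n in PRIVATE):
        return "private"
    return "public"


def parse_traceroute(text):
    """Return (destination_ip, hops); each hop records the distinct
    responding addresses and whether the hop was entirely silent (* * *)."""
    dest = None
    hops = []
    for line in text.splitlines():
        m = DEST_RE.match(line)
        if m:
            dest = m.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        addrs = []
        for a in ADDR_RE.findall(m.group(2)):
            if a not in addrs:  # a hop can answer from several routers
                addrs.append(a)
        hops.append({"hop": int(m.group(1)), "addrs": addrs, "silent": not addrs})
    return dest, hops


def last_responding_hop(hops):
    """Number of the last hop that answered, or None if nothing did."""
    answered = [h["hop"] for h in hops if not h["silent"]]
    return max(answered) if answered else None


def diagnose(text):
    """Summarise where the path breaks and what kind of address the first hop is."""
    dest, hops = parse_traceroute(text)
    last = last_responding_hop(hops)
    first = hops[0]["addrs"][0] if hops and hops[0]["addrs"] else None
    return {
        "destination": dest,
        "destination_reached": dest is not None and any(dest in h["addrs"] for h in hops),
        "last_responding_hop": last,
        "silent_hops_after": sum(1 for h in hops if h["silent"] and (last is None or h["hop"] > last)),
        "first_hop": first,
        "first_hop_class": classify(first) if first else None,
        "first_hop_is_cgnat": first is not None and classify(first) == "cgnat",
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE).items():
        print(f"{k}: {v}")
```

On the posted output this reports the last answering hop as 4 (still inside Hetzner's network) and the first hop 100.89.62.1 as shared address space. A gateway in 100.64.0.0/10 does not by itself mean the server is behind CGNAT; the poster's server has the public address 148.251.88.26, and a provider may simply number its internal gateway links from that range. The useful signal is the hop at which replies stop, which is what to quote to the hosting provider.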

my server ip address is: 148.251.88.26

[root@host ~]# curl http://www.cloudflare.com/
curl: (7) Failed connect to www.cloudflare.com:80; Operation now in progress
[root@host ~]#

You should contact Hetzner and ask them why you cannot ping Cloudflare or the Lets Encrypt API

From the trace route it looks like they are your hosting service. Right?


If you can't communicate with Cloudflare then roughly 20% of the internet won't work for you, so it's a big deal.


Hetzner says there is no issue on their side, and Cloudflare says it's not an issue on their side either.
I don't understand where the issue is, so

I guess maybe Cloudflare banned our server IP on their side.
Why can't Let's Encrypt make a direct link without the Cloudflare network?


A high-quality global CDN (like Cloudflare, Amazon's CloudFront, and others) provides many benefits. Let's Encrypt supports a high volume of transactions world-wide, and using one avoids having to re-create a vast world-wide infrastructure.

It looks clear to me there is a comms routing problem and most likely in Hetzner or the comms infrastructure that they use.

You can't even connect to Cloudflare's website. You should press this issue with Hetzner.


That is highly unlikely and the inability to ping cloudflare.com would not be a relevant indicator of that, even if it were the case.


Apparently your IP is blacklisted by one spam list; that could be relevant.

https://whatismyipaddress.com/blacklist-check

Easiest to get a new IP or use a different CA (ZeroSSL etc).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.