Unable to access acme-v02 from a specific IP address

My domain is: email.bidvest.cz

I ran this command: curl -ikL https://acme-v02.api.letsencrypt.org/directory

It produced this output: curl: (35) Network file descriptor is not connected

My web server is (include version): Icewarp 12.2.1.1 (mail server with integrated webmail)

The operating system my web server runs on is (include version): CentOS Linux release 7.7.1908 (Core)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Icewarp Remote Console

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A

I am unable to renew / issue a new certificate from a specific server (IP address):

curl http://whatismyip.akamai.com/
Returns:
89.24.108.86

nslookup acme-v02.api.letsencrypt.org
Returns:
Server: 10.10.1.1
Address: 10.10.1.1#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c

In the Icewarp log there is only this:
Certification [00007F2FBA810700] 12:43:15 Registering Account
Certification [00007F2FBA810700] 12:43:15 >>> https://acme-v02.api.letsencrypt.org/directory

When I try a traceroute from the server:
[root@mailsrv01 ~]# traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 gateway (10.10.1.1) 0.125 ms 0.118 ms 0.122 ms
2 * * *
3 89-239-20-1.addr.grepnet.cz (89.239.20.1) 8.633 ms 8.619 ms 8.591 ms
4 89.202.157.89 (89.202.157.89) 15.221 ms 15.211 ms 15.189 ms
5 cloudflare-gw.cr1-prg1.ip4.gtt.net (141.136.101.78) 13.784 ms 13.770 ms 13.748 ms
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

So it does look like Cloudflare is blocking my connection somewhere on the way. Is it possible, and if so, how do I resolve this issue?

Thanks for your reply

David

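The traceroute above is the only evidence in the post for "Cloudflare is blocking me", so here is an added example (not code from this thread, from Icewarp or from Let's Encrypt) that parses that output and reduces it to what it actually shows: which hop answered last, whether the target address ever answered, and that the rows of `* * *` are simply probes that got no ICMP time-exceeded reply. The helper names (`parse_traceroute`, `summarize_path`, `interpret`) and the embedded sample text are constructed here; the sample is transcribed from the trace in the post.

```python
"""Added example, not code from the forum thread, Icewarp or Let's Encrypt:
parse the traceroute output pasted in the post and state what it does and
does not show. The helper names (parse_traceroute, summarize_path,
interpret) and the embedded sample text are constructed here."""
import ipaddress
import re

# Sample input, transcribed from the traceroute in the post; hops 6..30
# are all "* * *" there, so they are generated instead of typed out.
TRACEROUTE_OUTPUT = (
    "traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), "
    "30 hops max, 60 byte packets\n"
    " 1  gateway (10.10.1.1)  0.125 ms  0.118 ms  0.122 ms\n"
    " 2  * * *\n"
    " 3  89-239-20-1.addr.grepnet.cz (89.239.20.1)  8.633 ms  8.619 ms  8.591 ms\n"
    " 4  89.202.157.89 (89.202.157.89)  15.221 ms  15.211 ms  15.189 ms\n"
    " 5  cloudflare-gw.cr1-prg1.ip4.gtt.net (141.136.101.78)  13.784 ms  13.770 ms  13.748 ms\n"
    + "".join(f"{ttl:2d}  * * *\n" for ttl in range(6, 31))
)

HEADER_RE = re.compile(r"traceroute to (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_traceroute(text):
    """Return (target_ip, hops); hops is a list of (ttl, responder_ip or None)."""
    lines = text.strip().splitlines()
    header = HEADER_RE.search(lines[0])
    if header is None:
        raise ValueError("first line is not a traceroute header")
    hops = []
    for line in lines[1:]:
        hop = HOP_RE.match(line)
        if hop is None:
            continue  # ignore anything that is not a hop row
        ttl, rest = int(hop.group(1)), hop.group(2)
        addr = ADDR_RE.search(rest)
        hops.append((ttl, addr.group(1) if addr else None))
    return header.group(2), hops


def summarize_path(text):
    """Reduce the hop list to the few facts a reader can actually rely on."""
    target_ip, hops = parse_traceroute(text)
    answered = [(ttl, ip) for ttl, ip in hops if ip is not None]
    last_ttl, last_ip = answered[-1] if answered else (0, None)
    return {
        "target_ip": target_ip,
        "reached_target": any(ip == target_ip for _, ip in hops),
        "last_responding_hop": last_ttl,
        "last_responding_ip": last_ip,
        # rows of "* * *" after the last responder: probes without any
        # ICMP time-exceeded reply, nothing more than that
        "silent_hops_after": sum(1 for ttl, ip in hops if ttl > last_ttl and ip is None),
        "gateway_is_private": bool(hops) and hops[0][1] is not None
        and ipaddress.ip_address(hops[0][1]).is_private,
    }


def interpret(summary):
    """Plain-language reading of the summary, as a list of findings."""
    findings = []
    if summary["gateway_is_private"]:
        findings.append("First hop is an RFC 1918 address: a LAN gateway, normal on its own.")
    if summary["reached_target"]:
        findings.append("The target itself answered, so the path is open to these probes.")
    else:
        findings.append(
            f"Last answer came from hop {summary['last_responding_hop']} "
            f"({summary['last_responding_ip']}); {summary['silent_hops_after']} "
            "later probes got no ICMP time-exceeded reply."
        )
        findings.append(
            "Silence after a hop means only that nobody sent ICMP back; it does not "
            "show that the target is unreachable or that anyone is blocking you."
        )
    findings.append(
        "Linux traceroute sends small UDP probes by default (60 bytes here), so the "
        "trace says nothing about TCP port 443 or about whether large TLS handshake "
        "packets fit the path MTU."
    )
    return findings


if __name__ == "__main__":
    for line in interpret(summarize_path(TRACEROUTE_OUTPUT)):
        print("-", line)
```

Run it as-is and it reports that the last reply came from hop 5 (the GTT-to-Cloudflare gateway) and that 25 later probes were silent. That is consistent with a working path just as much as with a blocked one, which is why the replies below move on to other causes such as MTU: a `curl` exit code 35 is a failure inside the TLS handshake, and the trace above cannot say anything about that stage.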

Your DNS resolver looks broken. Class 10.0.0.0/8 is for private networks. (I am not used to nslookup.)

Hi @9peppe

That’s not a problem. That’s the local server, maybe the router or a Fritz box that works as the local DNS server.

That

is correct.

Hi @soptik

That must work. Maybe your MTU is too big. Reduce it from 1500 to 1300 or lower.

Itchy fingers, I took it for the actual query answer :wink:

Hi.
I lowered the MTU size to 1200, but it appears to behave the same way:

[root@mailsrv01 ~]# ifconfig team0
team0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1200
inet 10.10.1.6 netmask 255.255.255.0 broadcast 10.10.1.255
ether e4:43:4b:51:5a:20 txqueuelen 1000 (Ethernet)
RX packets 22974656 bytes 9872258256 (9.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20619979 bytes 23776207342 (22.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@mailsrv01 ~]# traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 gateway (10.10.1.1) 0.111 ms 0.123 ms 0.102 ms
2 * * *
3 89-239-20-1.addr.grepnet.cz (89.239.20.1) 77.050 ms 77.068 ms 77.048 ms
4 89.202.157.89 (89.202.157.89) 15.167 ms 15.257 ms 15.242 ms
5 cloudflare-gw.cr1-prg1.ip4.gtt.net (141.136.101.78) 21.253 ms 21.237 ms 21.218 ms
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Just to add - the server is a physical server, with 10GbE network ports joined in LACP teams connected to a Juniper 10GbE virtual chassis, it’s in a DMZ (hence the 10.10.1.0/24 network and 10.10.1.1 gw/dns).
I don’t have ANY other network-related problems except this one with the certificate; the server is a production mail server and it works and serves users just fine :slight_smile:
I use commercial certificates on other domains on this server with Icewarp, no problems there either.

Thx