Unable to connect to acme-v01.api.letsencrypt.org from 46.252.148.0/24

Hi,
I’m working for an hosting provider and we noticed that out class 46.252.148.0/24 can’t connect to letsencrypt server (acme-v01.api.letsencrypt.org 23.45.101.142).
We already checked with our connectivity provider and they confirm that the packets are dropped letsencrypt side (an hop before acme-v01.api.letsencrypt.org).
We are also quite sure doesn’t done anything to deserve a block.

Asked on IRC and they suggested to open a post here to check it with Akamai’s CDN.
Full traceroute https://pastebin.com/YWqXxmUX

Thanks for support

1 Like

Hi @tsumi,

Thanks, I’ve flagged our operations team to investigate & respond on-thread.

2 Likes

Thanks :slight_smile:
If you need more test/traceroute/etc please ask.

1 Like

Using a diagnostic tools provided by our CDN I was able to attempt an MTR from the Akamai edge 23.45.101.142 to an ip in your /24. It was unsuccessful and failed a few hops after it started. I have opened a ticket with the CDN to confirm the results and look for a solution. I will reply here if there are any questions from their networking team.

3 Likes

First, I’d like to confirm that since your /24 cannot make it to the letsencrypt server, you have not seen any reference errors returned at acme-v01.api.letsencrypt.org. I’d also like you to test some more of your /24 to confirm the scope of this connectivity issue.

Next, I would like you to run curl -I https://acme-v01.api.letsencrypt.org -H "Pragma: akamai-x-cache-on, akamai-x-get-cache-key, akamai-x-get-true-cache-key, akamai-x-get-request-id" from a few vantage points and provide the result here.

Once I have that information I can coordinate furhter with our CDN on a resolution.

1 Like

Hi,
tried from some ip and the issue looks jeopardized.
Also tried from some server in other IP classes and found a couple of blocked IPs
In the pastebin you can find:

  • 2 test on 46.252.148.0/24, one failed, one ok
  • 2 failed test on IPs from another classes

https://pastebin.com/DKsY0Xm3

Thanks for providing more results and running those commands. Our CDN has has confirmed that the failed requests were not blocked by Akamai and in fact never reached Akamai.

those failed requests had a ping result of acme-v01.api.letsencrypt.org resolving to an Akamai IP 23.45.101.142. However, the curl results indicated failure to reach 2a02:26f0:ad:289::3d5

This looks to be a problem with your network provider and I suggest consulting with them to get it resolved.

Also, a general network debugging tip I suggest is to check your ipv6 configuration. It’s interesting that your ping resolved to an ipv4 address but your curl attempted to connect over ipv6.

2 Likes

Hi

our Network Carrier send to us these 2 traceroutes

https://pastebin.com/M6rhwX7N

the Hops are the same, but when they “customize” the source with 46.252.148.1 they are unable to arrive to 23.45.101.142

For my Network Carrier seems that our IPs are filtred by you (or your CDN ) and we do not have any evidence to prove the opposite, so i must assume that it is true.

Now, what can we do to solve this issue? Can you double check your system and with CDN for any block? Any other idea?

Thanks for support

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.