Unable to connect to acme-v01.api.letsencrypt.org


#1

I tried to update my certificate. I can reach any URL on 443/https on my Debian 8 server.

I checked iptables:

Chain INPUT (policy DROP)
target     prot opt source               destination         
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:40000:40100
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10000

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 1/sec burst 5
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306

Chain SPOOFED (0 references)
target     prot opt source               destination         
DROP       all  --  127.0.0.0/8          0.0.0.0/0           
DROP       all  --  169.240.0.0/12       0.0.0.0/0           
DROP       all  --  172.16.0.0/12        0.0.0.0/0           
DROP       all  --  192.168.0.0/16       0.0.0.0/0           
DROP       all  --  10.0.0.0/8           0.0.0.0/0           

Chain f2b-sshd (1 references)
target     prot opt source               destination 

And obtained this error:

produced an unexpected error: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7feea2b06850>, 'Connection to acme-v01.api.letsencrypt.org timed out. (connect timeout=45)')). Skipping.

I don't understand.


#2
traceroute acme-v01.api.letsencrypt.org
curl -v --connect-timeout 10 -H "Pragma: akamai-x-cache-on, akamai-x-get-cache-key, akamai-x-get-true-cache-key, akamai-x-get-request-id, akamai-x--meta-trace, akama-xi-get-extracted-values, akamai-x-get-extracted-values, akamai-x-get-nonces, akamai-x-get-ssl-client-session-id, akamai-x-cache-remote-on, akamai-x-get-client-ip" https://acme-v01.api.letsencrypt.org/directory

#3

Maybe I am interpreting your rules wrong, but it seems like your default outbound policy is to drop traffic, and you don’t have tcp dpt:443 permitted.

Can you fetch other sites on tcp/443?

curl -I https://google.com

#4

traceroute returns:

traceroute to acme-v01.api.letsencrypt.org (23.206.25.158), 30 hops max, 60 byte packets
send: Operation not permitted

curl returns:

xtracted-values, akamai-x-get-extracted-values, akamai-x-get-nonces, akamai-x-get-ssl-client-session-id, akamai-x-cache-remote-on, akamai-x-get-client-ip" https://acme-v01.api.letsencrypt.org/directory

* Trying 23.206.25.158...
* TCP_NODELAY set
* Trying 2a02:26f0:2d:18b::3d5...
* TCP_NODELAY set
* After 4998ms connect time, move on!
* connect to 23.206.25.158 port 443 failed: Connection timed out
* After 2395ms connect time, move on!
* connect to 2a02:26f0:2d:18b::3d5 port 443 failed: Connection timed out
* Trying 2a02:26f0:2d:19a::3d5...
* TCP_NODELAY set
* After 2395ms connect time, move on!
* connect to 2a02:26f0:2d:19a::3d5 port 443 failed: Connection timed out
* Failed to connect to acme-v01.api.letsencrypt.org port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to acme-v01.api.letsencrypt.org port 443: Connection timed out

and for

curl -I https://google.com

it is:
timed out too. How do I enable 443?


#5

How did you setup your current iptables rules? You can fix it the same way.

You need to add a rule for tcp/443 to be permitted in your OUTPUT chain.


#6

Yeah, but how?
It's my first time using iptables.


#7

¯\_(ツ)_/¯ if you don't know how the current rules came into existence (they're certainly not default) then it's impossible to say how to change them in a safe and persistent way.

Try to find where the rules file is on your server:

sudo find /etc -name "*iptables*"

#8

I found this:

/etc/iptables.up.rules
/etc/fail2ban/action.d/iptables-common.conf
/etc/fail2ban/action.d/iptables-multiport.conf
/etc/fail2ban/action.d/iptables.conf
/etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf
/etc/fail2ban/action.d/iptables-blocktype.conf
/etc/fail2ban/action.d/iptables-new.conf
/etc/fail2ban/action.d/iptables-xt_recent-echo.conf
/etc/fail2ban/action.d/iptables-ipset-proto6.conf
/etc/fail2ban/action.d/iptables-multiport-log.conf
/etc/fail2ban/action.d/iptables-ipset-proto4.conf
/etc/fail2ban/action.d/iptables-allports.conf


#9

That's probably the file where you would need to add a new ACCEPT rule in the OUTPUT chain to include port 443, and then reload iptables.

I am hesitant to give you advice for fear of breaking your current setup. Did somebody else do the setup?

You can (low risk) temporarily add a rule to allow outbound tcp/443 with:

sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

but it would disappear at reboot.

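As an added example (not code from the thread or from any of its posters), the following script shows the two checks behind the advice above: first, reading the OUTPUT chain as `iptables -S OUTPUT` would print it and deciding whether a new outbound TCP connection to a given port is accepted or falls through to the DROP policy; second, inserting the missing `--dport 443` ACCEPT rule into an `iptables-save`-format file such as `/etc/iptables.up.rules` so that it survives a reboot. The rule listing and the rules file are constructed from the chain the original poster pasted; the catch-all `ACCEPT all` line at the end of the poster's OUTPUT chain is assumed to be the loopback rule (`-o lo`), which `iptables -L` hides without `-v`, since a true catch-all would not produce the timeout seen in the thread. The functions `outbound_tcp_allowed` and `add_output_accept` are names chosen here, not anything on the server.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an iptables OUTPUT chain for
# outbound TCP/<port> and patches an iptables-save style rules file.

# Constructed: the poster's OUTPUT chain in `iptables -S OUTPUT` form.
# The "-o lo" line is an assumption (iptables -L shows it as "ACCEPT all").
ORIG_OUTPUT='-P OUTPUT DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT'

# Constructed: a minimal iptables-save file shaped like /etc/iptables.up.rules.
SAMPLE_RULES_FILE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# outbound_tcp_allowed RULES PORT
# Returns 0 if a *new* outbound TCP connection to PORT is accepted, 1 if it
# falls through to the chain policy. Handles the rule shapes in this thread:
# a per-port "-p tcp ... --dport N" ACCEPT, a bare catch-all ACCEPT, and the
# policy line. The RELATED,ESTABLISHED rule never matches a new connection,
# and --dports multiport lists are not handled.
outbound_tcp_allowed() {
    rules="$1"; port="$2"
    if printf '%s\n' "$rules" | grep -Eq -- "-p tcp .*--dport ${port} .*-j ACCEPT"; then
        return 0
    fi
    if printf '%s\n' "$rules" | grep -Eq -- "^-A [A-Za-z0-9_]+ -j ACCEPT$"; then
        return 0
    fi
    if printf '%s\n' "$rules" | grep -Eq -- "^-P [A-Za-z0-9_]+ ACCEPT$"; then
        return 0
    fi
    return 1
}

# add_output_accept FILE PORT
# Idempotently inserts "-A OUTPUT -p tcp -m tcp --dport PORT -j ACCEPT" into
# the *filter table of an iptables-save file, just before its COMMIT line.
# Loading the result is a separate step (iptables-restore < FILE); how and
# when that happens at boot depends on how the box was set up.
add_output_accept() {
    file="$1"; port="$2"
    line="-A OUTPUT -p tcp -m tcp --dport ${port} -j ACCEPT"
    if grep -Fxq -- "$line" "$file"; then
        return 0   # already present, nothing to do
    fi
    awk -v rule="$line" '
        /^\*filter/ { infilter = 1 }
        /^COMMIT/ && infilter { print rule; infilter = 0 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo: tcp/80 is allowed by an explicit rule, tcp/443 hits policy DROP,
# which is exactly the "Connection timed out" the poster saw from curl.
for p in 80 443; do
    if outbound_tcp_allowed "$ORIG_OUTPUT" "$p"; then
        echo "tcp/$p: new outbound connections ACCEPTED"
    else
        echo "tcp/$p: no rule matches, chain policy DROP applies"
    fi
done

# Demo: patch a copy of the constructed rules file, never the real one.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES_FILE" > "$tmp"
add_output_accept "$tmp" 443
echo "--- patched rules file (load with: iptables-restore < FILE) ---"
cat "$tmp"
rm -f "$tmp"
```

The temporary `iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT` from the post above changes only the running kernel tables; the file edit is what makes the same rule come back after a reboot, provided the boot-time script actually restores from that file, which is the part the thread cannot tell you.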

#10

Thanks,
it's a perfect solution for me :wink: It's not too bad if the rule is destroyed at reboot :slight_smile:
My certificate is upgraded!
