Hello!
I have run into a problem: it is impossible to get Let's Encrypt certificates on one of the servers because of this error:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/131625315396.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: During secondary validation: 31.31.198.201: Fetching http://shtakesnyjbogperla.ru/.well-known/acme-challenge/Invd7Ycd4XrlhiU3caNz1yidfKHpIfhpW1SKg5k992E: Timeout during connect (likely firewall problem)
The specified domain is located on server spl89.hosting.reg.ru. The server is running CentOS 7 with the Plesk Obsidian panel.
I checked the server and domain address via https://letsdebug.net/ and got these errors:
There are no blocks in the firewall, and the server is available from other countries:
https://ping-admin.com/free_test/result/16581280137ty1x89casi868zo3hwri.html
When checking another server, the problem is not observed:
I compared requests that come to the servers and found that requests from the server in Linode do not reach spl89.hosting.reg.ru:
172.104.24.29 - - [18/Jul/2022:10:11:32 +0300] spl90.hosting.reg.ru GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1 404 64721 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)" "-" 0.131-0.009
172.104.24.29 - - [18/Jul/2022:10:11:32 +0300] spl90.hosting.reg.ru GET / HTTP/1.1 200 64153 "-" "Go-http-client/1.1" "-" 0.130-0.008
66.133.109.36 - - [18/Jul/2022:10:11:33 +0300] spl90.hosting.reg.ru GET /.well-known/acme-challenge/g-nRu0uab7ZWa07THcE33CpuxAy3oggUg8DCihVQoMo HTTP/1.1 404 45491 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 0.183-0.010
66.133.109.36 - - [18/Jul/2022:10:10:43 +0300] spl89.hosting.reg.ru GET /.well-known/acme-challenge/zCAgrg64HUQwp1afJBLYudfn0D0iXmv2i-TuyHxuE38 HTTP/1.1 404 45491 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 0.189-0.011
Yesterday's logs:
172.104.24.29 - - [17/Jul/2022:20:54:31 +0300] spl90.hosting.reg.ru GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1 404 64721 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)" "-" 0.137-0.012
52.28.77.66 - - [17/Jul/2022:20:54:32 +0300] spl90.hosting.reg.ru GET /.well-known/acme-challenge/CiXg786K2zTvDvcWA33GHExfam-Odk7aHPPURkIxNMQ HTTP/1.1 404 44103 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 0.058-0.009
172.104.24.29 - - [17/Jul/2022:20:54:32 +0300] spl90.hosting.reg.ru GET / HTTP/1.1 200 64153 "-" "Go-http-client/1.1" "-" 0.127-0.008
66.133.109.36 - - [17/Jul/2022:20:54:32 +0300] spl90.hosting.reg.ru GET /.well-known/acme-challenge/CiXg786K2zTvDvcWA33GHExfam-Odk7aHPPURkIxNMQ HTTP/1.1 404 45491 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 0.177-0.008
52.28.77.66 - - [17/Jul/2022:20:53:45 +0300] spl89.hosting.reg.ru GET /.well-known/acme-challenge/mKNdhLna5zkjIkkAESka_Uor2K0EwH_Z-OZvNWaywjY HTTP/1.1 404 44103 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 0.062-0.010
66.133.109.36 - - [17/Jul/2022:20:53:45 +0300] spl89.hosting.reg.ru GET /.well-known/acme-challenge/mKNdhLna5zkjIkkAESka_Uor2K0EwH_Z-OZvNWaywjY HTTP/1.1 404 45491 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 0.171-0.007
➜ ~ whois 172.104.24.29 | grep NetName
NetName: LINODE-US
According to the mtr results, the problem should be on the side of the letsencrypt/letsdebug server located in Linode, or on the side of Linode infrastructure:
mtr from spl90.hosting.reg.ru:
My traceroute [v0.85]
spl90.hosting.reg.ru (0.0.0.0) Mon Jul 18 10:35:08 2022
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. kiae-r1.hosting.reg.ru (31.31.194.4) 0.0% 274 0.9 1.8 0.2 60.8 7.0
2. ???
3. ???
4. 198.18.9.152 0.0% 274 0.7 1.0 0.6 15.7 1.7
5. 10.1.92.1 0.0% 274 1.3 1.4 0.7 13.7 1.7
6. mow-b4-link.ip.twelve99.net (213.248.96.104) 0.0% 274 2.1 1.5 0.7 28.3 3.0
7. mow-b1-link.ip.twelve99.net (62.115.142.176) 0.0% 274 2.2 2.3 1.6 8.8 1.0
8. s-bb2-link.ip.twelve99.net (62.115.141.22) 0.0% 274 19.6 19.8 19.6 20.4 0.0
9. kbn-bb2-link.ip.twelve99.net (62.115.139.173) 0.4% 274 105.6 66.5 43.1 677.5 80.2
10. nyk-bb2-link.ip.twelve99.net (80.91.254.91) 2.2% 274 123.1 122.2 118.7 135.2 1.8
11. nyk-b15-link.ip.twelve99.net (62.115.113.71) 0.0% 274 120.7 121.1 120.3 123.5 1.1
12. linode-ic342729-nyk-b2.ip.twelve99-cust.net (62.115.172.131) 0.0% 274 117.1 117.9 117.0 147.3 3.5
13. ???
14. ???
15. ???
16. letsdebug.net (172.104.24.29) 0.0% 274 113.2 112.6 110.3 113.9 1.0
mtr from spl89.hosting.reg.ru:
My traceroute [v0.85]
spl89.hosting.reg.ru (0.0.0.0) Mon Jul 18 10:34:27 2022
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. kiae-r1.hosting.reg.ru (31.31.194.4) 0.0% 225 0.3 2.4 0.2 70.8 8.7
2. ???
3. ???
4. 198.18.9.152 0.4% 225 2.0 2.4 1.2 24.6 2.3
5. 10.1.92.1 0.0% 225 1.6 2.3 1.3 17.9 1.7
6. mow-b4-link.ip.twelve99.net (213.248.96.104) 0.0% 225 2.0 2.5 1.4 17.9 1.9
7. mow-b1-link.ip.twelve99.net (62.115.142.176) 0.0% 225 3.0 3.6 2.3 13.4 1.4
8. s-bb2-link.ip.twelve99.net (62.115.141.22) 0.0% 225 21.0 20.9 20.3 21.9 0.1
9. kbn-bb2-link.ip.twelve99.net (62.115.139.173) 0.0% 225 47.9 67.4 44.8 676.5 84.3
10. nyk-bb2-link.ip.twelve99.net (80.91.254.91) 6.7% 225 114.8 117.5 114.8 119.5 0.9
11. nyk-b15-link.ip.twelve99.net (62.115.113.71) 0.0% 225 114.7 117.2 114.3 118.8 0.9
12. linode-ic342729-nyk-b2.ip.twelve99-cust.net (62.115.172.131) 0.0% 225 115.0 116.1 114.9 151.4 3.9
13. ???
Can someone from the Let's Encrypt team check whether IP 31.31.198.201 is blocked on the Let's Encrypt servers, or whether it is Linode's problem?
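The access-log comparison described in the post, as an added example that is not part of the original post: it parses lines in the log format shown above, collects which source IPs requested an ACME challenge path on each virtual host, and lists sources that reached one host but never appear for the other. The function names are hypothetical and the sample lines are the 18 July entries copied from the post.

```python
import re
from collections import defaultdict

# Fields: client IP, [timestamp], vhost, request line, status, bytes, referer, user agent
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<vhost>\S+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+ (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Sample input: the four 18/Jul/2022 log lines quoted in the post.
SAMPLE_LOG = """\
172.104.24.29 - - [18/Jul/2022:10:11:32 +0300] spl90.hosting.reg.ru GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1 404 64721 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)" "-" 0.131-0.009
172.104.24.29 - - [18/Jul/2022:10:11:32 +0300] spl90.hosting.reg.ru GET / HTTP/1.1 200 64153 "-" "Go-http-client/1.1" "-" 0.130-0.008
66.133.109.36 - - [18/Jul/2022:10:11:33 +0300] spl90.hosting.reg.ru GET /.well-known/acme-challenge/g-nRu0uab7ZWa07THcE33CpuxAy3oggUg8DCihVQoMo HTTP/1.1 404 45491 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 0.183-0.010
66.133.109.36 - - [18/Jul/2022:10:10:43 +0300] spl89.hosting.reg.ru GET /.well-known/acme-challenge/zCAgrg64HUQwp1afJBLYudfn0D0iXmv2i-TuyHxuE38 HTTP/1.1 404 45491 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 0.189-0.011
"""


def challenge_sources(log_text):
    """Map vhost -> {client IP: user agent} for ACME HTTP-01 challenge requests."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Skip unparsable lines and requests outside the challenge directory.
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        seen[m["vhost"]][m["ip"]] = m["ua"]
    return seen


def missing_sources(seen, reference, target):
    """Client IPs that reached `reference` but never appear in `target`'s log."""
    return sorted(set(seen.get(reference, {})) - set(seen.get(target, {})))


if __name__ == "__main__":
    seen = challenge_sources(SAMPLE_LOG)
    for vhost, sources in sorted(seen.items()):
        print(vhost, sorted(sources))
    print("reached spl90 only:",
          missing_sources(seen, "spl90.hosting.reg.ru", "spl89.hosting.reg.ru"))
```

A source missing from a host's log only shows that no request from it was logged in the sampled window, which matches a connect timeout but does not say where on the path the traffic was dropped.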