Unban ip can’t renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: orenadvocat.ru

I ran this command: certbot certonly --nginx -d orenadvocat.ru

It produced this output: ERROR:certbot._internal.log:requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)

My web server is (include version): nginx version: openresty/1.25.3.1

The operating system my web server runs on is (include version): ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.30.0

Hi @orlovnv, and welcome to the LE community forum :slight_smile:

Please show the outputs of:

traceroute -T -p 443 www.google.com
traceroute -T -p 443 acme-v02.api.letsencrypt.org

root@npm:~# traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 192.168.2.1 (192.168.2.1) 0.185 ms 0.156 ms 0.166 ms
2 92.62.149.1 (92.62.149.1) 1.808 ms 1.871 ms 1.739 ms
3 92.62.144.74 (92.62.144.74) 1.690 ms 1.657 ms 1.623 ms
4 obg01.transtelecom.net (217.150.61.162) 2.739 ms 2.599 ms 2.470 ms
5 * * *
6 Cloudflare-msk-gw.transtelecom.net (188.43.3.65) 22.493 ms 23.068 ms 22.939 ms
7 172.68.8.53 (172.68.8.53) 22.325 ms 22.094 ms 21.976 ms
8 172.65.32.248 (172.65.32.248) 21.368 ms 21.335 ms 21.365 ms
root@npm:~#

root@npm:~# traceroute -T -p 443 www.google.com
traceroute to www.google.com (216.58.210.132), 30 hops max, 60 byte packets
1 192.168.2.1 (192.168.2.1) 0.512 ms 0.500 ms 0.482 ms
2 92.62.149.1 (92.62.149.1) 1.828 ms 1.806 ms 1.725 ms
3 92.62.144.74 (92.62.144.74) 1.748 ms 1.742 ms 1.711 ms
4 obg01.transtelecom.net (217.150.61.162) 2.513 ms 2.311 ms 2.402 ms
5 * * *
6 Google-gw.transtelecom.net (188.43.3.141) 24.063 ms 23.616 ms 23.579 ms
7 192.178.241.59 (192.178.241.59) 24.248 ms 192.178.241.171 (192.178.241.171) 411.822 ms *
8 192.178.241.70 (192.178.241.70) 24.063 ms 192.178.241.66 (192.178.241.66) 21.771 ms 21.583 ms
9 172.253.66.116 (172.253.66.116) 41.161 ms 142.251.237.154 (142.251.237.154) 36.810 ms 172.253.66.116 (172.253.66.116) 41.198 ms
10 142.250.63.8 (142.250.63.8) 48.342 ms 142.251.237.140 (142.251.237.140) 40.603 ms 40.558 ms
11 192.178.105.7 (192.178.105.7) 39.982 ms 192.178.105.9 (192.178.105.9) 41.500 ms 41.861 ms
12 142.250.229.89 (142.250.229.89) 40.018 ms 142.250.229.87 (142.250.229.87) 41.963 ms 39.313 ms
13 mad06s09-in-f132.1e100.net (216.58.210.132) 44.144 ms 38.345 ms 43.918 ms

Those look normal. What does the below show? Note: there are no currently active IP bans, so that is not the problem.

curl -v https://acme-v02.api.letsencrypt.org/directory

Hopefully that curl had more output than just that. What about repeating it without -v to shorten the output? Did that get a reply from an nginx server?

Did you run traceroute and the curl from the same device you ran Certbot on?


The process doesn't finish; it hangs on this:

root@proxy:~# curl -v https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs

If I do the same from another IP, 92.62.149.129, it runs to the end.

That is some kind of routing problem. When LE had IP blocks, your connection would be immediately dropped, not hung.

Did you run that curl the same way as the traceroute? Because the output format looked different.

What else is different between the machine that worked and the one that fails? There must be something more than just the public IP.


I do tests on a VM. When the VM is connected to the local network and receives its IP from DHCP, the command doesn't finish (NAT ports 80, 443). When I set the IP 92.62.149.129 so the VM isn't connected to the LAN, all is good.

traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 192.168.2.1 (192.168.2.1) 0.417 ms 24.833 ms *
2 * * 92.62.149.1 (92.62.149.1) 2.085 ms
3 92.62.144.74 (92.62.144.74) 2.051 ms * 1.993 ms
4 obg01.transtelecom.net (217.150.61.162) 2.743 ms * *
5 * * *
6 Cloudflare-msk-gw.transtelecom.net (188.43.3.65) 22.682 ms * *
7 * * 172.68.8.49 (172.68.8.49) 22.029 ms
8 172.65.32.248 (172.65.32.248) 19.961 ms * *
root@nginx:~# curl -v https://acme-v02.api.letsencrypt.org/directory

* Host acme-v02.api.letsencrypt.org:443 was resolved.
* IPv6: 2606:4700:60:0:f53d:5624:85c7:3a2c
* IPv4: 172.65.32.248
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs

I don't think so, because this VM has worked for 5 months and nobody has touched the routing, and now it has stopped without any reason.

OK, but I don't have any other good explanation. You may be surprised to know how many times we hear "nothing changed" when something actually has changed. (many :slight_smile: )

What do these show?

curl https://cloudflare.com/cdn-cgi/trace

curl -v --connect-to ::172.253.115.139:443 https://dv.acme-v02.api.pki.goog/directory

curl https://cloudflare.com/cdn-cgi/trace
fl=404f5
h=cloudflare.com
ip=92.62.149.126
ts=1730519753.854
visit_scheme=https
uag=curl/7.88.1
colo=DME
sliver=none
http=http/2
loc=RU
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
rbi=off
kex=X25519

curl -v --connect-to ::172.253.115.139:443 https://dv.acme-v02.api.pki.goog/directory
* Connecting to hostname: 172.253.115.139
* Connecting to port: 443
*   Trying 172.253.115.139:443...
* Connected to (nil) (172.253.115.139) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=api.pki.goog
*  start date: Oct  7 08:29:16 2024 GMT
*  expire date: Dec 30 08:29:15 2024 GMT
*  subjectAltName: host "dv.acme-v02.api.pki.goog" matched cert's "dv.acme-v02.api.pki.goog"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /directory]
* h2h3 [:scheme: https]
* h2h3 [:authority: dv.acme-v02.api.pki.goog]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5558128e1ce0)
> GET /directory HTTP/2
> Host: dv.acme-v02.api.pki.goog
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
< replay-nonce: AEQAAAAKQgoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhQKDAjYxZa5BhCh3o_-AhDqp-WLAgAPkAjENQIXTvwRSWBin6vgLjvpkgiI44g
< content-type: application/json
< content-security-policy-report-only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/sytrfdec:153:0
< cross-origin-opener-policy-report-only: same-origin; report-to=coop_reporting
< report-to: {"group":"coop_reporting","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/sytrfdec:153:0"}],}
< date: Sat, 02 Nov 2024 03:56:08 GMT
< server: scaffolding on HTTPServer2
< cache-control: private
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< accept-ranges: none
< vary: Accept-Encoding
< 
* Connection #0 to host (nil) left intact
{"newNonce":"https://dv.acme-v02.api.pki.goog/new-nonce","newAccount":"https://dv.acme-v02.api.pki.goog/new-account","newOrder":"https://dv.acme-v02.api.pki.goog/new-order","newAuthz":"https://dv.acme-v02.api.pki.goog/new-authz","revokeCert":"https://dv.acme-v02.api.pki.goog/revoke-cert","keyChange":"https://dv.acme-v02.api.pki.goog/key-change","renewalInfo":"https://dv.acme-v02.api.pki.goog/renewal-info","meta":{"termsOfService":"https://pki.goog/GTS-SA.pdf","website":"https://pki.goog","caaIdentities":["pki.goog"],"externalAccountRequired":true}}

Any ideas?
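The distinction drawn earlier in the thread (an IP block shows up as a connection that is dropped immediately, whereas the failing VM's curl connects, sends the ClientHello and then hangs, while the Google CA transcript above runs through to an HTTP 200) can be turned into a quick check. The script below is an added example for this thread, not code from Certbot, curl or Let's Encrypt: it scans a saved `curl -v` transcript, records the last milestone curl reached, and reports a verdict. The three sample transcripts embedded in it are constructed to follow the shape of the ones posted here; the list of socket error strings it looks for is a heuristic, not an exhaustive one.

```python
"""Classify how far a `curl -v https://...` session got before it stalled.

Added example for this thread (not Certbot, curl or Let's Encrypt code).
It scans the `*`, `>` and `<` lines curl prints with -v, records the last
milestone reached, and turns that into a verdict that separates
"TCP never connected" from "TCP connected but no ServerHello came back"
(the hang in this thread) from "request completed".
"""
import re
import sys
from dataclasses import dataclass, field

# Milestones in the order curl -v reaches them; reaching a later one implies
# the earlier ones succeeded.  Index 0 means no milestone was seen at all.
STAGES = ("none", "tcp_connected", "client_hello_sent",
          "server_hello_received", "tls_established", "http_response")

_MILESTONES = (
    re.compile(r"^\* Connected to "),
    re.compile(r"^\* TLSv1\.\d \(OUT\), TLS handshake, Client hello"),
    re.compile(r"^\* TLSv1\.\d \(IN\), TLS handshake, Server hello"),
    re.compile(r"^\* SSL connection using "),
    re.compile(r"^< HTTP/\S+ \d{3}"),
)

# Socket-level failure strings curl relays from the OS (heuristic list,
# assumed here; extend it for your platform's wording).
_SOCKET_ERROR = re.compile(
    r"Network is unreachable|Connection refused|Connection reset by peer|"
    r"Connection timed out|Failed to connect")


@dataclass
class Diagnosis:
    stage: str                      # last milestone reached, from STAGES
    socket_errors: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.stage == "http_response":
            return "ok: request completed"
        if self.stage == "none":
            if self.socket_errors:
                return "tcp_failed: " + "; ".join(sorted(set(self.socket_errors)))
            return "no_tcp_connect: transcript ends before any connection"
        if self.stage == "client_hello_sent":
            return ("handshake_stalled: TCP connected and ClientHello was sent, "
                    "but no ServerHello came back; look at the path, not at an IP ban")
        return "incomplete: stopped after " + self.stage


def diagnose(transcript: str) -> Diagnosis:
    """Return the last milestone reached plus any socket errors seen."""
    reached = 0
    errors = []
    for raw in transcript.splitlines():
        line = raw.strip()
        for idx, pattern in enumerate(_MILESTONES, start=1):
            if pattern.search(line):
                reached = max(reached, idx)
        err = _SOCKET_ERROR.search(line)
        if err:
            errors.append(err.group(0))
    return Diagnosis(stage=STAGES[reached], socket_errors=errors)


# Constructed samples that follow the shape of the transcripts in this thread.
HANG = """\
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
"""

COMPLETED = """\
*   Trying 172.253.115.139:443...
* Connected to (nil) (172.253.115.139) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
> GET /directory HTTP/2
< HTTP/2 200
< content-type: application/json
"""

UNREACHABLE = """\
*   Trying 2a03:522:1111:162::162...
* TCP_NODELAY set
* Immediate connect fail for 2a03:522:1111:162::162: Network is unreachable
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # python3 curl_stage.py saved_transcript.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(diagnose(fh.read()).verdict)
    else:
        for name, text in (("hang", HANG), ("completed", COMPLETED),
                           ("unreachable", UNREACHABLE)):
            print(f"{name}: {diagnose(text).verdict}")
```

Save the failing VM's output with `curl -v https://acme-v02.api.letsencrypt.org/directory 2> failing.txt` and the working VM's the same way, then feed each file to the script; if the two differ only in where they stop, the comparison is exactly the one made in the thread. A stall at this precise point, TCP established and ClientHello out but no ServerHello back, means the server's reply is being lost on the return path rather than refused; the thread does not settle the cause, though one common producer of that signature is a path-MTU black hole between a NAT and the server, since the ServerHello flight with the certificate chain is far larger than the ClientHello.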

I don't have any new ideas. An unusual comms problem.

You can reach Google CA API so you could try getting a cert from them. That requires EAB setup with Google before-hand.

Or, if this curl works, you could get a cert from BuyPass. They do not require EAB setup.

curl https://api.buypass.com/acme/directory

You will need to use the Certbot register command once to set up the BuyPass account. Then add this to your Certbot command to use them:

--server https://api.buypass.com/acme/directory

curl -v https://api.buypass.com/acme/directory

*   Trying 185.62.162.162...
* TCP_NODELAY set
*   Trying 2a03:522:1111:162::162...
* TCP_NODELAY set
* Immediate connect fail for 2a03:522:1111:162::162: Network is unreachable
*   Trying 2a03:522:1111:162::162...
* TCP_NODELAY set
* Immediate connect fail for 2a03:522:1111:162::162: Network is unreachable
*   Trying 2a03:522:1111:162::162...
* TCP_NODELAY set
* Immediate connect fail for 2a03:522:1111:162::162: Network is unreachable

Why does it work from my other IP? I can't understand it, unless the IP is banned.