Unblock IP address

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mercurycolleges.nsw.edu.au

I ran this command: traceroute acme-v02.api.letsencrypt.org

It produced this output:
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *

openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

My web server is (include version):
PLESK Version 18.0.46

The operating system my web server runs on is (include version):
CloudLinux 3.10.0-962.3.2.lve1.5.60.el7.x86_64

My hosting provider, if applicable, is: CG

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): PLESK

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Welcome @CGC

Why do you think your IP is blocked?

Can you show result of this?

curl -I https://acme-v02.api.letsencrypt.org/directory

Traceroute Limitations Explained and Wikipedia's traceroute (Wikipedia).
And from the man pages, the history: traceroute(8) (OpenBSD manual pages) and traceroute.
And FreeBSD's current man page: traceroute.


Also note I cannot traceroute to mercurycolleges.nsw.edu.au
yet wget https://www.mercurycolleges.nsw.edu.au/ has no problem.

e6430-i5$ traceroute mercurycolleges.nsw.edu.au
traceroute to mercurycolleges.nsw.edu.au (91.239.243.28), 64 hops max, 40 byte packets
 1  EdgeRouter-4 (192.168.1.1)  0.462 ms  0.336 ms  0.308 ms
 2  96.120.60.137 (96.120.60.137)  8.797 ms  9.345 ms  8.651 ms
 3  68.87.217.41 (68.87.217.41)  8.437 ms  9.335 ms  8.187 ms
 4  96.216.60.245 (96.216.60.245)  10.088 ms  9.496 ms  11.888 ms
 5  68.85.243.197 (68.85.243.197)  15.375 ms  18.127 ms  14.116 ms
 6  be-36211-cs01.seattle.wa.ibone.comcast.net (68.86.93.49)  13.788 ms be-36231-cs03.seattle.wa.ibone.comcast.net (68.86.93.57)  13.703 ms be-36211-cs01.seattle.wa.ibone.comcast.net (68.86.93.49)  14.284 ms
 7  be-2113-pe13.seattle.wa.ibone.comcast.net (96.110.44.82)  21.764 ms be-2313-pe13.seattle.wa.ibone.comcast.net (96.110.44.90)  13.738 ms be-2113-pe13.seattle.wa.ibone.comcast.net (96.110.44.82)  16.596 ms
 8  ae-9.a02.sttlwa01.us.bb.gin.ntt.net (129.250.66.105)  20.331 ms  14.822 ms  13.863 ms
 9  ae-2.r25.sttlwa01.us.bb.gin.ntt.net (129.250.2.94)  26.226 ms  14.493 ms  15.338 ms
10  ae-3.r25.snjsca04.us.bb.gin.ntt.net (129.250.3.124)  28.214 ms * *
11  ae-45.r01.snjsca04.us.bb.gin.ntt.net (129.250.3.175)  28.74 ms  27.395 ms  28.779 ms
12  ce-0-17-0-0.r01.snjsca04.us.ce.gin.ntt.net (128.242.179.34)  27.279 ms  31.255 ms  29.529 ms
13  be6.core1.equinix-sy1.syd.aussiebb.net (180.150.2.109)  179.4 ms  176.48 ms  175.901 ms
14  be5.core1.vdc01.syd.aussiebb.net (180.150.1.156)  178.473 ms  178.259 ms  179.188 ms
15  be1.core2.vdc01.syd.aussiebb.net (180.150.0.157)  174.961 ms  178.155 ms  177.704 ms
16  be2.core2.nextdc-s1.syd.aussiebb.net (202.142.143.203)  180.989 ms  177.078 ms  177.866 ms
17  HundredGigE0-0-0-21.bng2.nextdc-s1.syd.aussiebb.net (202.142.143.167)  179.017 ms  177.46 ms  177.734 ms
64  * * *
e6430-i5$ wget https://www.mercurycolleges.nsw.edu.au/
--2022-08-23 08:17:26--  https://www.mercurycolleges.nsw.edu.au/
Resolving www.mercurycolleges.nsw.edu.au (www.mercurycolleges.nsw.edu.au)... 91.239.243.28
Connecting to www.mercurycolleges.nsw.edu.au (www.mercurycolleges.nsw.edu.au)|91.239.243.28|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

index.html                           [      <=>                                                  ] 146.29K  80.8KB/s    in 1.8s

2022-08-23 08:17:31 (80.8 KB/s) - 'index.html' saved [149801]

e6430-i5$

That traceroute output looks like your school doesn't allow traceroute [at all].
[which isn't a requirement in obtaining a cert from LE]

What have you done to try to obtain a cert from LE?
Show us any of those failures/logs.


curl -I https://acme-v02.api.letsencrypt.org/directory
curl: (35) Network file descriptor is not connected

BUT if I curl any other sites they do work.
curl -I https://gmail.com
HTTP/1.1 301 Moved Permanently
Location: Gmail
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 226
X-XSS-Protection: 0
Date: Tue, 23 Aug 2022 21:13:58 GMT
Expires: Tue, 23 Aug 2022 21:43:58 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 1513
Alt-Svc: clear

Also on any other server (different IP)

curl -I https://acme-v02.api.letsencrypt.org/directory
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 23 Aug 2022 21:40:25 GMT
Content-Type: application/json
Content-Length: 672
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 0002rouY9HINPrZT1xYPhSvGW69tSK1v9bPm-0bP1y8Ioe0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Hi rg305, I will collect some logs soon, here is just a first one

plesk bin extension --exec letsencrypt cli.php -d mercurycolleges.nsw.edu.au -m support@mercurycolleges.nsw.edu.au
[2022-08-24 07:42:23.755] 549213:630549bfb77c2 ERR [extension/letsencrypt] The execution of cli.php has failed with the following message:
Could not obtain directory: cURL error 35: Network file descriptor is not connected (see libcurl - Error Codes)
The execution of cli.php has failed with the following message:
Could not obtain directory: cURL error 35: Network file descriptor is not connected (see libcurl - Error Codes)

exit status 1

That looks like a cert validation problem to me. What do these show?

curl --version
curl -Iv https://acme-v02.api.letsencrypt.org/directory

curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

curl -Iv https://acme-v02.api.letsencrypt.org/directory

* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5978 (PR_NOT_CONNECTED_ERROR)
* Network file descriptor is not connected
* Closing connection 0
curl: (35) Network file descriptor is not connected

I don't know NSS well enough to advise further. But, that's not the kind of error we see with IP blocks.

Are you able to update curl? I've seen some reports of that version being more vulnerable to PR_NOT_CONNECTED errors.


Thank you Mike. I tried to update curl: no new updates available, and the OS is up to date too. It's a strange issue.


I don't know. That curl version came out in 2013 if I read the history right. Or is this one of those distros where the version stays the same and security fixes get applied anyway?

We could look at your cert store. Please show result of this:

grep -Ei 'ISRG|DST|R3' /etc/pki/tls/certs/ca-bundle.crt | grep -e '#'

I think @MikeMcQ is on the right track with the cert store.

@CGC Can you also post the output of curl with 2 levels of verbosity?

curl -vv -I https://acme-v02.api.letsencrypt.org/directory

grep -Ei 'ISRG|DST|R3' /etc/pki/tls/certs/ca-bundle.crt | grep -e '#'
# GTS Root R3
# GlobalSign Root CA - R3
# ISRG Root X1
curl -vv -I https://acme-v02.api.letsencrypt.org/directory
* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5978 (PR_NOT_CONNECTED_ERROR)
* Network file descriptor is not connected
* Closing connection 0
curl: (35) Network file descriptor is not connected

I think it's possible that your very old version of curl can not properly handle the TLS connection. You also have a very old OpenSSL. You're on the old 1.0.2 branch and patch k; they ultimately got up to patch v. IMHO, it's odd that it's running a FIPS version, but not the latest FIPS version.

In any event, there may be issues with your machine's ability to handle protocols and ciphers. That would explain why you can access some https sites but not others.

Looking at the curl changelog - there were a lot of improvements to tls1.1 and 1.2 in subsequent releases.

You could try the following, but I don't think your version of curl supports these flags:

curl --tlsv1.1 -tls-max 1.1 https://acme-staging-v02.api.letsencrypt.org/directory

curl --tlsv1.2 -tls-max 1.2 https://acme-staging-v02.api.letsencrypt.org/directory

I forgot to mention:

The reason why everyone here is focused on curl, is because what you shared earlier does not look like what happens when an ip address is blocked


Let's try connecting with something other than curl. Can you show result of this?

 echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head -10

EDIT:
I'm starting to think your IP may be blocked. Curious to see the openssl result still. Is this the machine you have been using to regularly renew the certs for mercurycolleges.nsw.edu.au, as seen here?


echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head -10
write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported


curl --tlsv1.1 -tls-max 1.1 https://acme-staging-v02.api.letsencrypt.org/directory
error code: 1003
curl: (35) Network file descriptor is not connected


curl --tlsv1.2 -tls-max 1.2 https://acme-staging-v02.api.letsencrypt.org/directory
curl: (56) Recv failure: Connection reset by peer
curl: (35) Network file descriptor is not connected

Is the IP of your requesting machine the same as in DNS for mercurycolleges.nsw.edu.au?

EDIT: @cgc I think it's likely you are blocked but please confirm the IP address to check. Thanks

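The reasoning the thread walks through, stage by stage (DNS resolves, TCP connects, then the TLS handshake is torn down by the peer before any ServerHello), can be scripted so the same evidence is collected in one run. The following is an added example written for this page, not code from the forum, from Let's Encrypt or from Plesk. It uses only the Python standard library; the host and port default to the ACME endpoint discussed above, and the outcome labels ("network_block", "tls_reset", "trust_store", ...) are names chosen here. A reset after the ClientHello (openssl's `write:errno=104`, handshake "read 0 bytes") shows up as an `ECONNRESET` on the TLS stage, which is a different signature from a network-layer block (no TCP session at all) or a trust-store problem (server answers with a chain the client rejects).

```python
"""Layered HTTPS reachability check: DNS -> TCP -> TLS handshake per version.

Added example for this thread (not the forum's, Let's Encrypt's or Plesk's code).
Standard library only; Python 3.7+.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Endpoint discussed in the thread; overridable in probe().
ACME_HOST = "acme-v02.api.letsencrypt.org"
ACME_PORT = 443


@dataclass
class Outcome:
    stage: str                        # "dns", "tcp" or "tls"
    ok: bool
    detail: str = ""                  # resolved IP, errno text, cipher, or verify message
    tls_version: Optional[str] = None  # which TLS version the "tls" probe requested


def probe(host: str = ACME_HOST, port: int = ACME_PORT, timeout: float = 5.0) -> List[Outcome]:
    """Collect one Outcome per stage; stops at the first stage that fails before TLS."""
    out: List[Outcome] = []
    try:
        addr = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)[0][4]
    except socket.gaierror as e:
        return [Outcome("dns", False, str(e))]
    out.append(Outcome("dns", True, addr[0]))

    try:
        socket.create_connection(addr, timeout=timeout).close()
    except OSError as e:
        out.append(Outcome("tcp", False, e.strerror or str(e)))
        return out
    out.append(Outcome("tcp", True))

    # Pin each probe to exactly one protocol version so a version-specific
    # failure (old client, server policy) is visible rather than negotiated away.
    versions = (("TLSv1.2", ssl.TLSVersion.TLSv1_2),
                ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    for name, ver in versions:
        ctx = ssl.create_default_context()   # system trust store, hostname check on
        ctx.minimum_version = ver
        ctx.maximum_version = ver
        try:
            with socket.create_connection(addr, timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                out.append(Outcome("tls", True, tls.cipher()[0], name))
        except ssl.SSLCertVerificationError as e:      # subclass of SSLError: catch first
            out.append(Outcome("tls", False, "CERTIFICATE_VERIFY_FAILED: " + e.verify_message, name))
        except ssl.SSLError as e:
            out.append(Outcome("tls", False, e.reason or str(e), name))
        except ConnectionResetError:                   # RST after ClientHello, errno 104 on Linux
            out.append(Outcome("tls", False, "ECONNRESET", name))
        except OSError as e:
            out.append(Outcome("tls", False, e.strerror or str(e), name))
    return out


def classify(outcomes: List[Outcome]) -> str:
    """Map the collected evidence to one of a few diagnoses (labels chosen for this example)."""
    pre = {o.stage: o for o in outcomes if o.stage != "tls"}
    tls = [o for o in outcomes if o.stage == "tls"]
    if "dns" not in pre or not pre["dns"].ok:
        return "dns_failure"
    if "tcp" not in pre or not pre["tcp"].ok:
        return "network_block"   # no TCP session at all: route, firewall or IP block at the network layer
    if not tls:
        return "tls_not_probed"
    if any(o.ok for o in tls):
        return "tls_ok"          # the host is reachable; a failing curl is then a client problem
    if all(o.detail.startswith("CERTIFICATE_VERIFY_FAILED") for o in tls):
        return "trust_store"     # server answered; the local CA bundle does not chain it
    if all(o.detail == "ECONNRESET" for o in tls):
        return "tls_reset"       # TCP connected, peer tore the session down after ClientHello
    return "tls_mismatch"        # handshake alert / protocol error: version or cipher disagreement


if __name__ == "__main__":
    results = probe()
    for r in results:
        print(f"{r.stage:4} {'ok ' if r.ok else 'FAIL'} {r.tls_version or '':8} {r.detail}")
    print("diagnosis:", classify(results))
```

Run it from the machine that cannot reach the ACME endpoint and again from one that can; comparing the two `diagnosis` lines separates "this IP is rejected" (network_block or tls_reset from one host only) from "this client cannot speak to the server" (the same trust_store or tls_mismatch from every host). The pinned-version probes also replace the `--tls-max` flags suggested earlier, which curl 7.29 does not have.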

Hi Mike, The IP is 91.239.243.28 thank you


@lestaff Will you please check if this IP is blocked.
