Urn:acme:error:connection, and can't ping outbound servers

dequis · June 1, 2016, 4:37am

I had this error while trying to renew my certificate for dequis.org (69.85.92.224)

With certbot:

Failed authorization procedure. dequis.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://dequis.org/.well-known/acme-challenge/[...]

Or with letsencrypt.sh:

  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Could not connect to http://dequis.org/.well-known/acme-challenge/[...]
  },

Traceroute from my own server (69.85.92.224), looking glass: http://lg.dequis.org/

$ mtr -rw outbound1.letsencrypt.org
Start: Wed Jun  1 03:09:04 2016
HOST: myon                                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- e3la03.hostigation.com                0.0%    10    0.0   0.0   0.0   0.1   0.0
  2.|-- hostg-quadra-gw.hostigation.com       0.0%    10    0.4   0.5   0.4   0.8   0.0
  3.|-- colo-lax13.as8100.net                 0.0%    10    0.4   0.4   0.3   0.4   0.0
  4.|-- 63-218-212-169.static.pccwglobal.net  0.0%    10    0.7   0.9   0.6   1.7   0.0
  5.|-- 63-218-41-142.static.pccwglobal.net   0.0%    10    8.3   8.3   8.0   8.9   0.0
  6.|-- 207.88.14.225.ptr.us.xo.net           0.0%    10   30.8  29.7  28.1  31.2   0.9
  7.|-- 216.156.16.8.ptr.us.xo.net            0.0%    10   27.6  31.7  27.5  54.1   9.1
  8.|-- ???                                  100.0    10    0.0   0.0   0.0   0.0   0.0

Same results as above from 69.85.84.2 (the primary IP of the physical node where my VPS is. Well, was. It just got moved today while trying find a way to solve this issue in a support ticket)

Traceroute from 206.253.165.3, same datacenter, using https://hostigation.com/LookingGlass/

HOST: command.hostigation.com                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. escapefromla.hostigation.com               0.0%    10    0.3   0.3   0.2   1.0   0.2
  2. hostg-quadra-gw.hostigation.com            0.0%    10    7.0   1.3   0.5   7.0   2.0
  3. colo-lax13.as8100.net                      0.0%    10    2.0   0.7   0.3   2.0   0.5
  4. las-b3-link.telia.net                      0.0%    10    1.2   0.7   0.5   1.2   0.2
  5. las-b21-link.telia.net                     0.0%    10   17.3   2.9   1.0  17.3   5.1
  6. ae8.edge1.LosAngeles.Level3.net            0.0%    10   13.3  11.5  11.1  13.3   0.7
  7. vl-5.car1.SaltLakeCity1.Level3.net         0.0%    10   24.4  24.3  24.2  24.8   0.2
  8. VIAWEST-INT.car1.SaltLakeCity1.Level3.net  0.0%    10   22.9  22.9  22.8  23.0   0.1
  9. teng-00-00-00-00.crrt02.slc04.viawest.net  0.0%    10   24.9  24.8  24.7  25.1   0.1
 10. teng-04-01-s2045.crrt01.slc07.viawest.net  0.0%    10   22.7  25.0  22.7  44.5   6.9
 11. 66.133.111.226                             0.0%    10   22.9  24.3  22.9  36.3   4.2
 12. outbound1.letsencrypt.org                  0.0%    10   22.7  22.9  22.7  24.4   0.5

Similar results with different routes with outbound2.

I was thinking this was an IP range ban (and many things point in that direction) but these routes don't look okay.

I tried looking for other looking glass instances in the middle.

This is http://lookingglass.pccwglobal.com/ with source LAX01. It seems to have everything except the last hop, more than mine. Maybe this one really is an "IP ban".

traceroute ip outbound1.letsencrypt.org
Tracing the route to outbound1.letsencrypt.org (66.133.109.36)
1 pos11-2.cr01.lax05.pccwbtn.net (63.218.72.37) [MPLS: Label 224 Exp 0] 12 msec 8 msec 8 msec
2 pos12-0.cr03.sjo01.pccwbtn.net (63.218.6.29) [MPLS: Label 581 Exp 0] 8 msec 8 msec 8 msec
3 63-218-6-253.static.pccwglobal.net (63.218.6.253) [MPLS: Label 16661 Exp 0] 12 msec 12 msec 12 msec
4 TenGE0-1-0-0.br04.sjo01.pccwbtn.net (63.218.178.6) 8 msec 8 msec 12 msec
5 63-218-41-142.static.pccwglobal.net (63.218.41.142) 8 msec 8 msec 8 msec
6 207.88.14.225.ptr.us.xo.net (207.88.14.225) [AS 2828] [MPLS: Label 18580 Exp 0] 28 msec 28 msec 28 msec
7 216.156.16.8.ptr.us.xo.net (216.156.16.8) [AS 2828] 24 msec 28 msec 24 msec
8 ip65-46-61-22.z61-46-65.customer.algx.net (65.46.61.22) [AS 2828] 28 msec 24 msec 24 msec
9 teng-04-02.crrt02.slc07.viawest.net (66.51.2.169) [AS 13649] 32 msec 24 msec 24 msec
10 66.133.111.230 [AS 13649] 28 msec 24 msec 28 msec
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
Query Complete

(I don't actually know a lot about routing btw. I found about the existence of this looking glass thing a couple of days ago, while debugging an unrelated ipv6 issue, and they seem fun.)

For now I've addressed the issue by temporarily enabling cloudflare to use it as a proxy when requesting certificates (and disabling it right afterwards, because I don't need a man in the middle most of the time), but in three months i'll have to do the same thing to renew my certificates manually, which is far from ideal. Unless this issue fixes itself magically.

dequis · June 7, 2016, 5:46am

A week later, outbound1 looks better, outbound2 still not reaching the other side.

$ mtr -rw outbound1.letsencrypt.org
Start: Tue Jun  7 05:42:42 2016
HOST: myon                                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- e3la03.hostigation.com                     0.0%    10    0.0   0.0   0.0   0.1   0.0
  2.|-- hostg-quadra-gw.hostigation.com            0.0%    10    0.4   2.1   0.4  16.6   5.1
  3.|-- colo-lax13.as8100.net                      0.0%    10    0.3   0.4   0.2   1.2   0.0
  4.|-- 63-218-212-169.static.pccwglobal.net       0.0%    10   11.7  39.9   0.7 169.5  63.9
  5.|-- 63-218-41-142.static.pccwglobal.net        0.0%    10    8.1   8.1   8.0   8.2   0.0
  6.|-- 207.88.14.225.ptr.us.xo.net                0.0%    10   31.3  29.4  27.6  31.4   1.1
  7.|-- 216.156.16.8.ptr.us.xo.net                 0.0%    10   27.6  27.6  27.5  27.9   0.0
  8.|-- ip65-46-61-22.z61-46-65.customer.algx.net  0.0%    10   27.6  28.2  27.5  32.8   1.6
  9.|-- teng-04-02.crrt02.slc07.viawest.net        0.0%    10   28.0  35.6  27.8  96.8  21.6
 10.|-- 66.133.111.222                             0.0%    10   27.9  36.4  27.9 112.6  26.8
 11.|-- outbound1.letsencrypt.org                  0.0%    10   27.6  27.6  27.6  27.7   0.0

$ mtr -rw outbound2.letsencrypt.org
Start: Tue Jun  7 05:43:02 2016
HOST: myon                                               Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- e3la03.hostigation.com                              0.0%    10    0.0   0.0   0.0   0.1   0.0
  2.|-- hostg-quadra-gw.hostigation.com                     0.0%    10    0.6   0.5   0.4   0.6   0.0
  3.|-- colo-lax13.as8100.net                               0.0%    10    0.3   0.4   0.3   0.5   0.0
  4.|-- te0-17-0-28.ccr41.lax04.atlas.cogentco.com          0.0%    10    0.7   1.0   0.7   2.1   0.3
  5.|-- be2964.ccr21.lax01.atlas.cogentco.com               0.0%    10    1.1   1.1   0.8   2.0   0.3
  6.|-- be2931.ccr21.phx02.atlas.cogentco.com               0.0%    10   12.1  12.3  12.1  12.5   0.0
  7.|-- be2929.ccr21.elp01.atlas.cogentco.com               0.0%    10   20.3  20.3  20.1  20.6   0.0
  8.|-- be2092.ccr22.den01.atlas.cogentco.com               0.0%    10   37.1  37.0  36.9  37.1   0.0
  9.|-- te0-0-2-3.rcr11.b006467-1.den01.atlas.cogentco.com  0.0%    10   37.1  37.2  37.1  37.4   0.0
 10.|-- 38.122.114.30                                       0.0%    10   36.6  36.7  36.6  37.0   0.0
 11.|-- ???                                                100.0    10    0.0   0.0   0.0   0.0   0.0

system · July 7, 2016, 5:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.