Connectivity problem with Let's Encrypt servers

Hello Team,
Actually, we are facing some problems with the connectivity of one of our Plesk servers, which has Let’s Encrypt as an SSL certificate offered to our clients.

The problem is, we can’t reach the repository of Let’s Encrypt (172.65.32.248 // acme-v02.api.letsencrypt) to get the SSL certificate, and the last destination that blocks traffic is the Cloudflare IP address 195.22.198.13.

So, can anyone help me to resolve this problem?
Thank you.

Is this the full domain name? It’s not resolving at all for me (.letsencrypt isn’t a valid TLD)

Please add .com; I can’t write the full URL in the comment, I don’t know why.

Even with .com added (so acme-v02.api.letsencrypt.com) I get unknown host… perhaps that API endpoint has been deprecated or otherwise removed?

Should be valid. They list it here:

And that directory loads for me.

Ah….org, yes…small details that are easy to overlook.

Sorry, it’s .org


Hmm… interesting. IPv6 only maybe? I’m currently only on v4.

Or perhaps there’s something else wrong with my network.

EDIT: Yeah, I can ping .org just fine

In my case, I can’t even ping Let’s Encrypt or the IP 172.65.32.248 from my server; this is why I can’t get an SSL certificate.

The only thing I can think of here is that your IP address has been associated with malicious activity (i.e. a botnet) or otherwise had its reputation affected, causing Cloudflare to block requests from it.

Can you enter your IP address here and see if anything comes up? Inspect an IP | Project Honey Pot

My IP is 197.140.11.3, and it has a good reputation; you can check on your side.

Have you tried a traceroute?

Yes, I tried traceroute and it’s blocked at the Cloudflare IP 195.22.198.13; you can see the screenshot of the test.

This looks like a low-level, networking block, i.e. it’s not serving a 403 page or a Managed Challenge but blocking at the network level.

It might be related to your ISP? Are you by chance in Austria? There were some issues with connecting to Cloudflare IP addresses going on there.

We are an ISP (ICOSNET SPA) in Algeria, and our network team didn’t find anything that blocks the connection with Let’s Encrypt.

The outbound traffic from my server 197.140.11.3 reaches the Let’s Encrypt IP 172.65.32.248, but there’s no inbound traffic from Let’s Encrypt to my server.
We checked this point in our firewall.
So, I guess that Cloudflare blocks the connection to our server.
Can you help with that?

acme-v02.api.letsencrypt.org works only with HTTPS. Also, the ACME endpoint is https://acme-v02.api.letsencrypt.org/directory.
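The replies above separate a network-level drop (traceroute stops, no packets come back) from an application-level block (a 403 or a Managed Challenge page), and name the endpoint to test as https://acme-v02.api.letsencrypt.org/directory. The script below is an added example, not code from the thread, from Plesk or from Let’s Encrypt: it walks DNS, TCP connect, then TLS/HTTP in order and reports the first stage that fails, so the two cases are told apart instead of reported as "can’t get a certificate". The defaults use the real socket and urllib calls; each stage is injectable so the logic can be exercised offline. The timeout value and the `acme-triage` User-Agent string are assumptions.

```python
"""Layered reachability triage for the Let's Encrypt ACME endpoint.

Added example (not code from the thread, Plesk or Let's Encrypt).
Defaults use the real network; resolver/connector/fetch are injectable
so the decision logic can be exercised offline.
"""
import json
import socket
import urllib.error
import urllib.request

ACME_HOST = "acme-v02.api.letsencrypt.org"   # the .org name from the thread
ACME_PORT = 443
TIMEOUT = 10  # seconds; assumed value, tune for your network


def fetch_directory(host=ACME_HOST):
    """Stages 3+4: TLS handshake and HTTP GET of the ACME directory (JSON)."""
    req = urllib.request.Request(f"https://{host}/directory",
                                 headers={"User-Agent": "acme-triage/0.1"})  # assumed UA
    with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
        return json.loads(resp.read().decode("utf-8"))


def triage(host=ACME_HOST, resolver=socket.getaddrinfo,
           connector=socket.create_connection, fetch=fetch_directory):
    """Walk DNS -> TCP -> TLS/HTTP and report the first stage that fails."""
    report = {"host": host, "stage": None, "verdict": None, "detail": None}

    # Stage 1: name resolution. A wrong TLD (".letsencrypt", ".com") fails here.
    try:
        infos = resolver(host, ACME_PORT, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        report.update(stage="dns", verdict="name does not resolve", detail=str(exc))
        return report
    ips = sorted({info[4][0] for info in infos})
    report["ips"] = ips
    if not ips:
        report.update(stage="dns", verdict="resolver returned no addresses")
        return report

    # Stage 2: TCP connect to every address. A timeout means the SYN or the
    # SYN-ACK is dropped on the path (routing/firewall); the far end never
    # got to make an HTTP-layer decision.
    for ip in ips:
        try:
            with connector((ip, ACME_PORT), timeout=TIMEOUT):
                pass
        except socket.timeout as exc:
            report.update(stage="tcp",
                          verdict="network-level drop: no SYN-ACK from the endpoint "
                                  "(check the return path and firewall)",
                          detail=f"{ip}: {exc}")
            return report
        except OSError as exc:
            report.update(stage="tcp", verdict="TCP connection refused or reset",
                          detail=f"{ip}: {exc}")
            return report

    # Stages 3+4: an HTTPError means the request reached the server and was
    # answered, i.e. an application-level block, not a connectivity problem.
    try:
        directory = fetch(host)
    except urllib.error.HTTPError as exc:
        report.update(stage="http",
                      verdict=f"reached the server but got HTTP {exc.code}: "
                              "application-level block (403 / challenge page)",
                      detail=str(exc))
        return report
    except urllib.error.URLError as exc:
        report.update(stage="tls", verdict="TLS handshake or transport failure",
                      detail=str(exc.reason))
        return report

    missing = [k for k in ("newNonce", "newAccount", "newOrder") if k not in directory]
    if missing:
        report.update(stage="http", verdict="reply is not an ACME directory",
                      detail=f"missing keys: {missing}")
        return report
    report.update(stage="ok", verdict="ACME directory reachable", detail=sorted(directory))
    return report


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Run it from the affected Plesk host: a `tcp` verdict with a timeout matches the symptom described in the thread (outbound packets leave, nothing returns), while an `http` verdict with 403 would point at a reputation or WAF decision instead.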

Is it proxied :orange: hostname or unproxied :grey: ?

The issue is that Plesk’s Let’s Encrypt requires access to the DNS of the particular website of your client to replace the LE TXT record in order to renew the SSL certificate at the end.

Since the domain is on Cloudflare and using a proxied :orange: hostname, it cannot get to it and then it disconnects/timeout.

I am not aware of any Cloudflare API + Plesk combination, app, or bash script which could do the “behind the scenes” thing for you.
True, there was a Cloudflare thing for Plesk, but it has been deprecated for a long time already, not working and unsupported as I remember.

Could you manually add those records from LE into the DNS tab of the CF dashboard for the particular client domain? If so, then until some solution comes up, each time it expires, change it manually. Otherwise, switch the zone back to Plesk and it would work automatically.

Otherwise, use Cloudflare Origin CA certificate.

Furthermore, LE renews every 3 months (or so), meaning each time the value in the TXT record is a bit different → it would require manually adding/changing it for a domain using Cloudflare.

You could try adding an NS record for _acme-challenge.domain.com; however, you’d have to figure out how to remove the existing TXT _acme-challenge from Cloudflare → or rather, unfortunately, you cannot remove it because it’s being used to renew/re-issue the Universal SSL at Cloudflare (if LE is the issuer, alongside DigiCert or the newest Google Trust Services).

Another way to go might be to Pause Cloudflare, do the needed steps, then un-pause (or switch from :orange: to :grey: and back upon success), maybe even with the Always Use HTTPS feature disabled.
Possibly the safest way is to use webroot? :thinking:

Maybe a bit helpful:

I am writing from my experience, could be I am wrong about it or wrongly understood your case/issue.
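The reply above says the `_acme-challenge` TXT value changes at every renewal and that an existing `_acme-challenge` record in Cloudflare cannot simply be removed. The block below is an added example, not the thread’s, Plesk’s or Let’s Encrypt’s code: it derives the DNS-01 TXT value the way RFC 8555 §8.4 specifies (SHA-256 of the key authorization, which is the challenge token plus the RFC 7638 thumbprint of the account key), and also shows the validator-side check, which is why extra TXT strings at the same name do not break validation. The account JWK, the token and the domain example.com are constructed placeholders; the function names are this example’s own.

```python
"""Build and check a DNS-01 challenge TXT record (RFC 8555 s8.4, RFC 7638).

Added example, not Plesk's or Let's Encrypt's code. ACCOUNT_JWK is a
constructed key (only its public members enter the thumbprint), the
token is made up, and example.com is a placeholder domain.
"""
import base64
import hashlib
import json

# RFC 7638: the thumbprint covers only these required public members,
# serialised in lexicographic order with no whitespace. Optional members
# such as "alg" or "kid" are deliberately excluded.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                      separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: the TXT string is base64url(SHA-256(key authorization)).
    A fresh token at each order is why the value differs per renewal."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """(owner name, TXT value) to provision for the given identifier."""
    return f"_acme-challenge.{domain.rstrip('.')}", dns01_txt_value(token, jwk)


def validates(txt_answers: list[str], token: str, jwk: dict) -> bool:
    """Validator-side check: *any* TXT string at the name may match.
    A leftover record from another issuer is ignored, not a failure."""
    return dns01_txt_value(token, jwk) in txt_answers


# Constructed sample account key: any base64url strings work for the
# thumbprint arithmetic; a real key would carry a 2048-bit modulus in "n".
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-value",
               "alg": "RS256", "kid": "acct-1"}

if __name__ == "__main__":
    name, value = dns01_record("example.com", "constructed-token-0001", ACCOUNT_JWK)
    print(f'{name}. 60 IN TXT "{value}"')
```

In practice Plesk (or any ACME client) performs this computation itself; the value is only useful to copy into the Cloudflare DNS tab by hand if the client exposes the token, and it must be recomputed at every renewal because the CA issues a new token each time.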

Hello Fritex,
Thanks for your reply; our problem is that all the domains hosted on Plesk can’t reach the LE repository.
We found out that there’s no response from the LE IP 172.65.32.248 to our server (checked on our firewall).
The DNS zones of our clients are hosted on this Plesk server, not on Cloudflare servers.

You mentioned a TXT record; could you please be more specific about it and share this record with me? I would like to add it on a domain and test the connectivity.

Regards.
