[BlueOnyx:26209] Re: LE stopped renewing
Colin Jack
colin at mainline.co.uk
Sat May 13 03:31:04 -05 2023
Thanks Chris,
> > I am using the following FQDN in the firewall rules:
> >
> > Letsencrypt_1 acme-v01.api.letsencrypt.org
> > Letsencrypt_2 acme-v02.api.letsencrypt.org
> > Letsencrypt_3 acme-staging.api.letsencrypt.org
> > Letsencrypt_4 acme-staging-v02.api.letsencrypt.org
> >
> > But even when I allow 'any source' in the firewall rules still fails.
> >
> Yes, I would expect that to fail for 2 main reasons:
> 1. Unless the IP has a PTR bound to it AND the firewall is resolving IP
> to PTR (it's not standard, and utilizes a fair amount of overhead) then
> the rule is essentially meaningless for passing traffic. So you'd need
> to use IP addresses instead of FQDN. Except...
> 2. LetsEncrypt doesn't publish a list of IPs that would be used for the
> http validation. They have arguable security rationale for this but
> even so, since they're using a very large 3rd party CDN for that
> traffic, they probably don't even have the ability to provide a list.
> And if they did, the list would be enormous.
Understood - although it has been working fine for months using those FQDN entries.
> So long as you're allowing HTTP traffic to flow freely, there should not
> be an issue with certbot polling and then receiving the verification
> call from LE's servers. It seems that there must be something blocking
> that HTTP traffic to get the verification done. So long as that's the
> case, the automated renewals (and new requests, of course) will fail.
But even when I allow all port 80 traffic in unmolested it still fails. I tried that before posting my query.
Regards
Colin
More information about the Blueonyx
mailing list