[BlueOnyx:25970] Re: Blueonyx 5210R - firewalld is blocking Let's Encrypt

Michael Stauber mstauber at blueonyx.it
Mon Feb 13 11:33:59 -05 2023


Hi Dirk,

> On a machine with AlmaLinux 8 / BlueOnyx 5210R, with firewalld activated 
> and the packages fail2ban and Firewall installed, this is the second time 
> in a relatively short period that Let's Encrypt has failed with a 
> certificate renewal timeout:
> 
> [Mon Feb 13 03:49:33 CET 2023] www.domain.de:Verify error:123.456.78.90: 
> Fetching 
> http://www.domain.de/.well-known/acme-challenge/GT4WUNBge2I3GjR3GpDDmOBhIEF0sT2qCkwbO577c8w: Timeout during connect (likely firewall problem)
> 
> After a systemctl restart firewalld and a run of 
> /etc/cron.daily/letsencrypt.cron, all previously failed LE certificates 
> were successfully renewed.
> 
> Has anyone had this problem before? Any suggestions for solutions? Does 
> anyone know the IP addresses from which LE is trying to validate the URL 
> so that I can add them to the whitelist of Fail2ban and the firewall?

Let's Encrypt uses a distributed network of servers all over the place 
to handle requests and validations. And that network isn't static and 
there are changes off and on, so we'll never know what IPs they're using 
today or tomorrow.

If you can, check /var/log/fail2ban.log, /var/log/secure and 
/var/log/messages to see why Fail2ban had this particular LE IP blocked 
to begin with. That should at least tell you which rule had been triggered.

-- 
With best regards

Michael Stauber
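The reply above points at /var/log/fail2ban.log to find out which jail caught the validator's IP. The following is an added example, not code from the thread or from BlueOnyx: a small POSIX shell script that, given a fail2ban.log and an IP, lists every Found/Ban/Unban entry for that IP and names the jails that issued a Ban. The log lines are constructed samples in fail2ban's default log format, and the IP addresses (203.0.113.x, 198.51.100.x) are assumed documentation-range values standing in for the obfuscated address in the post.

```shell
#!/bin/sh
# Added example (not from the thread): find out which Fail2ban jail banned a
# given IP by reading fail2ban.log. The log lines below are constructed samples
# in fail2ban's default log format; the IPs are from documentation ranges.

# ban_events LOGFILE IP
# Prints one "DATE TIME JAIL EVENT" line for every Found/Ban/Unban entry about
# IP, in log order. The IP is matched literally and must be followed by a space
# or end of line, so 203.0.113.4 does not also match 203.0.113.45.
ban_events() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E '] (Found|Ban|Unban) '"$ip_re"'( |$)' "$1" \
        | awk '{ gsub(/[][]/, "", $6); print $1, $2, $6, $7 }'
}

# banning_jails LOGFILE IP
# Prints the distinct jail names that issued a Ban for IP (empty if none).
banning_jails() {
    ban_events "$1" "$2" | awk '$4 == "Ban" { print $3 }' | sort -u
}

# Constructed sample of /var/log/fail2ban.log. In the scenario from the thread
# the validator's IP is caught by a web-server jail and only unbanned once
# bantime expires, which is consistent with a firewalld restart "fixing" it.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2023-02-13 03:40:01,112 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.45 - 2023-02-13 03:40:00
2023-02-13 03:40:01,250 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.45
2023-02-13 03:49:30,001 fail2ban.filter         [1234]: INFO    [apache-badbots] Found 203.0.113.4 - 2023-02-13 03:49:29
2023-02-13 03:49:30,002 fail2ban.filter         [1234]: INFO    [apache-badbots] Found 203.0.113.4 - 2023-02-13 03:49:29
2023-02-13 03:49:30,120 fail2ban.actions        [1234]: NOTICE  [apache-badbots] Ban 203.0.113.4
2023-02-13 04:19:30,200 fail2ban.actions        [1234]: NOTICE  [apache-badbots] Unban 203.0.113.4
EOF

# With a real log: ban_events /var/log/fail2ban.log 203.0.113.4
echo "Events for 203.0.113.4:"
ban_events "$SAMPLE_LOG" 203.0.113.4
echo "Jails that banned 203.0.113.4: $(banning_jails "$SAMPLE_LOG" 203.0.113.4 | tr '\n' ' ')"
```

Once the jail is known, `fail2ban-client status <jail>` shows its current ban list and the log file it watches, and `fail2ban-regex <logfile> /etc/fail2ban/filter.d/<jail>.conf` replays that log through the jail's filter to show which request lines actually matched, which is the rule trigger the reply suggests looking for.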


