[BlueOnyx:25971] Re: Blueonyx 5210R - firewalld is blocking let's encrypt

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Tue Feb 14 11:37:52 -05 2023


Hello Michael,

Do you have a tip for me on what exactly I can look for in the fail2ban.log?
What keywords could I search for?
Or of course in one of the other two logs?

Best regards,
Dirk

blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel




-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On behalf of Michael
Stauber
Sent: Monday, 13 February 2023 17:34
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:25970] Re: Blueonyx 5210R - firewalld is blocking let's
encrypt

Hi Dirk,

> on a machine with almalinux 8 / blueonyx 5210R, activated firewalld and 
> packages fail2ban and Firewall, this is the second time in a relatively 
> short period that Let's Encrypt has failed with a certificate renewal
> timeout:
> 
> [Mon Feb 13 03:49:33 CET 2023] www.domain.de:Verify error:123.456.78.90: 
> Fetching
> http://www.domain.de/.well-known/acme-challenge/GT4WUNBge2I3GjR3GpDDmO
> BhIEF0sT2qCkwbO577c8w: Timeout during connect (likely firewall 
> problem)
> 
> After a systemctl restart firewalld and a 
> /etc/cron.daily/letsencrypt.cron all previous failed LE certificates 
> were successfully renewed.
> 
> Has anyone had this problem before? Any suggestions for solutions? 
> Does anyone know the IP addresses from which LE is trying to validate 
> the URL so that I can add them to the whitelist of Fail2ban and the
firewall?

Let's Encrypt uses a distributed network of servers all over the place to
handle requests and validations. And that network isn't static and there are
changes off and on, so we'll never know what IPs they're using today or
tomorrow.

If you can, check /var/log/fail2ban.log, /var/log/secure and
/var/log/messages to see why Fail2ban had this particular LE IP blocked to
begin with. That should at least tell you which rule had been triggered.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
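The log check Michael suggests, as an added example that is not part of the thread: a small POSIX sh helper that reads /var/log/fail2ban.log (or a constructed sample when no file is given) and reports which jail issued the "Ban" for a given address, plus the "Found" lines that led up to it. It assumes the standard fail2ban.log line layout shown in the comments; the sample addresses are documentation ranges, not real Let's Encrypt validators.

```shell
#!/bin/sh
# Added example: find which Fail2ban jail banned an IP and why.
# Assumed fail2ban.log line format (standard Fail2ban layout):
#   2023-02-13 03:40:09,003 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
#   2023-02-13 03:40:01,001 fail2ban.filter  [1234]: INFO   [sshd] Found 203.0.113.7 - ...

# Constructed sample log (RFC 5737 documentation addresses), used when no file is given.
SAMPLE_LOG=$(cat <<'EOF'
2023-02-13 03:40:01,001 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.7 - 2023-02-13 03:40:00
2023-02-13 03:40:05,002 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.7 - 2023-02-13 03:40:04
2023-02-13 03:40:09,003 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.7
2023-02-13 03:45:10,004 fail2ban.filter         [1234]: INFO    [apache-badbots] Found 198.51.100.23 - 2023-02-13 03:45:09
2023-02-13 03:45:12,005 fail2ban.actions        [1234]: NOTICE  [apache-badbots] Ban 198.51.100.23
2023-02-13 04:00:00,006 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.7
EOF
)

# log_source [LOGFILE]: emit the log to inspect; falls back to the sample above.
log_source() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# escape_ip IP: escape the dots so the address matches literally in a regex.
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# jails_that_banned IP [LOGFILE]: one jail name per line that issued "Ban IP".
# "Unban" lines do not match because the pattern requires "] Ban ".
jails_that_banned() {
    ip_re=$(escape_ip "$1")
    log_source "$2" | grep -E "\] Ban ${ip_re}\$" \
        | sed -E 's/.*\[([^]]+)\] Ban .*/\1/' | sort -u
}

# ban_events IP [LOGFILE]: the full trail for IP (Found / Ban / Unban), so the
# filter matches that triggered the ban can be read next to the ban itself.
ban_events() {
    ip_re=$(escape_ip "$1")
    log_source "$2" | grep -E "(Found|Ban|Unban) ${ip_re}( |\$)"
}

# On a live host: jails_that_banned 203.0.113.7 /var/log/fail2ban.log
# then: fail2ban-client status <jail>  to see the jail's current ban list.
jails_that_banned 203.0.113.7
ban_events 203.0.113.7
```

Once the jail is known, its filter's log file (sshd's /var/log/secure, an Apache jail's access or error log) shows the actual requests that matched, which is what Michael's suggestion of checking /var/log/secure and /var/log/messages gets at.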