Whitelisting Let's Encrypt

GoWilkes

Well-Known Member
cPanel Access Level
Root Administrator
I'm using CSF as my firewall.

I have a hosting client that has their domain and email with me, then the A record for the domain points to another provider for specialized hosting.

That host is having an issue getting their SSL cert from Let's Encrypt to renew. They think that the issue is on my end since none of their other clients are having a problem.

The Sectigo cert for their email on my end renewed just fine, so it's not a DNS or server issue. The only other thing I can think of is that maybe the firewall is blocking it? I block non-US IPs via CC_ALLOW_FILTER, so maybe that's causing a problem?

Any suggestions on how I might whitelist them to prevent that?
 

ejsolutions

Well-Known Member
cPanel Access Level
Root Administrator
If you don't use the DYN_DNS function for your own IP, then you might be able to leverage it to whitelist Let's Encrypt - I'm not sure if it'll only map a single IP, from my memory.
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
According to Let's Encrypt themselves, there's not a good way to whitelist them since they don't use a specific IP range they make public:

 

ejsolutions

Well-Known Member
cPanel Access Level
Root Administrator
.. they don't use a specific IP range ..
Hence trying to leverage DYN_DNS, which is typically set to update every 10 mins. With hindsight, it's a "shot in the dark" 'cos they use various subdomains for verification - though one could try listing some of them. Note: I wouldn't use this technique personally because I always whitelist/ignore my dynamic home IP using DYN_DNS.
On one particular server (soon to be decommissioned) I need to disable CSF briefly, in order to grab the SSL validation - not ideal at all. ;)

OP may be able to use a different validation method, such as DNS, which might be worth investigating/considering.
 

GoWilkes

Well-Known Member
cPanel Access Level
Root Administrator
I removed CC_ALLOW_FILTER last night, and today it successfully renewed. So it does appear that Let's Encrypt was trying to connect from a non-US IP address.

I found this from a few weeks ago, and at that time it appears that the connection was coming from the Netherlands:


I block non-US because my sites only target US residents and 99.9% of my non-US traffic is spam, scams, or fraud. This restriction has saved my server from a TON of unnecessary load which makes my sites load faster, so I really don't want to have to remove the setting just for this one thing :-/

Does Let's Encrypt always come from the Netherlands? I could whitelist that country and I don't think it would hurt anything.

@ejsolutions, I found DYNDNS in the configuration (no underscore) and it's currently disabled. I'm not sure how to use it for this, but I'll do some research. At this point I have until the end of November to find a solution (when the cert renews again) :)
 

ejsolutions

Well-Known Member
cPanel Access Level
Root Administrator
I found DYNDNS
Yup, that's the one: I have a bad habit of inserting the underscore due to other features using that character. ;)

I get as much scan, scam, spam from the US as from many other locations: unfortunately, most of my clients need access to/from the USA. NL is a common source of the same, though I also have a few servers there. For my Australia-only client it was easier to block swathes of the World. ;) Rather than a country-only approach, I use ipset, most of the pre-configured CSF blocklists and a sizeable comma-delimited country list, such as CN,TW,TH,BR,AG,NG,MD,IL,PK,IN, etc. Depends on your environment/market though.
ModSecurity and netblock port scans give me a pronounced reduction in load.

Good luck in getting a solution. :)
 