I can't renew our domains' certificates anymore because our websites are behind a firewall.
This firewall uses an ACL to filter inbound connections.
The ACL is renewed each day by a script. In this script, we convert these URLs to IPs and allow them: acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org.
Everything worked fine until now. If I disable the ACL, I'm able to renew the certificate.
Has Let's Encrypt changed their URL for renewing certificates?
Yes. At least: probably. The IP addresses can change at any time. Please see this FAQ entry: FAQ - Let's Encrypt, and also the link to the page about Multi-Perspective Validation.
The above assumes incoming connections for validation, by the way.
Thank you for your reply.
I understand that IPs can change at any time. I always thought that converting the URL was enough, as that worked until now.
For security, I can't open the ACL to the world. I can use a range of IPs if available.
As I understand it, there is no possibility other than renewing by hand by disabling the ACL.
Maybe you can use deep packet inspection to allow the path /.well-known/acme-challenge/* for any IP address.
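The suggestion above, written out as a request-filtering policy so the details that matter are visible. This is an added example, not code from the thread and not any router's built-in layer 7 feature: it assumes a filter that sees the source address, method, port and request path of each inbound HTTP request, and the allowlisted networks and request lines are constructed for illustration. The point it demonstrates is that the public exception must be anchored to the exact challenge path (after percent-decoding and dot-segment collapsing), limited to GET on port 80, and everything else must still go through the IP allowlist.

```python
"""Access policy for the approach described above (added example, not from
the forum thread): allow Let's Encrypt's HTTP-01 challenge path from any
source address, since multi-perspective validation means the validating IPs
are not a fixed set, and keep every other request behind the IP allowlist."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# HTTP-01 tokens use the base64url alphabet (RFC 8555, section 8.3). The
# pattern is anchored to the whole path, so a trailing segment, a query
# string or a "../" trick cannot ride on the public exception.
ACME_CHALLENGE_RE = re.compile(r"^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$")

# Constructed allowlist for the rest of the site (assumption: these are the
# networks the firewall ACL already permits).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def normalize_path(raw_path):
    """Percent-decode and collapse '.' and '..' segments so the policy checks
    the path the web server would actually serve, not the raw request line."""
    path = unquote(urlsplit(raw_path).path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def is_allowed(src_ip, method, raw_path, port=80):
    """Return (allowed, reason) for one inbound request.

    The ACME exception applies only to GET on port 80: HTTP-01 validation is
    always started on port 80, so there is no reason to open the path on any
    other port or method. Everything else falls back to the IP allowlist.
    """
    path = normalize_path(raw_path)
    if port == 80 and method == "GET" and ACME_CHALLENGE_RE.match(path):
        return True, "acme-challenge"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in ALLOWED_NETWORKS):
        return True, "allowlist"
    return False, "denied"


if __name__ == "__main__":
    # Constructed sample requests: a real challenge fetch from an unknown
    # validator, two path tricks, and an allowlisted client.
    samples = [
        ("198.51.100.7", "GET", "/.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", 80),
        ("198.51.100.7", "GET", "/.well-known/acme-challenge/../../admin", 80),
        ("198.51.100.7", "GET", "/.well-known/acme-challenge/%2e%2e/admin", 80),
        ("198.51.100.7", "GET", "/.well-known/acme-challenge/tok", 443),
        ("203.0.113.9", "GET", "/admin", 80),
    ]
    for src, method, path, port in samples:
        print(src, method, path, port, "->", is_allowed(src, method, path, port))
```

Whatever serves the challenge directory should serve only static files from that one directory, so the public exception exposes nothing beyond the token files the ACME client writes there.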
Very good idea!
I think I can use layer 7 of my router to allow this path.
I'll try it tomorrow.