Acme-dns renews on random ports

How can I secure the server that is using acme-dns for renewing? Traffic comes in from 172.65.32.248 to my acme server on random (5 digit) port. Should I open all ports from this IP?

How do you mean, "on a random port"? Could you please elaborate?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

I don't know how much more I can elaborate on that.
Communication looks like this:

 172.65.32.248.https > myacmeserver.com.42140
 myacmeserver.com.42140 > 172.65.32.248.https

Same goes for dns.google.domain or deploy.static.akamaitechnologies.com.http.

acme-dns only works if I open all ports in all directions. From a security standpoint that's not acceptable. The acme-dns documentation says to just open port 53 and you're good. Not really.

1 Like

I doubt this is acme-dns traffic.

I think this is your ACME client talking to https://acme-v02.api.letsencrypt.org.

In that case, the random source port makes sense, because that's how client→server connections always work.

6 Likes

If you are hosting acme-dns, open incoming port 53 for TCP and UDP to allow the DNS queries, and open ports 80 and 443 for the registration API (and to allow it to use HTTP validation for its own cert).

4 Likes
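The firewall rules that the reply above describes, written out as an added example (this is not the original poster's configuration and not part of acme-dns itself). It is an nftables ruleset for a host running acme-dns: inbound 53/udp, 53/tcp and the API ports 80 and 443 are opened explicitly, and everything else that arrives (including the ACME API's HTTPS replies landing on a random high port) is admitted only because it belongs to a connection this host started, via the `ct state established,related` rule. No port range has to be opened for the 5-digit ports. The SSH rule is an assumption so you do not lock yourself out; `LOCAL_HOST` and the `--apply` flag are names chosen for this example.

```shell
#!/bin/sh
# Added example: nftables ruleset for an acme-dns host.
# Prints the ruleset by default; with --apply it loads it with nft (needs root).

acme_dns_ruleset() {
cat <<'EOF'
table inet acme_dns {
    chain input {
        type filter hook input priority 0; policy drop;

        # Return traffic for connections this host initiated (ACME API over
        # HTTPS, outbound DNS lookups, package updates, ...). This is what
        # lets the "random port" replies in without opening those ports.
        ct state established,related accept
        ct state invalid drop

        iif lo accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept

        # acme-dns authoritative DNS: clients (and Let's Encrypt) query TXT records here
        udp dport 53 accept
        tcp dport 53 accept

        # acme-dns registration/update API (default ports; configurable in acme-dns)
        tcp dport { 80, 443 } accept

        # assumption: admin SSH access; restrict the source range in production
        tcp dport 22 accept
    }

    chain output {
        # Outbound connections are allowed; their replies match the ct state rule above.
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

if [ "${1:-}" = "--apply" ]; then
    acme_dns_ruleset | nft -f -
else
    acme_dns_ruleset
fi
```

Equivalent thinking with iptables is `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` at the top of INPUT; the point in both cases is that the firewall tracks connection state, so the source port the remote side picks for a reply never needs its own rule.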

I agree with @_az here: that connection looks more like the received packets from an outgoing connection using HTTPS. The IP address is from Cloudflare, which indeed could be the ACME API. This is definitely not an incoming connection to your port 42140, as that would mean the originating port would be 443. And while technically possible, it's highly unlikely.

4 Likes
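The reasoning in the two replies above (a well-known service port on the remote side and an ephemeral port on the local side means a reply to a connection the local host opened) can be applied mechanically to tcpdump output. The following is an added example, not code from the thread or from acme-dns: it classifies flow lines of the form shown in the original post. `LOCAL_HOST` is assumed to be the name tcpdump prints for the host, the Linux default ephemeral range 32768-60999 is assumed, and the sample lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: classify tcpdump-style "src.port > dst.port" lines as
# inbound service traffic or as replies to connections this host initiated.

LOCAL_HOST="myacmeserver.com"   # assumption: the hostname tcpdump resolves for this machine

# tcpdump prints well-known ports by name; map the ones seen in the thread to numbers.
port_number() {
    case "$1" in
        http)   echo 80 ;;
        https)  echo 443 ;;
        domain) echo 53 ;;
        *)      echo "$1" ;;
    esac
}

# "host.port" -> host is everything before the last dot, port is the last component
host_of() { echo "${1%.*}"; }
port_of() { port_number "${1##*.}"; }

# Linux default net.ipv4.ip_local_port_range (assumption for this example)
is_ephemeral() {
    case "$1" in
        *[!0-9]*) return 1 ;;   # a service name that port_number did not map
    esac
    [ "$1" -ge 32768 ] && [ "$1" -le 60999 ]
}

# Prints one of:
#   reply-to-outbound:<remote service port>   remote replying to a connection we opened
#   inbound-service:<local port>              someone connecting to a service we host
#   outbound-client:<remote service port>     we are connecting out
#   outbound-reply:<local service port>       we are answering an inbound client
#   transit                                   neither side is this host
classify_flow() {
    src="${1%% > *}"
    dst="${1##* > }"
    src_host=$(host_of "$src"); src_port=$(port_of "$src")
    dst_host=$(host_of "$dst"); dst_port=$(port_of "$dst")

    if [ "$dst_host" = "$LOCAL_HOST" ]; then
        if is_ephemeral "$dst_port" && ! is_ephemeral "$src_port"; then
            echo "reply-to-outbound:$src_port"
        else
            echo "inbound-service:$dst_port"
        fi
    elif [ "$src_host" = "$LOCAL_HOST" ]; then
        if is_ephemeral "$src_port" && ! is_ephemeral "$dst_port"; then
            echo "outbound-client:$dst_port"
        else
            echo "outbound-reply:$src_port"
        fi
    else
        echo "transit"
    fi
}

# Constructed sample lines modelled on the ones in the original post.
for line in \
    "172.65.32.248.https > myacmeserver.com.42140" \
    "myacmeserver.com.42140 > 172.65.32.248.https" \
    "dns.google.domain > myacmeserver.com.51234" \
    "203.0.113.5.51234 > myacmeserver.com.domain" \
    "203.0.113.5.51234 > myacmeserver.com.https"
do
    printf '%-48s %s\n' "$line" "$(classify_flow "$line")"
done
```

Only the `inbound-service` lines need an explicit firewall rule (53 and the API ports for acme-dns); the `reply-to-outbound` lines on 5-digit ports are exactly what a stateful `established,related` rule admits without opening anything.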

Yeah, the IP in question is from Let's Encrypt.

@webprofusion
Thank you for your answer. This seems to work nicely!

4 Likes

I'm pretty sure acme-dns always uses DNS validation for its own cert. It certainly makes sense that it would, if it's the authoritative DNS server for its zone. And, of course, you can run the API on any port you want, though 80/443 would certainly be the defaults.

5 Likes

Good point, v0.8 onwards uses DNS validation by default. I don't know if you can still configure it to use http-01.

4 Likes