Allow LE in UFW


#1

I need to install LE on a very secure server that doesn’t allow outside access.

Is it possible to add a UFW rule that will allow LE without having to open up the whole server on ports 80 and 443?

Thanks for your help

Lux


#2

Yes and no. There’s no UFW rule, however you could instead opt for the DNS challenge type that doesn’t require Let’s Encrypt to connect to your server at all. As long as you’re able to update TXT records for your domain, you should be good to go.


#3

I’ll have to read up on the DNS challenge. What about auto updates? Will they still pass through?

Thanks

Lux


#4

I tried to install it by opening up the whole server and it worked fine.

I then tried to test it by reinstalling it and adding the --preferred-challenges dns certonly but got this message…

“None of the preferred challenges are supported by the selected plugin”

I’m on Debian 8 which is why I was using the webroot authenticator…

sudo certbot --authenticator webroot --installer apache \
  --webroot-path '/var/www/html' -d 'xxx.com' --preferred-challenges dns certonly

Am I doing something wrong or is it just a limitation with Debian 8?

Thanks

Lux


#5

Hi @luxint

The dns challenge means that you have to create a new DNS TXT entry

_acme-challenge.yourdomain.com

with a special value. So this is incompatible with --authenticator webroot. Your DNS provider should support an API so you can automate that. And you need a compatible certbot plugin.

Or check acme.sh, that client has a lot of dns plugins.
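For readers wondering what that "special value" is, here is an added worked example (not part of this thread, and not code from certbot or acme.sh) that computes the DNS-01 TXT record as specified in RFC 8555 section 8.4: the record name is `_acme-challenge.` prefixed to the identifier (a wildcard `*.xxx.com` is proven at the base name `xxx.com`), and the value is the base64url SHA-256 digest of `token.thumbprint`, where the thumbprint is the RFC 7638 hash of the ACME account key. The token and the EC account key below are constructed placeholders, not real ACME data; the DNS plugin of a real client publishes exactly this (name, value) pair through the provider's API.

```python
"""DNS-01 challenge record: where the TXT record goes and what its value is.

Added worked example (not from the thread or from certbot/acme.sh). The token
and account key below are constructed placeholders, not real ACME data.
"""
import base64
import hashlib
import json

B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key.

    Only the required public members are hashed, in lexicographic member order
    and with no whitespace; optional members such as 'alg' or 'kid' are ignored.
    """
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """Owner name of the TXT record. A wildcard '*.xxx.com' is proven at the base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}"


def dns01_record_value(token: str, account_jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint)), RFC 8555 section 8.4."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """The (name, value) pair a DNS plugin publishes and the CA then looks up over plain DNS."""
    return dns01_record_name(identifier), dns01_record_value(token, account_jwk)


# Constructed sample input: a placeholder challenge token and a made-up P-256
# account public key in JWK form. Neither is a real ACME token or key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",  # optional member: must not change the thumbprint
}

if __name__ == "__main__":
    # Both identifiers land on the same owner name; the value differs per token.
    for ident in ("xxx.com", "*.xxx.com"):
        name, value = dns01_record(ident, SAMPLE_TOKEN, SAMPLE_JWK)
        print(f'{name}  IN TXT  "{value}"')
```

Two practical points follow from this. First, the record lives in your zone at your DNS provider, so the CA never needs to reach the server itself, which is why the firewall on the server is irrelevant for this challenge type. Second, before the client tells the CA to validate, you can confirm the record has propagated with `dig +short TXT _acme-challenge.xxx.com` (substitute your own domain) and compare the returned string with the computed value; a stale or missing record is the usual reason a DNS-01 validation fails.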


#6

Thanks for the acme.sh recommendation. That definitely makes the whole thing easier :)

So the certificate is installed and the cron is active but I’m still not clear if it will be able to update with the limited access I have on the server. I’ve blocked virtually ALL outside traffic.

Any ideas if the cron/update will actually work with such a set up?

Thanks

Lux


#7

As long as your server can initiate outgoing connections to the internet, or at least to Let’s Encrypt and your DNS provider, then it should be fine. There won’t be any incoming connections to handle.


#8

Thanks for the help. I guess it should be OK then.

Lux


#9

Did you run acme.sh on this server, so acme.sh was able to install the certificate?

Then it works.