Alternative for allowing letsencrypt file auth connections for a geo-restricted server

As I am sure you know, cPanel has this wonderful autoSSL integration with Let's Encrypt that has essentially replaced their Sectigo integration. The problem is that Let's Encrypt won't publish their validation IPs to allow connections to servers that restrict access for security purposes. From what I understand this is for security... but removing restrictions from a restricted server would be a far greater risk and is far more likely to cause abuse issues and malicious activity. Can we get an alternative solution that would work with autoSSL, through file validation, on geo-restricted, or IP-restricted servers?

You can use the DNS-01 challenge instead of the HTTP-01 or TLS-ALPN-01. That will place the burden of connectivity on your nameservers.

Alternatively, you can use hooks on your ACME client to enable/disable the firewall rules as needed. The HTTP server only needs global availability when answering the ACME challenges.

5 Likes

Well, that is understating it. This is an excellent article if you wish to understand why: Multi-Perspective Validation & Geoblocking FAQ

You may wish to start at the section titled But Opening my Firewall Seems Terrible for Security

6 Likes

I specifically said file validation.

As for hooks in the acme client, the implementation is supported by cPanel. If I customize the acme client, it is not supported. Adding hooks to disable firewall rules is also far riskier behavior than would be acceptable. That would be a giant step backwards in security.

Hello MikeMcQ

I did read that. It does not address my valid concerns. It does not say that I am wrong.

It is not a matter of right or wrong but of what is and what is not. You may need to adjust your tooling if the ones you use don't satisfy your needs. The industry in general is moving towards tighter restrictions not looser ones.

This page is the general recommendation about port 80 by Let's Encrypt. This has been their recommendation for a long time.

6 Likes

Yes I have read that too. This is why I opened a feature request.

But LE can't modify the auto-ssl coding [used by the cPanel certificate issuance menu].

6 Likes

I also don't understand how any file would be accessed to/from a geo-restricted area / IP-restricted servers.

3 Likes

I don't understand why the people fixated on geo-blocking always make it more complicated than it needs to be.

  1. Leave port 80 unrestricted
  2. Exempt /.well-known/acme-challenge from redirects
  3. Redirect everything else to port 443
  4. Keep the desired geo-blocking on port 443
  5. Profit!

8 Likes
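The five steps above, written out as an added nginx configuration example (not from the thread or from cPanel; a cPanel/Apache host would express the same thing with mod_rewrite and its firewall's country lists). The hostname, certificate paths, ACME webroot, GeoIP database path and the placeholder country code XX are assumptions.

```nginx
# http-level context (assumed to sit in nginx.conf); legacy GeoIP.dat path is an assumption
geoip_country /usr/share/GeoIP/GeoIP.dat;

# Countries to deny on the TLS listener only; "XX" is a placeholder, not a recommendation
map $geoip_country_code $geo_denied {
    default 0;
    XX      1;
}

# Steps 1-3: port 80 stays globally reachable, but it only serves the ACME path
# and redirects every other request to HTTPS
server {
    listen 80;
    server_name example.com;      # placeholder hostname

    # Step 2: serve challenge tokens directly; this path is never redirected
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;       # assumed webroot the ACME client writes tokens into
        default_type text/plain;
        try_files $uri =404;      # anything else under this path is a 404, not a redirect
    }

    # Step 3: everything else goes to port 443
    location / {
        return 301 https://$host$request_uri;
    }
}

# Step 4: the geo-restriction lives only on the TLS listener, so the validation
# servers never hit it while fetching the challenge over port 80
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # $geo_denied is "1" for the mapped countries and "0" otherwise
    if ($geo_denied) {
        return 403;
    }

    root /var/www/html;
}
```

Because the redirect is a bare 301 and the challenge path only serves static token files, the port 80 listener exposes no application code to the unrestricted world.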

The easiest way is to allow the source of the authentication connections, but Let's Encrypt won't publish those for their own security. Unfortunately that stance is forcing many sysadmins to open up their server to malicious activity.

Perhaps they need to come up with a new solution that authenticates with the website host. Notice I said website host... not DNS... not email.

1 Like

You really don't know security OR don't know how to secure HTTP.

5 Likes

Geo-Location blocking makes ALL access impossible.
ISP blocking port 80 makes HTTP-01 authentication impossible.

That only leaves DNS-01 authentication [simplest]
OR
TLS-ALPN-01 authentication [not very well understood/implemented by the avg sysadmin]

5 Likes

Hello Linkp,

I agree that that is a solution for certain scenarios. I am actually doing that very thing on a few servers I manage. However, there are scenarios in which you can't blindly redirect all port 80 traffic to port 443. Unfortunately, I have more than a dozen servers on which I cannot do that for a variety of reasons.

I think there must be some sort of communication breakdown here, or a misunderstanding. In the context of cPanel, Geo-Location blocking is where you block specific countries

It's probably not what you want to hear, but I don't think this feature request is going to go anywhere anytime soon.

If you look at the Let's Encrypt stats at Let's Encrypt Stats - Let's Encrypt, it looks like more than 5 million certificates can easily be issued daily without having to know the Let's Encrypt validation IP addresses. (Even almost 8 million on 2024-12-11 :astonished:)

I shouldn't speak before my turn, as I'm not part of the Let's Encrypt team, but I'm preeeetty sure the burden of these nonsense geoblocking stuff is going to land on the sysadmins requiring more effort to let the Let's Encrypt validation attempts pass their own set up restrictions.

Anywayz, the possible solutions are quite easy as mentioned earlier. "Just" allow access to /.well-known/acme-challenge/, a path not usable for anything else than ACME.. Thus not any security risk.

6 Likes

And LE validations are based in many countries [commonly being GeoBlocked].
If you block the validation request, there is nothing LE can do to overcome that.

5 Likes

I understand. I honestly don't expect them to care. But I saw many feature requests posted in which resources were supplied in a context that seems to shrug off the very real security concern of opening up a firewall to the world. Some of the responses here tried to do the same thing. When stuff blows up over here... I am going to point to this post and say I tried.

Nonsense.

No, that isn't why--as you'd know if you'd actually read the link you said you'd read. If they published the IPs, that would literally defeat the purpose of validating from a variety of IPs.

7 Likes

keep following your logic train there and you will catch up.... why do they need to validate from a variety of IPs that are unpublished?