Cert renewal failing with source-restricted, inbound HTTP traffic

A Sonicwall SMA is using LetsEncrypt for certificate renewal, now that this is a built-in feature, but auto-renew and manual renew are failing.

The SMA is behind a Sonicwall Firewall, which is only allowing inbound TCP 80 from the below:
FQDN: lencr.org
FQDN: *.lencr.org
FQDN: ocsp.int-x3.letsencrypt.org (added the legacy URL, for testing)

I am seeing inbound TCP 80 traffic denied in the Firewall's packet capture, while attempting to manually renew the cert.

Followed this article:

Should different or additional resources be included in the allowed sources list?

Thanks!

1 Like

Welcome @firewallguy

The link you refer is discussing outbound traffic from your server.

The link more appropriate for inbound is this one. The short answer is to keep port 80 open.

If you need to filter inbound traffic you need to allow URLs with .well-known/acme-challenge from any IP. Let's Encrypt makes http challenges from various spots around the world and does not publish the IP list.

You could also use the DNS Challenge instead of HTTP (if SonicWall supports that)

6 Likes

For the truly paranoid security engineer / firewall admin [like myself]:
Only allow HTTP into a dedicated system that redirects all connections to HTTPS.
Except those that are to the /.well-known/acme-challenge/ folder.
Those can be handled there, if that system is to be a certificate repository.
OR
Using a reverse proxy, forward those requests (using SNI) to their intended destinations.

The rules for such a device [which can be contained in a DMZ] are simple:

  • DNS and NTP outbound [to dedicated IPs]
  • HTTPS outward to the URLs you listed.
  • HTTP inward to the other internal systems that are using HTTP authentication

It can be a very tiny VM of any Linux flavor your sys admins are comfortable with.
[If you are a one-man-IT-shop, then even simpler; as you won't have to explain anything to anyone else]

4 Likes

Thank you both for the quick and helpful responses.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.