Certbot for Ubuntu ignores ufw firewall?


#1

Hi,

I’m using certbot for Ubuntu 18.04 to get a certificate for my subdomain. I’m using the following command:

sudo certbot certonly --standalone -d my.domain

My ufw firewall is activated and only allows OpenSSH connections. But nevertheless the certbot is working and I don’t know why. Shouldn’t the firewall block the certbot process? On my other server I have installed the Apache Web Server and certbot is only working if I allow HTTP and HTTPS in the ufw firewall.

Thank you for any help!


#2

Certbot can’t really do anything that bypasses your firewall, it’s most likely that your firewall isn’t set up the way you think it is.

ufw status

#3

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)

#4

Well, that looks correct.

Have you confirmed that your server is actually permitting traffic? Aside from success reported by Certbot?

If this was not the first time you issued a certificate for this domain under this ACME account, then Let’s Encrypt may have cached a previous authorization (which may be cached up to ~30 days), and issued the certificate without making any HTTP request.
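
As an added illustration (not code from any post in this thread): a small POSIX shell script that reads the text of `sudo ufw status verbose`, as pasted in #3, and answers the two questions this thread turns on: whether inbound 80/tcp is allowed, which a fresh HTTP-01 validation by `certbot --standalone` needs, and what the outbound default is, which certbot's own requests to the ACME API rely on. The status text embedded in the script is a constructed sample shaped like the poster's output, and the function names are mine, not ufw's or certbot's.

```shell
#!/bin/sh
# Added example, not code from any post in this thread.
# Reads the text of `sudo ufw status verbose` and answers two questions:
#   1. is inbound 80/tcp allowed? (what `certbot --standalone` HTTP-01 needs)
#   2. what is the outbound default? (what certbot's ACME API calls rely on)
# UFW_STATUS below is a constructed sample shaped like the output in #3.
# On a real host replace it with:  UFW_STATUS="$(sudo ufw status verbose)"

UFW_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)'

# A second constructed sample: the same host after `sudo ufw allow 80/tcp`.
UFW_STATUS_WEB="$UFW_STATUS
80/tcp                     ALLOW IN    Anywhere"

# ufw_default_policy STATUS_TEXT incoming|outgoing|routed
# Prints the word in front of "(incoming)" etc. on the "Default:" line.
ufw_default_policy() {
    printf '%s\n' "$1" | sed -n 's/^Default:.*[ ,]\([a-z]*\) ('"$2"').*/\1/p'
}

# ufw_allows_inbound STATUS_TEXT PORT/PROTO
# Exit 0 if an explicit "ALLOW IN" rule exists for that port, or if the
# incoming default is allow; exit 1 otherwise. Only matches rules listed by
# port number (e.g. 80/tcp), not application profiles such as "Apache Full".
ufw_allows_inbound() {
    if printf '%s\n' "$1" | grep -q "^$2 .*ALLOW IN"; then
        return 0
    fi
    [ "$(ufw_default_policy "$1" incoming)" = allow ]
}

# standalone_verdict STATUS_TEXT
# Prints "port80-open" or "port80-blocked". If it prints port80-blocked and
# certbot still succeeded, the issuance did not depend on a fresh inbound
# HTTP-01 request (the cached-authorization case described in #4); the
# outbound ACME traffic still left the host because outgoing is allowed.
standalone_verdict() {
    if ufw_allows_inbound "$1" 80/tcp; then
        echo port80-open
    else
        echo port80-blocked
    fi
}

echo "incoming default: $(ufw_default_policy "$UFW_STATUS" incoming)"
echo "outgoing default: $(ufw_default_policy "$UFW_STATUS" outgoing)"
echo "as pasted in #3:        $(standalone_verdict "$UFW_STATUS")"
echo "after ufw allow 80/tcp: $(standalone_verdict "$UFW_STATUS_WEB")"
```

Run it as-is to see the two verdicts side by side; on a live host, swap the sample for the real `ufw status verbose` output. A `port80-blocked` verdict alongside a successful certbot run is exactly the combination #4 describes: nothing inbound was needed because the authorization was still valid, and the outbound API calls were never subject to the rules since outgoing defaults to allow.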


#5

I have used the command sudo certbot renew --dry-run -v.

I have also added a rule to ufw to block all outgoing http and https traffic and after that certbot was not able to renew the certificate.


#6

Try it against staging (presuming you’ve never been there - there should be no previous auth).


#7

--dry-run implies --staging (which surprised me too, when I found out).


#8

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.

DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"