Certbot for Ubuntu ignores ufw firewall?



I’m using certbot for Ubuntu 18.04 to get a certficate for my subdomain. I’m using the following command:

sudo certbot certonly --standalone -d my.domain

My ufw firewall is activated and only allows OpenSSH connections. But nevertheless the certbot is working and I don’t know why. Shouldn’t the firewall block the certbot process? On my other server I have installed the Apache Web Server and certbot is only working if I allow HTTP and HTTPS in the ufw firewall.

Thank you for any help!


Certbot can’t really do anything that bypasses your firewall, it’s most likely that your firewall isn’t setup the way you think it is.

ufw status

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)


Well, that looks correct.

Have you confirmed that your server is actually permitting traffic? Aside from success reported by Certbot?

If this was not the first time you issued a certificate for this domain under this ACME account, then Let’s Encrypt may have cached a previous authorization (which may be cached upto ~30 days), and issued the certificate without making any HTTP request.


I have used the command sudo certbot renew --dry-run -v.

If have also added a rule to ufw to block all outgoing http and https traffic and after that certbot was not able to renew the certificate.


Try it against staging (presuming you’ve never been there - there should be no previous auth).


--dry-run implies --staging (which surprised me too, when I found out).

# /etc/default/ufw

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.


# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules

# IPT backend
# only enable if using iptables backend

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.