New to this method of renewing certs and I am trying to get me NetSecEng head around this. When I look at something, I am mainly looking at the data communication paths going through my security appliances. Is there some form of drawing that describes the communication paths of the recertifcation method?
Are you looking for IP addresses? I am not sure I understand your question, if there is one.. AND we don't have any information relating to your configuration: Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=mydomain.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Your success with curl shows that this is not an IP communication problem. I suggest you open a new topic and use the template to fully describe your errors.
Short(TXT) version:
A connects with CA
If HTTP(S) authentication path: Vs connect to W at F
If DNS authentication path: CA connects to D
If valid, then CA gives A the new(renewed) cert.
Longer version:
Acme client[A] connects to Certificate Authority[CA] (via HTTPS)
If HTTP(S) authentication path chosen:
Validation Servers connect to Web Service at FQDN (IP) and request validation token file.
If DNS authentication path:
CA connects to (global) DNS and retrieves validation TXT record
If valid, then CA gives ACME client the new(renewed) cert.
So the basic flow if using http validation is that the ACME client (Certify The Web in this case) talks to the Let's Encrypt API using outgoing https. Then Let's Encrypt make an http (TCP port 80) request to your server which Certify The Web (running on your server) responds to, using a temporary http server that sits in the http.sys pipeline before IIS. If you are using other webservers like apache then these don't support that configuration and you need to use filesystem based validation (write files that are served by your actual webserver software) or use DNS validation (which talks to your DNS API provider and sets a special TXT record).
By default Certify The Web also has a reporting API for config validation and failure notifications etc, but it'll work without that.
If you're in the habit of blocking outgoing https you may want to allow exceptions for the Certify background service as none of these APIs have fixed IPs.
Ok ..... Drawing is a start however I need IPs and/or FQDNs
And it seems I forgot some information:
This is an internal Microsoft Exchange server not an web server.
We do not allow OWA so there is no external (Internet) access via HTTP or HTTPS unless we write a specific FW rule inbound.
We installed this method for renewing the cert back in January.
It renewed fine in Feb/Mar/Apr/May/Jun
It started failing in July
What we see in the log is:
LetsEncrypt does not publish their validation IPs as they are subject to change at any point. Their engineers have shared some hints about what they are in several posts, but that's about it.
Does your environment use PaloAlto firewalls? If so, you might be running into this, but the timing of when it started failing doesn't quite match. Worth looking into though if you do.
Specifically, for the last several months, the IPs that perform multi-perspective validation change every few hours, and our primary datacenter IPs have changed a couple of times too.
Yes, as mentioned there is also the option of DNS validation instead of http validation. This involves (automatically) creating a specific TXT record in your domain DNS DNS Validation (dns-01) | Certify The Web Docs
Note that you don't have to run a web server on your servers to be able to use http challenges, Certify The Web has it's own built in http listener during validation. You would just need to open TCP port 80 so the traffic can get through. This is the easiest option, DNS is the alternative but it can be trickier depending on how your DNS service is hosted.
You noted that this started failing in July so it looks like you updated your firewall in July and your quickest and easiest solution would be to fix that.
No we use a different vendor. I can't be certain it is FW until I can find the communication in the FW logs. And I cant do that without knowing all the data paths and IP addressing or FQDNs. Since they dont give the IPs then is there someone here that knows the FQDNs? I can use those to convert to IPs and find the latest attempts.
I dont think the DNS option will work as we do not mange our external DNS ..... So is there someone who knows the FQDNs for the servers that will be contacting my mail server?
Thank you MikeMcQ for the attempt however I am trying to validate the requests came from the actual servers in my FW logs. This tells me there isn't a problem between the Lets Encrypt servers on the Internet and my server. Unfortunately, your solution will not use the correct source IP address of the lets Encrypt servers.
No ..... not a test attempt ..... I want to verify the actual attempt is getting to my FW. The only way I can do that is if I have the IP addresses or the FQDNs. If no IP addresses ranges, at the time of failure, I can use the nslookup and the FQDNs to get an IP address and check my FW logs.
Thank you however I do not want to open my email server to every script-kiddie on the internet trying to hit it on HTTP (port 80).
Probably as insecure as number 1
Would not be able to convert that right now.
I dont like snarky answers from folks that are supposed to be helping
Best solution:
Get the FQDNs and then validate the communication attempts are hitting FW and failing there. If yes, write a FW rule that tracks those FQDNs through DNS as source and my mail server as destination on HTTP port and allow. Sounds like the best plan.
Is there anyone out there who can provide the FQDNs?