Firewall blocking Let's Encrypt IPs

Greetings,

I am having issues with Let's Encrypt when i start an installation, my firewall have a rule that block IPs categorized by AbuseDB feeds and Talos feed, i caught 2 IPs 23.178.112.107 and 23.178.112.16.

Is there any solution for this case? I have 100+ applications that uses Let's Encrypt certificates.

Hello @adash, welcome to the Let's Encrypt community. :slightly_smiling_face:

What are the issues? Getting certificates issued for the domain?

That sound like you have been issued Let’s Encrypt Domain Validation (DV) certificates, correct?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

There is no list of sources where HTTP-01 challenges may originate. The IPs you shared are from an ISRG allocation, which would have me reevaluating the use of a list that included them.

Is the use of the specific IP lists is more important than using HTTP-01 validation, you could switch to DNS-01 validation.

4 Likes

And to add to @linkp information

What IP addresses does Let’s Encrypt use to validate my web server?
Let’s Encrypt does not publish a list of IP addresses we use to validate,
and these IP addresses may change at any time.

Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt

3 Likes

Hello, thanks for the response!

I'm getting issues to renew and generate new certificates, since i created a new rule on firewall blocking IPs from feeds like AbuseIPdb and Talos.

My domain is (one of then): www.admpenitenciaria.rj.gov.br

I ran this command: certbot --apache (and after, i put the number of the domain)

It produced this output: Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems: Domain: www.admpenitenciaria.rj.gov.br Type: connection Detail: 187.62.128.28: Fetching http://www.admpenitenciaria.rj.gov.br/.well-known/acme-challenge/D8nTldCFKStpUPecEAphtreFF7BkThGp9gpVPgo-HHQ: Timeout during connect (likely firewall problem) Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the

My webserver is: Apache 2.4.37

The operating system my web server runs on is: RedHat 8

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

OBS: Since i created the rule, is generating this problem but i cant remove cause there is a lot of other malicious IP that is being blocked by this rule.

OBS2: I run this command and this output yesterday, today i disabled temporaly the rule to generate the certificate for this domain.

3 Likes

Got to run off to an appointment, but some supplemental information for you and other Let's Encrypt community volunteers assisting.

$ curl -Ii http://www.admpenitenciaria.rj.gov.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Wed, 08 Feb 2023 16:29:38 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Location: https://www.admpenitenciaria.rj.gov.br/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii https://www.admpenitenciaria.rj.gov.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Wed, 08 Feb 2023 16:29:55 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Cache-Control: must-revalidate, no-cache, private
X-Drupal-Dynamic-Cache: UNCACHEABLE
X-UA-Compatible: IE=edge
Content-language: pt-br
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Permissions-Policy: interest-cohort=()
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Generator: Drupal 9 (https://www.drupal.org)
X-Drupal-Cache: MISS
Content-Type: text/html; charset=UTF-8

1 Like

Thank you for the help, i want to add too that this problem is on any server from my domain.

2 Likes

I've seen a few gov.br issues recently with Let's Encrypt
Here is a search for them Search results for 'gov.br order:latest' - Let's Encrypt Community Support

If you can't use the DNS Challenge (see linkp post #3) could you disable the firewall just on port 80?

And, in the port 80 VirtualHost redirect all requests to HTTPS (you probably already do)

With no firewall blocking IP's to port 80 the HTTP Challenge should succeed. You are using the --apache plug-in so it should capture the Challenge URL for you without redirecting to https. If you were using --webroot then you'd have to add a location for the /.well-known/acme-challenge URL.

Any of the malicious IP's trying HTTP will get redirected to HTTPS and be blocked by your firewall.

4 Likes

Hi,

I will try to make this exception and will give you a feedback soon.

There is another option which was mentioned briefly in earlier posts here, the DNS-01 challenge method.

(eu queria colocar o link para a página traduzida em português mas o site disse "esta página ainda não foi traduzida" :crying_cat_face: )

The difficulty is that this is usually more complicated to automate, and it's not very pleasant to use Let's Encrypt services without setting up automated renewal. With this alternative method, you need a way to make changes to DNS records from software (usually with an API provided by your DNS host). I'm guessing that PRODERJ or other state agency that might provide your Internet hosting services most likely does not offer this.

3 Likes

This needs a takedown request from LE. the form for which is here : 23.178.112.107 | Internet Security Research Group | AbuseIPDB

Folks who should know better (or their automated scripts) are reporting these IPs because the http validation checks their acme challenge. AbuseDB et al should instead use a manual review process for ISRG ips and if they don't you should discontinue use of their database because you are very likely to DoS yourself.

4 Likes

I would like to know if there is a Brazilian public-sector IT event that I could speak at in order to better familiarize state IT entities with Let's Encrypt and its requirements.

(In this case the relevant thing might be asking them to provide an option for an API to make DNS updates, which would make the DNS-01 challenge a more practical alternative.)

3 Likes

I'm talking from PRODERJ, if you want to talk more.

Like you work for PRODERJ yourself, or you're in contact with them about this problem?

2 Likes

I work for PRODERJ

2 Likes

Cool! Is there some way that I could give a presentation to your colleagues (including, ideally, from other states) about Let's Encrypt and how to support it better? Is there an event I could attend for that purpose or another way to communicate about that?

4 Likes

We can arrange a meeting for this, if you want.

2 Likes

I would be happy to have a video call or something (in Portuguese) if you have colleagues who are interested. I could probably put together information that would be useful.

4 Likes

Hello,

We can't do this configuration because we should be impacted by other IPs.

2 Likes