Firewall blocking Let's Encrypt IPs

Hello, thanks for the response!

I'm getting issues to renew and generate new certificates, since i created a new rule on firewall blocking IPs from feeds like AbuseIPdb and Talos.

My domain is (one of then): www.admpenitenciaria.rj.gov.br

I ran this command: certbot --apache (and after, i put the number of the domain)

It produced this output: Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems: Domain: www.admpenitenciaria.rj.gov.br Type: connection Detail: 187.62.128.28: Fetching http://www.admpenitenciaria.rj.gov.br/.well-known/acme-challenge/D8nTldCFKStpUPecEAphtreFF7BkThGp9gpVPgo-HHQ: Timeout during connect (likely firewall problem) Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the

My webserver is: Apache 2.4.37

The operating system my web server runs on is: RedHat 8

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

OBS: Since i created the rule, is generating this problem but i cant remove cause there is a lot of other malicious IP that is being blocked by this rule.

OBS2: I run this command and this output yesterday, today i disabled temporaly the rule to generate the certificate for this domain.

3 Likes

Got to run off to an appointment, but some supplemental information for you and other Let's Encrypt community volunteers assisting.

$ curl -Ii http://www.admpenitenciaria.rj.gov.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Wed, 08 Feb 2023 16:29:38 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Location: https://www.admpenitenciaria.rj.gov.br/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii https://www.admpenitenciaria.rj.gov.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Wed, 08 Feb 2023 16:29:55 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Cache-Control: must-revalidate, no-cache, private
X-Drupal-Dynamic-Cache: UNCACHEABLE
X-UA-Compatible: IE=edge
Content-language: pt-br
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Permissions-Policy: interest-cohort=()
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Generator: Drupal 9 (https://www.drupal.org)
X-Drupal-Cache: MISS
Content-Type: text/html; charset=UTF-8

1 Like

Thank you for the help, i want to add too that this problem is on any server from my domain.

2 Likes

I've seen a few gov.br issues recently with Let's Encrypt
Here is a search for them Search results for 'gov.br order:latest' - Let's Encrypt Community Support

If you can't use the DNS Challenge (see linkp post #3) could you disable the firewall just on port 80?

And, in the port 80 VirtualHost redirect all requests to HTTPS (you probably already do)

With no firewall blocking IP's to port 80 the HTTP Challenge should succeed. You are using the --apache plug-in so it should capture the Challenge URL for you without redirecting to https. If you were using --webroot then you'd have to add a location for the /.well-known/acme-challenge URL.

Any of the malicious IP's trying HTTP will get redirected to HTTPS and be blocked by your firewall.

4 Likes

Hi,

I will try to make this exception and will give you a feedback soon.

There is another option which was mentioned briefly in earlier posts here, the DNS-01 challenge method.

(eu queria colocar o link para a página traduzida em português mas o site disse "esta página ainda não foi traduzida" :crying_cat_face: )

The difficulty is that this is usually more complicated to automate, and it's not very pleasant to use Let's Encrypt services without setting up automated renewal. With this alternative method, you need a way to make changes to DNS records from software (usually with an API provided by your DNS host). I'm guessing that PRODERJ or other state agency that might provide your Internet hosting services most likely does not offer this.

3 Likes

This needs a takedown request from LE. the form for which is here : 23.178.112.107 | Internet Security Research Group | AbuseIPDB

Folks who should know better (or their automated scripts) are reporting these IPs because the http validation checks their acme challenge. AbuseDB et al should instead use a manual review process for ISRG ips and if they don't you should discontinue use of their database because you are very likely to DoS yourself.

4 Likes

I would like to know if there is a Brazilian public-sector IT event that I could speak at in order to better familiarize state IT entities with Let's Encrypt and its requirements.

(In this case the relevant thing might be asking them to provide an option for an API to make DNS updates, which would make the DNS-01 challenge a more practical alternative.)

3 Likes

I'm talking from PRODERJ, if you want to talk more.

Like you work for PRODERJ yourself, or you're in contact with them about this problem?

2 Likes

I work for PRODERJ

2 Likes

Cool! Is there some way that I could give a presentation to your colleagues (including, ideally, from other states) about Let's Encrypt and how to support it better? Is there an event I could attend for that purpose or another way to communicate about that?

4 Likes

We can arrange a meeting for this, if you want.

2 Likes

I would be happy to have a video call or something (in Portuguese) if you have colleagues who are interested. I could probably put together information that would be useful.

4 Likes

Hello,

We can't do this configuration because we should be impacted by other IPs.

2 Likes

@adash @phsm @dtisistemas @shibatawebline @Gabiel
There are other Free ACME Certificate Authorities, maybe one of the will be better suited for you.
Here is a comparison of a few of them:

1 Like

Also please see Erro nas validações ao gerar certificado para domínio com sp.gov.br - #15 by Bruce5051

1 Like

Can you give me your e-mail?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.