The operating system my web server runs on is: RedHat 8
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0
OBS: Since I created the rule, it has been generating this problem, but I can't remove it because there are a lot of other malicious IPs being blocked by this rule.
OBS2: I ran this command and got this output yesterday; today I temporarily disabled the rule to generate the certificate for this domain.
If you can't use the DNS Challenge (see linkp post #3), could you disable the firewall just on port 80?
And, in the port 80 VirtualHost, redirect all requests to HTTPS (you probably already do).
With no firewall blocking IPs to port 80, the HTTP Challenge should succeed. You are using the --apache plug-in, so it should capture the Challenge URL for you without redirecting to https. If you were using --webroot, then you'd have to add a location for the /.well-known/acme-challenge URL.
Any of the malicious IPs trying HTTP will get redirected to HTTPS and be blocked by your firewall.
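As an added example (not from the original thread), here is what that port-80 VirtualHost looks like for Apache 2.4 on RHEL 8 when the --webroot plugin is used instead of --apache: the ACME challenge path stays reachable over plain HTTP while every other request is redirected to HTTPS, where the IP blocklist still applies. The hostname, webroot path and firewalld ipset name are assumptions.

```apache
# Port-80 VirtualHost: answer ACME HTTP-01 locally, redirect everything else to HTTPS.
# With the --apache plugin certbot injects an equivalent temporary config itself;
# the explicit Alias/exception below is only needed with --webroot.
#
# Scope the blocklist to HTTPS only (assumed firewalld ipset "badips", run as root):
#   firewall-cmd --permanent --new-ipset=badips --type=hash:ip
#   firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="badips" port port="443" protocol="tcp" reject'
#   firewall-cmd --permanent --add-service=http
#   firewall-cmd --reload
<VirtualHost *:80>
    # Placeholder hostname; replace with the real name in the certificate request.
    ServerName www.example.gov.br

    # Serve challenge tokens from a dedicated webroot:
    #   certbot certonly --webroot -w /var/www/acme -d www.example.gov.br
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything except the challenge path goes to HTTPS, where the blocklist applies.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After reloading Apache, `curl -I http://www.example.gov.br/.well-known/acme-challenge/test` should return 404 (served locally, not redirected), while any other path returns 301 to https.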
There is another option which was mentioned briefly in earlier posts here, the DNS-01 challenge method.
(I wanted to include the link to the page translated into Portuguese, but the site said "this page has not been translated yet".)
The difficulty is that this is usually more complicated to automate, and it's not very pleasant to use Let's Encrypt services without setting up automated renewal. With this alternative method, you need a way to make changes to DNS records from software (usually with an API provided by your DNS host). I'm guessing that PRODERJ or other state agency that might provide your Internet hosting services most likely does not offer this.
Folks who should know better (or their automated scripts) are reporting these IPs because the HTTP validation checks their ACME challenge. AbuseDB et al. should instead use a manual review process for ISRG IPs, and if they don't, you should discontinue use of their database because you are very likely to DoS yourself.
I would like to know if there is a Brazilian public-sector IT event that I could speak at in order to better familiarize state IT entities with Let's Encrypt and its requirements.
(In this case the relevant thing might be asking them to provide an option for an API to make DNS updates, which would make the DNS-01 challenge a more practical alternative.)
Cool! Is there some way that I could give a presentation to your colleagues (including, ideally, from other states) about Let's Encrypt and how to support it better? Is there an event I could attend for that purpose or another way to communicate about that?
I would be happy to have a video call or something (in Portuguese) if you have colleagues who are interested. I could probably put together information that would be useful.
@adash @phsm @dtisistemas @shibatawebline @Gabiel
There are other free ACME Certificate Authorities; maybe one of them will be better suited for you.
Here is a comparison of a few of them: