Geoip module and letsencrypt

Hi I already have letsencrypt working so that bits out the way.

Right I’m setting my sites up with the nginx geoip restriction up on my server to only allow access to ip’s from the UK to cut down on some daily cyberwarfare attacks

My question is if I activate the module with a 444 redirect not a 403 as it drops all connections from the given up

Will letsencrypt still work renewing my certs as I presume letsencrypt servers are not serving from the UK so when it tries to renew the certs it will fail as let’s encrypt will get served with a 444 response

Is this correct if so is there a work around like adding a allow through from letsencrypt ip addresses to my vhost file

Internet down at the moment will try a dry run when vm techs get there systems back up not sure how long

I’m post with awnser after i test with dry run to let others know for future refrences

Hi @ksmacd,

This has often been discussed before and is contrary to Let's Encrypt policy (that is, Let's Encrypt is not willing to cooperate with attempt to whitelist particular validation IP addresses, although doing so might work temporarily).

If you don't want to allow incoming connections to your service from the general public, you should use the DNS-01 validation method instead of HTTP-01 or TLS-SNI-01.

1 Like

I had a feeling you was going to suggest about the whitelisting policy and thought there would be some measures implemented for not disclosing up info for security issues.

I will look further into getting renewal of certs and ip base geo restrictions working harmonylously together with out whitelisting validation procedures.

Thanks for sharing dns-01 alternative will look further into that once internet goes back up.

Thanks for the reply

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.