Help on firewall

Hello,
my firewall is blocking let's encrypt renewals ... which IP address / port should I leave open?

I do not put all the details of the site or the server, because they certainly do not serve to give me an answer, in any case if you want them anyway, just tell me ... the server hosts 246 domains ... I list them all? because it all happens to me, since the firewall is upstream :smiley:

Are you having trouble with

  1. Outbound of your servers being able to connect to the Let's Encrypt API?, or
  2. Inbound of Let's Encrypt not being able to validate your ownership of the names?

If 1, you need to have the firewall open to https://acme-v02.api.letsencrypt.org (which may not stay at the same IP).
If 2, you need to have the firewall open from everybody to your port 80 if you want to do an HTTP-01 request. (If you do a DNS-01 request, then the firewall has to be open from everybody to your DNS server on port 53, which some people find their security team prefer.)

3 Likes

Thanks for the reply. I don't really know. I just know that she was renewing a certificate in a domain and told me that the DNS server was unreachable, so she couldn't proceed with the renewal. I disconnected the firewall and was able to renew. The firewall is now enabled, but renewals usually go smoothly. Evidently today an IP address was searched that my firewall is blocking. to know what they are what should I do?
ok that are many, but to know them I could put them all in the firewall and avoid future stops

And if you want to know if you can have a list of IP addresses used for validation by Let's Encrypt, so you can add them to your firewall, please see the FAQ (linked to exact question):

2 Likes

People here would need to know more details, about the domain, the command that was run, and the actual output in order to be able to really assist. If it was a problem reaching a DNS server, then it sounds like the firewall was blocking it, so you'd need to fix your firewall configuration to not block it.

2 Likes

the domain is dmt.biz, it is reachable at the DNS level from all over the world and presents no problems. The firewall of the server that hosts it has blocked the renewal of the certificate. Now, not knowing which address the block was referring to, I can't not block it ... I have to enter an IP to tell you what not to block ... or remove the address that is in the list of blocked ones, only that to do that I need to know the address. As mentioned before, if the addresses vary, patience, it means that if it happens again, I will do as I did today: I turn off the firewall, proceed with the renewal, as soon as it is successful, turn the firewall back on. So I did and it's working. Thank you for your time.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.