All I intended to ask was: Are the only requirements for HTTP-01 validated renewals an HTTP GET request on port 80 to /.well-known/acme-challenge/*? And it sounds like the answer to that question is "Yes".
ORIGINAL:
I'm restricting port 80 on our service just to Let's Encrypt renewals via HTTP-01 validation. Will this BLOCK rule be sufficient to ALLOW the automatic renewal process with HTTP-01?
IF
host-header = host.ourdomain.com
AND
NOT path starts with .well-known/acme-challenge/
OR
NOT method = GET
THEN
BLOCK
I would prefer to restrict based on an IP range as well. If that's available that would be a bonus.
I'm not familiar with that specific syntax, but allowing the path /.well-known/acme-challenge/ should be enough indeed. (Not sure if for your firewall the first / is required or not. Usually the path starts with the slash, but maybe it's not required in your software/device.) It's just a simple HTTP GET request.
Although I'm not sure what you gain by blocking the rest: usually you still would like to redirect HTTP to HTTPS, which requires a working HTTP request on port 80. See Best Practice - Keep Port 80 Open - Let's Encrypt for more info.
This is an internal service. HTTP is only exposed on the public side for the certificate renewal.
I probably should have phrased my question "Are the requirements for HTTP-01 validated renewal only a GET request to /.well-known/acme-challenge/* ?" And it sounds like the answer to that is "Yes".
The question (poorly worded, I admit) wasn't about approach to firewalling as much as it was about HTTP-01 validated renewals.
"Yes", yes.
Your question had been correctly answered; I was just adding more [where it wasn't required].
But as a security conscious minded [read: paranoid] person, there is always more that can be prevented. Like checks for directory traversal, and such.
I, personally, like to send all HTTP connections to a separate dedicated, and isolated, system that has "nothing of value" and no access to any other internal systems. It only serves to process the challenge requests and forwards all else to HTTPS.
That way, even if it ever gets hacked, it's an empty dead-end.
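The two points made in this thread, that HTTP-01 needs nothing more than a GET to /.well-known/acme-challenge/<token> on port 80, and that a dedicated "dead-end" box can answer those requests and push everything else to HTTPS, can be combined in a very small responder. The following is an added example written for this page; it is not code from the thread, from certbot, or from Let's Encrypt. It assumes the token files are written in the layout certbot's --webroot plugin uses (here /var/www/acme, an assumption), uses the host name host.ourdomain.com from the original post purely as a placeholder for the HTTPS redirect target, and deliberately does no source-IP filtering. The token check is where the "directory traversal" concern is handled: only a bare base64url string is ever joined to the webroot path, so "..", "/", percent-encoded dots and query strings are rejected before the filesystem is touched.

```python
"""Minimal port-80 responder for Let's Encrypt HTTP-01 challenges (added example).

Serves only GET /.well-known/acme-challenge/<token> from a webroot directory,
redirects every other GET/HEAD to HTTPS, and rejects everything else.
"""
import http.server
import re
import sys
from pathlib import Path

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url characters only (RFC 8555 section 8.3).  Anything
# else in the token position (dots, slashes, '%', '?' ...) is treated as bogus,
# which rules out traversal and query-string tricks before any path is built.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def decide(method, path, store):
    """Map (HTTP method, raw request path) to (status, body).

    `store` is any object with .get(token) -> key-authorization string or None
    (a dict works for tests, FileStore below for a real webroot).
      200 -> serve the key authorization
      301 -> redirect to HTTPS (non-challenge GET/HEAD)
      404 -> malformed or unknown token
      405 -> method not allowed
    """
    if path.startswith(CHALLENGE_PREFIX):
        if method != "GET":
            return 405, None
        token = path[len(CHALLENGE_PREFIX):]
        if not TOKEN_RE.fullmatch(token):
            return 404, None  # empty, nested, '..', '%2e', '?query' ... all land here
        body = store.get(token)
        return (200, body) if body is not None else (404, None)
    if method in ("GET", "HEAD"):
        return 301, None
    return 405, None


class FileStore:
    """Reads <webroot>/<token>.  decide() has already validated the token,
    so the join below cannot escape the webroot."""

    def __init__(self, webroot):
        self.webroot = Path(webroot)

    def get(self, token):
        try:
            return (self.webroot / token).read_text()
        except OSError:
            return None


class ChallengeOnlyHandler(http.server.BaseHTTPRequestHandler):
    # Assumptions for this example: certbot --webroot -w /var/www/acme, and the
    # host name from the original post as the HTTPS redirect target.
    webroot = "/var/www/acme"
    https_host = "host.ourdomain.com"
    server_version = "acme-responder"  # keep Python/version banners off the wire
    sys_version = ""

    def _respond(self, method):
        status, body = decide(method, self.path, FileStore(self.webroot))
        payload = body.encode() if status == 200 else b""
        self.send_response(status)
        if status == 301:
            self.send_header("Location", f"https://{self.https_host}{self.path}")
        if status == 405:
            self.send_header("Allow", "GET")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        if method != "HEAD":
            self.wfile.write(payload)

    def do_GET(self):
        self._respond("GET")

    def do_HEAD(self):
        self._respond("HEAD")

    def do_POST(self):
        self._respond("POST")
    # Any other method gets a 501 from BaseHTTPRequestHandler itself.


def main(argv):
    port = int(argv[1]) if len(argv) > 1 else 80
    with http.server.ThreadingHTTPServer(("", port), ChallengeOnlyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    main(sys.argv)
```

Run it as root (or with CAP_NET_BIND_SERVICE) on the isolated host with `python3 acme_responder.py 80`, point certbot's --webroot at the same directory, and nothing but a validly shaped token name can ever be looked up. The decision logic is kept in `decide()` so it can be exercised without binding a socket, which is also where a firewall rule like the one in the original post can be checked against real request shapes.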
I appreciate the extra thoughts. I hadn't given enough context for you to give accurate input on the actual rules, and I realized the way I worded it sounded a bit like someone confused about how to configure -- that's what happens when multi-tasking two projects and being on a meeting at the same time haha. I'm a bit on the paranoid side myself as well, so it's all good.