Everyone can!
These are my install notes for firewall rules with acme-dns.
I use Certbot hooks to either start/stop this on the same server, or execute a Fabric script that SSHes into this server to toggle the rules.
In order to easily toggle this:
# do not execute these: every start/stop would -I (insert) yet another
# ACCEPT or REJECT at the top of the chain, so the rules pile up and the
# most recently inserted one wins. The chain-based approach below avoids that.
# startup
iptables -I OUTPUT -p udp --sport 53 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT
# shutdown
iptables -I OUTPUT -p udp --sport 53 -j REJECT
iptables -I INPUT -p udp --dport 53 -j REJECT
We'll use a trick from the Q&A:
https://serverfault.com/questions/905465/toggle-port-rule-on-an-ubuntu-iptables-firewall/905468#905468
# create the acme-dns chain
iptables -N acme-dns
# make INPUT jump to it as rule 1, i.e. BEFORE the port 53 deny
# (-A would append the jump after the existing rules, too late to matter)
iptables -I INPUT 1 -j acme-dns
# it may make sense to first..
iptables-save > iptables.dump
vi iptables.dump
# then manually add the :acme-dns chain declaration and put the
# "-A INPUT -j acme-dns" jump as the first rule, since iptables-restore
# applies the rules in file order
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [451:186415]
:acme-dns - [0:0]
:f2b-postfix - [0:0]
:f2b-sshd - [0:0]
:f2b-sshd-invalid_accounts - [0:0]
:f2b-sshd-system_accounts - [0:0]
-A INPUT -j acme-dns
# and reload
iptables-restore < iptables.dump
# now to toggle rules...
# turn on acme-dns
iptables -A acme-dns -p tcp --dport 53 -j ACCEPT
iptables -A acme-dns -p udp --dport 53 -j ACCEPT
iptables -A acme-dns -p tcp --dport 8011 -j ACCEPT
# turn off acme-dns
iptables -F acme-dns
I ended up doing this via `iptables` and a custom "acme-dns" chain.
After a bit of fiddling, the top of the output from my `iptables-save` (and the input to `iptables-restore`) looks roughly like this:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [451:186415]
:acme-dns - [0:0]
:f2b-postfix - [0:0]
:f2b-sshd - [0:0]
:f2b-sshd-invalid_accounts - [0:0]
:f2b-sshd-system_accounts - [0:0]
-A INPUT -j acme-dns
Note: the f2b-* chains are fail2ban's.
This line...
:acme-dns - [0:0]
...is essentially the same as:
iptables -N acme-dns
And this line
-A INPUT -j acme-dns
...is the same as
iptables -A INPUT -j acme-dns
(iptables-restore applies rules in file order, so listing it first makes it rule 1 of INPUT, ahead of the fail2ban chains and anything that rejects port 53.)
When running acme-dns, I do:
iptables -A acme-dns -p tcp --dport 53 -j ACCEPT
iptables -A acme-dns -p udp --dport 53 -j ACCEPT
iptables -A acme-dns -p tcp --dport 8011 -j ACCEPT
And when shutting it off...
iptables -F acme-dns
Edit: The above could be changed trivially to support ports 80/443.
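As an added example (my own script, not the author's hook and not part of acme-dns): a small POSIX sh wrapper that applies the chain approach above idempotently, and takes the ports from a variable so the 80/443 variant from the Edit is a one-line change. It assumes the chain name acme-dns, the ports 53/tcp, 53/udp and 8011/tcp, root privileges, and `iptables` on PATH; the `IPTABLES` variable exists only so the logic can be exercised against a stand-in binary.

```shell
#!/bin/sh
# acme-dns-fw.sh: idempotent start/stop for the acme-dns iptables chain.
# Added example, not part of the original notes. Assumptions: the chain is
# named acme-dns, acme-dns listens on 53/tcp, 53/udp and 8011/tcp, and the
# script runs as root (iptables needs CAP_NET_ADMIN).
set -eu

CHAIN="${CHAIN:-acme-dns}"
PORTS="${PORTS:-53/tcp 53/udp 8011/tcp}"   # e.g. PORTS="53/tcp 53/udp 80/tcp 443/tcp"
IPTABLES="${IPTABLES:-iptables}"

# ipt_has RULE...: true if the rule already exists (iptables -C), so we
# never add a duplicate jump on repeated "start" runs.
ipt_has() { "$IPTABLES" -C "$@" >/dev/null 2>&1; }

# ensure_chain: create the chain if it is missing and make INPUT jump to it
# as rule 1, i.e. before fail2ban's chains and before any REJECT/DROP.
# (-A would append the jump after them, which is why the notes end up
# hand-editing the iptables-save file.)
ensure_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true   # -N fails if it already exists
    if ! ipt_has INPUT -j "$CHAIN"; then
        "$IPTABLES" -I INPUT 1 -j "$CHAIN"
    fi
}

# port_rules: emit one "-p PROTO --dport PORT" match per entry in $PORTS.
port_rules() {
    for entry in $PORTS; do
        port="${entry%/*}"
        proto="${entry#*/}"
        printf -- '-p %s --dport %s\n' "$proto" "$port"
    done
}

# fw_start: open the configured ports. The chain is flushed first, so
# running "start" twice leaves exactly one ACCEPT per port.
fw_start() {
    ensure_chain
    "$IPTABLES" -F "$CHAIN"
    port_rules | while read -r match; do
        # shellcheck disable=SC2086  # $match is meant to split into 4 words
        "$IPTABLES" -A "$CHAIN" $match -j ACCEPT
    done
}

# fw_stop: close the ports by emptying the chain. The chain and the INPUT
# jump stay in place: an empty user chain just returns to INPUT, whose
# DROP policy then applies to the packet.
fw_stop() {
    if "$IPTABLES" -L "$CHAIN" -n >/dev/null 2>&1; then
        "$IPTABLES" -F "$CHAIN"
    fi
}

fw_status() { "$IPTABLES" -S "$CHAIN"; }

main() {
    case "${1:-}" in
        start)  fw_start ;;
        stop)   fw_stop ;;
        status) fw_status ;;
        *) echo "usage: $0 start|stop|status" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with an action, so the functions can also be
# sourced from another hook script.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `acme-dns-fw.sh start` / `stop`, for example from Certbot's `--pre-hook` / `--post-hook`, or over SSH from the Fabric script mentioned above. Because the INPUT jump is guarded with `iptables -C` and the chain is flushed before the ACCEPT rules are re-added, repeated starts do not stack rules, which is exactly what goes wrong with the `-I ... ACCEPT` / `-I ... REJECT` pair at the top of the notes. The chain and jump still need to be in the persisted ruleset (`iptables-save`) to survive a reboot, as the notes describe.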