This is not good news - we have roughly 1000 different clients, with different domain names, running LE and almost all of them are GEO-restricted because they host sites that only need to be accessed from specific GEOs. Opening that FW policy to the entire world to make LE "more secure" is counterproductive and creates a different but much larger security risk for our clients. DNS-01 might be an option but the amount of work required to change almost 1000 environments to use DNS-01 and distributing API keys/service credentials to those environments is a daunting task and comes with other security concerns.
You can always use certificates from a commercial certificate authority or possibly another free CA if it is too burdensome to meet the requirements of Let's Encrypt.
Please note that the CA/Browser Forum is developing a ballot for the Baseline Requirements (to which all publicly trusted CAs need to adhere) that mandates multiple vantage points in the (near) future: SC-067: Require Multi-Perspective Issuance Corroboration (Version 1) by ChristopherRC · Pull Request #487 · cabforum/servercert · GitHub
The string 'mail' did not appear in that page. If commercial CAs are still able to domain validate using email, that option will still permit geo-restricted HTTP.
I have grown fond of DNS-01 challenges, although I still use all three methods with Let's Encrypt.
Sure, but if one wants a free ACME cert, the ballot applies.
I was just clarifying that the option of using commercial CAs, which I had presented earlier, appeared unaffected by this change.
I haven't yet encountered any perspective issues. My current contingency plan is to remove any filtering on port 80 if I am affected. One could conceivably use some pre and post hooks to adjust firewall policy before and after HTTP-01 challenges.
Are those sites hosted via HTTP or via HTTPS? If only via HTTPS, then it makes little sense to require GEO blocking on HTTP requests [that would not reach those "vulnerable" web applications].
Suggestions:
1- For DNS-01: Set up an acme-dns system and namespace, generate credentials for your clients, CNAME their DNS onto that. That will remove the security concerns.
2- For HTTP-01/TLS-ALPN-01: you can remove geo-blocks on the firewall for only the /.well-known/acme-challenge/ directory.
Edit:
Also for HTTP-01/TLS-ALPN-01: you can enable the firewall, or a CDN, to redirect /.well-known/acme-challenge/ requests to a secondary network that is publicly accessible. In this scheme, the secondary network would run an ACME client to order certificates, and respond to the redirected challenges; you would then simply use a post-success hook to deploy the certificates to the primary network.
There are a lot of ways to address this situation. These are just some quick thoughts.
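As an added illustration of the pre/post-hook idea raised earlier in the thread and of the firewall-side option in the suggestions above (example code, not posted by any participant here), the following certbot hook script temporarily inserts an "accept TCP/80 from any source" rule ahead of the geo-restriction rules for the duration of the HTTP-01 challenge and removes it again afterwards. It assumes an iptables INPUT chain that carries the geo-blocking rules, a hypothetical install path of /usr/local/sbin/acme-fw-hook.sh, and that the web server itself only answers /.well-known/acme-challenge/ requests with the challenge token (so the wider exposure is limited to that path while the rule is in place). Setting IPT="echo iptables" gives a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# acme-fw-hook.sh: hypothetical certbot pre/post hook (added example, not from the thread).
# Assumptions: the geo-restriction rules live in the iptables INPUT chain, so a rule
# inserted at its head (-I) takes precedence over them.
# Usage:
#   certbot renew --pre-hook  "/usr/local/sbin/acme-fw-hook.sh pre" \
#                 --post-hook "/usr/local/sbin/acme-fw-hook.sh post"
set -eu

# Firewall command; override with IPT="echo iptables" for a dry run.
IPT="${IPT:-iptables}"

# Run one iptables action (-C check, -I insert at head, -D delete) against the
# temporary rule that accepts TCP/80 from any source.
acme_rule() {
    $IPT "$1" INPUT -p tcp --dport 80 -j ACCEPT
}

# True when the temporary rule is currently installed.
rule_present() {
    acme_rule -C 2>/dev/null
}

# Before the HTTP-01 challenge: open port 80 to all vantage points, but only once,
# so an interrupted earlier run does not leave duplicate rules behind.
hook_pre() {
    rule_present || acme_rule -I
}

# After the challenge (certbot runs the post-hook on failure as well): close port 80
# again by deleting the rule if it is still there.
hook_post() {
    if rule_present; then
        acme_rule -D
    fi
}

case "${1:-}" in
    pre)  hook_pre ;;
    post) hook_post ;;
    "")   : ;;   # no argument: functions are defined but nothing is applied
    *)    echo "usage: $0 pre|post" >&2; exit 2 ;;
esac
```

Because the rule is only present between the two hooks, a failed renewal still ends with the geo-restriction fully in force; the check-before-insert (-C) keeps repeated runs from stacking identical ACCEPT rules.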