My system is firewalled, how do I configure the firewall to let the LetsEncrypt challenge through?

Please fill out the fields below so we can help you better.

My domain is:
caltech.flint.caltech.edu

I ran this command:
sudo certbot --apache certonly
OR
sudo certbot renew

It produced this output:
Attempting to renew cert from /etc/letsencrypt/renewal/caltech.flint.caltech.edu.conf produced an unexpected error: Failed authorization procedure. caltech.flint.caltech.edu (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 131.215.229.46:443 for TLS-SNI-01 challenge. Skipping.

My operating system is (include version):
OSX El Capitan

My web server is (include version):
Apache 2.2

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Three months ago, when I set up a cert for my dev site through Let’s Encrypt, it was a gigantic hassle. So I wasn’t terribly surprised that when my cert expired, it became a hassle again to renew it.

The main problem is that I have to keep my machine strictly firewalled from outside traffic due to company policy. I’ve had to disable it temporarily to allow the LE challenges to get through, but I can’t simply leave it disabled so that certbot can perform automatic renewal. I need to know from whence I can expect renewal challenges to originate, so I can allow those origins through my firewall.

Unless there’s some other way to pass the challenges that doesn’t require a hole in my firewall? I’ve heard that there are other kinds of challenges, but have had no luck getting them to work. For instance, when I try certbot --apache --preferred-challenges http-01, I get:

None of the preferred challenges are supported by the selected plugin

What can I do? Self-signed certs are not an option due to certain functionality on my site requiring a real cert to be installed on the server.

Let's Encrypt does not publish the IP addresses of its validation servers. See this FAQ item for more details:

What IP addresses will Let's Encrypt use to validate my web server?

We don't publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

An alternative that does not involve exposing any ports would be the dns-01 challenge, where you verify domain ownership using a special TXT record. With certbot, you can do this with the manual plugin. See certbot --help manual for more information on how that would work. Despite the name of the plugin, solving the challenge can also be automated using --manual-auth-hook if your DNS server allows you to programmatically set or update DNS records. If that's not possible, acme-dns might be another option for automation.

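As an added illustration of the dns-01 route described in the reply above (this is example code written for this page, not code from the thread or from certbot itself): a single POSIX shell script that serves as both `--manual-auth-hook` and `--manual-cleanup-hook`. It publishes the `_acme-challenge` TXT record with an RFC 2136 dynamic update via `nsupdate`, waits until a public resolver can see the record, and removes it again afterwards. The only traffic involved is outbound from the firewalled host to its own DNS primary, so no inbound port has to be opened. The TSIG key path `/etc/letsencrypt/acme-tsig.key`, the primary name server `ns1.example.net`, the hook path `/etc/letsencrypt/dns-hook.sh` and the resolver `8.8.8.8` are assumptions for the example; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables certbot really exports to manual hooks.

```shell
#!/bin/sh
# Added example (not from the original thread or from certbot): dns-01 auth and
# cleanup hook for certbot's manual plugin, using RFC 2136 dynamic updates so the
# firewalled web server never needs to accept inbound validation connections.
#
# Assumed (not in the original post): the zone's primary accepts TSIG-signed
# updates with the key at /etc/letsencrypt/acme-tsig.key, and this script is
# installed as /etc/letsencrypt/dns-hook.sh.  Intended invocation:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/etc/letsencrypt/dns-hook.sh add" \
#     --manual-cleanup-hook "/etc/letsencrypt/dns-hook.sh del" \
#     -d caltech.flint.caltech.edu
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.

set -eu

TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}"   # assumed key file
DNS_PRIMARY="${DNS_PRIMARY:-ns1.example.net}"             # assumed primary NS
RESOLVER="${RESOLVER:-8.8.8.8}"                           # assumed public resolver
TTL=60

# Challenge record name: "_acme-challenge." prepended to the domain.
# A leading "*." is stripped defensively; a wildcard's record sits at the base name.
acme_txt_name() {
  d="${1#\*.}"
  printf '_acme-challenge.%s\n' "$d"
}

# Emit the nsupdate batch that adds or deletes the TXT record.
# $1 = add|del, $2 = domain, $3 = validation value supplied by certbot.
nsupdate_batch() {
  name="$(acme_txt_name "$2")"
  printf 'server %s\n' "$DNS_PRIMARY"
  case "$1" in
    add) printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$3" ;;
    del) printf 'update delete %s IN TXT "%s"\n' "$name" "$3" ;;
    *)   echo "usage: $0 add|del" >&2; return 2 ;;
  esac
  printf 'send\n'
}

# Poll a public resolver until the record is visible, so certbot does not ask
# the CA to validate before the update has propagated (up to 150 seconds).
wait_for_txt() {
  name="$1"; want="$2"; tries=0
  while [ "$tries" -lt 30 ]; do
    if dig +short TXT "$name" "@$RESOLVER" | grep -Fq "\"$want\""; then
      return 0
    fi
    tries=$((tries + 1)); sleep 5
  done
  echo "TXT record for $name not visible after 150s" >&2
  return 1
}

# Only act when certbot invoked us (it sets CERTBOT_VALIDATION); loading the
# file without that variable, e.g. for testing, changes nothing in DNS.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
  action="${1:-add}"
  nsupdate_batch "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
    | nsupdate -k "$TSIG_KEY"
  if [ "$action" = add ]; then
    wait_for_txt "$(acme_txt_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
  fi
fi
```

Scope the TSIG key on the DNS side to updates of `_acme-challenge` names only, so a compromise of the web host cannot rewrite the rest of the zone. If the DNS provider offers no dynamic updates or API, the reply's acme-dns suggestion applies instead: a one-time CNAME from `_acme-challenge.<domain>` to an acme-dns host, after which the hook updates that host rather than the main zone.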
