Palo Alto firewall users with failing HTTP-01 challenges: enable "acme-protocol"

Hi Let's Encrypt users,

Do you have a Palo Alto brand firewall product on your network? Are you having unexpected trouble renewing an existing Let's Encrypt certificate since about April 2022 using an HTTP-01 challenge method?

There was apparently a recent software change in some Palo Alto firewall products which defaults to blocking certain connections that the Let's Encrypt certificate authority makes to your systems and that Let's Encrypt uses to validate your control over domain names. Prior to this change, these connections were typically not blocked by default, so long as other web traffic was permitted.

If you have such a firewall in between your web servers and the Internet (especially a "web application firewall" or "WAF"), and you're having trouble getting or renewing a Let's Encrypt certificate, you should modify your firewall policies and enable acme-protocol connections from the Internet to your servers. The connections in question are only one specific portion of the ACME protocol, but this is apparently the term that Palo Alto now uses in its configuration to refer to them.

More information about this issue can be found by searching recent forum topics, with a search like


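A way to check for the symptom described in the post above, as an added example that is not part of the original post: it requests a test file under the HTTP-01 challenge path and a control page on the same host, then reports whether only the challenge path is being dropped. It assumes you run it from a machine outside the firewall, that you have placed a test file with known contents in the challenge directory yourself, and that the firewall treats this plain request the way it treats the CA's; the function names and verdict strings are made up for this example.

```python
import socket
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path from RFC 8555

def http_get(url, timeout=10):
    """Return (status, body). Transport failures propagate as OSError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:      # 4xx/5xx still means HTTP got through
        return err.code, err.read(4096)
    except urllib.error.URLError as err:       # unwrap the underlying socket error
        if isinstance(err.reason, OSError):
            raise err.reason from err
        raise OSError(str(err.reason)) from err

def probe(url, fetch):
    """Classify one request as ('http', status, body) or ('dropped', reason, b'')."""
    try:
        status, body = fetch(url)
        return "http", status, body
    except (TimeoutError, socket.timeout):
        return "dropped", "timeout", b""
    except ConnectionError as err:             # reset, refused, aborted
        return "dropped", type(err).__name__, b""

def diagnose(domain, token, expected, fetch=http_get):
    """Compare the challenge URL with a control URL on the same host."""
    control = probe(f"http://{domain}/", fetch)
    challenge = probe(f"http://{domain}{CHALLENGE_PREFIX}{token}", fetch)
    kind, status, body = challenge
    if kind == "http" and status == 200 and body.strip() == expected:
        return "challenge-path-ok"
    if kind == "dropped" and control[0] == "http":
        # Ordinary web traffic passes but the challenge path does not.
        return "challenge-path-filtered"
    if kind == "dropped":
        return "host-unreachable"
    return f"http-{status}-unexpected-response"  # 404, block page, wrong vhost, ...

if __name__ == "__main__":
    import sys
    # usage: DOMAIN TOKEN EXPECTED_BODY  (token/body are your own test file)
    print(diagnose(sys.argv[1], sys.argv[2], sys.argv[3].encode()))
```

A `challenge-path-filtered` verdict only shows that something between the probe and the web server treats the challenge path differently from other web traffic; the firewall's own traffic logs are what confirm which policy did it.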