Pre-hook not running early enough to modify firewall

Hello, my server has an iptables firewall set up to NOT allow any outbound http/https requests to the internet under normal operation. I am trying to set up a pre-hook/post-hook that will temporarily open this access so that certbot can renew, however the pre-hook doesn't seem to be invoked early enough in the process to allow this to happen.

Certbot is attempting to connect outbound PRIOR to invoking the pre-hook.

Any thoughts on how to fix or workaround this?

I ran this command:
certbot renew

It produced this output:
Attempting to renew cert (XXXXXXXXXXXXXXX) from /etc/letsencrypt/renewal/XXXXXXXXXXXX.conf produced an unexpected error: Requesting acme-staging-v02.api.letsencrypt.org/directory: Connection refused. Skipping.

The operating system my web server runs on is (include version):
Debian 10

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Yes, none of the hooks in Certbot will run early enough to be able to solve this. Sorry!

I assume that Debian 10 uses systemd for its Certbot cronjob, so what you can do is use a systemd override with ExecStartPre to unblock outbound access.

You'd do something like:

sudo systemctl edit certbot.service

make the contents

[Service]
ExecStartPre=/script/to/unblock/outbound/access

and then

sudo systemctl daemon-reload
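As an added example (not from the original thread or the Certbot project), here is one way to wire up the override described above. It assumes the helper script is installed at /usr/local/sbin/certbot-fw, that the firewall blocks outbound traffic in the iptables OUTPUT chain, and that port 80/443 rules tagged with a comment can be inserted and removed without disturbing the rest of the policy. Besides ExecStartPre, it uses ExecStopPost, which systemd runs even when the main process fails, so the outbound window is closed again whether or not the renewal succeeded.

```shell
#!/bin/sh
# Added example (not from the original thread): helper called from a
# systemd drop-in for certbot.service. It opens outbound 80/443 before
# certbot runs and removes those rules again afterwards.
# Paths, the chain name and the comment tag are assumptions; adjust them
# to match the existing firewall policy.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
TAG="certbot-renew"                # comment tag so the rules are easy to find

# One rule per destination port, inserted at the top of OUTPUT so it wins
# over the existing DROP/REJECT policy; the same spec with -D removes it.
fw_rule() {
    # $1 = -I (insert) or -D (delete), $2 = destination port
    "$IPTABLES" "$1" OUTPUT -p tcp --dport "$2" \
        -m comment --comment "$TAG" -j ACCEPT
}

fw_open() {
    fw_rule -I 80
    fw_rule -I 443
}

fw_close() {
    # Ignore failures so a partially applied open still gets cleaned up.
    fw_rule -D 80 || true
    fw_rule -D 443 || true
}

# Drop-in contents to paste into `systemctl edit certbot.service`.
# ExecStopPost runs even if certbot exits non-zero, closing the window on error too.
render_dropin() {
    cat <<EOF
[Service]
ExecStartPre=/usr/local/sbin/certbot-fw open
ExecStopPost=/usr/local/sbin/certbot-fw close
EOF
}

case "${1:-}" in
    open)   fw_open ;;
    close)  fw_close ;;
    render) render_dropin ;;
esac
```

Install the script at the assumed path, run `sudo systemctl edit certbot.service` and paste the output of `certbot-fw render`, then check the result with `systemctl cat certbot.service` and exercise it once with `sudo systemctl start certbot.service`. Note that the override only applies when certbot is started through the unit (for example by certbot.timer); running `certbot renew` by hand from a shell bypasses it, so use `systemctl start` for manual tests. A dry run with `IPTABLES=echo ./certbot-fw open` shows the exact rules that would be inserted.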