Problem about the Check Point firewall access and Let's Encrypt

Hi Sirs,

I have an HTTPS website on an external network and I cannot open this website from a client computer in the internal isolated network. But I can open this website from the external network, for example when connecting over Wi-Fi.
The IT guy said they have closed all IPs and ports on the internal side and only open 443 for specified IPs and FQDNs. Does the firewall need to open other ports or allow access to other IPs or FQDNs?

Thanks

From the external side:
It depends on the authentication method chosen for cert renewals.
If you choose HTTP, then you will need to allow HTTP access to your server.
If you choose DNS, then LE will only need access to your public DNS zone.
Which client did you use and which authentication method?

From the Internal side:
You probably only need HTTPS access.
[but that depends entirely on your use - which ports will you be using the cert on?]

I think @percy682 might be asking about trouble accessing an existing site that is using a Let’s Encrypt certificate. Is that right?

I suppose it's possible that your browser is failing to connect because access to the Let's Encrypt OCSP server is not permitted by the firewall (port 80), if the site is not using OCSP stapling. But browsers are not really meant to fail to connect entirely if the OCSP URL is blocked.

Hard to say for sure without a screenshot of the error.

Hello rg305,

First, thanks for your reply. About the website: it was created on the Amazon platform.
I just would like to open this website from the internal isolated network. IT only allows one policy (port 443 for letsencrypt.org) and everything else is closed. I am not sure if the firewall (Check Point) needs to open some other IP or FQDN?

Sorry, I am a beginner with LE.

I'm sorry I don't think I understand:

Hello _az,

Thanks for your reply.
The external website was made by another guy and I cannot get any information from him about how the cert was created.
The Chrome browser shows that the CA cert cannot be trusted.

Thanks

Hmm, maybe a firewall MITM is replacing the certificate.

If you click on the NET::ERR_CERT_AUTHORITY_INVALID text, some more info should show up. What does it say for Issuer?

The issuer is the website's name, not DST ROOT… or LE.

But the browser still shows it as not trusted and unsafe.

Man @rg305 you had it exactly right the entire time. Sorry :frowning: .

@percy682 if you want to issue a trusted certificate for this internal domain, one way is to use DNS authentication via NS1. Let’s Encrypt can verify control of the domain by checking a TXT record on the external side, and this will give you a certificate you can use on the internal side. No inbound firewall rule is required, only outbound to acme-v02.api.letsencrypt.org:443 and also to NS1 API.

If using Certbot, you can use the NS1 plugin: https://certbot-dns-nsone.readthedocs.io/en/stable/

Otherwise, for HTTP authentication, you must have a public HTTP server for the domain.
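As an added illustration of the DNS-01 verification _az describes (this is not code from the thread, from Certbot or from the NS1 plugin): given an ACME account key and a challenge token, it computes the value Let's Encrypt expects in the `_acme-challenge` TXT record, so you can confirm the record published in the external DNS zone before the CA looks it up. The account key, token and record values below are constructed samples, not real account data.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not a real ACME account): the public part of an
# EC account key in JWK form, and a challenge token as the CA would hand it out.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic key order,
    no whitespace, then SHA-256 of the UTF-8 JSON."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value the CA expects in _acme-challenge.<domain> TXT for DNS-01:
    base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def txt_record_satisfies(token: str, jwk: dict, published: list) -> bool:
    """Pre-flight check: does any TXT string already published in the zone
    match what the CA will compute? Lets you catch a stale or mistyped
    record before the challenge is triggered."""
    return dns01_txt_value(token, jwk) in published


if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("publish _acme-challenge TXT:", expected)
    print("record ok:", txt_record_satisfies(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK, [expected]))
```

Only the account key's public part and the token are needed to compute this, which is why the internal side needs no inbound rule: the CA reads the TXT record from the public zone, and the host only needs outbound access to the ACME API and the DNS provider's API.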