Public ip to renew certificate for geolocalization

Hi,
i use let's ecrypt services for my certificates.
My security policy need to filter traffic only from italy.
So, to allow the auto-renew of my certificate, i want to filter not for all u.s.a. country, but for specific public ip from u.s.a.
Is it possible hava a spefic list?

Thank you

1 Like

No. Please see the appropriate FAQ entry here: FAQ - Let's Encrypt

5 Likes

You could use dns-01 validation (as long as you don't firewall your authoritative nameservers as well), or you can open and close the filter with the proper hooks --pre-hook and --post-hook.

5 Likes

Or configure your firewall to accept requests for /.well-known/acme-challenge/ regardless of the source.

6 Likes

OR
Accept all* HTTP requests and just redirect them all to HTTPS [which has the country restrictions]
All* - except challenge requests [to /.well-known/acme-challenge/]

5 Likes

IP firewall implementations are rarely able to do that. They're usually running on the kernel level and are really only concerned with IPs and Ports. You can't analyze traffic on that layer to block/allow, because the url might not be in a given packet.

It's possible the OP is running their IP filtering rules in system software and can enable url filtering there, like a proxy or gateway daemon, but that would be rare and really inefficient compared to kernel level routing/blocking.

4 Likes

Indeed, at least on Linux (don't know about other *nix), iptables is actually part of the kernel.

An application-level filter needs software like haproxy.

5 Likes

If you google on Deep Packet Inspection or DPI, you can find a few DPI modules for netfilter.

4 Likes

"Come to the dark side, we have DPI!"

:smiley:

(It sounds enticing, tho: I wonder if I can just make it drop any connection that does not include a proper SNI)

3 Likes

@jvanasco, aren't firewalls capable of allowing all HTTP (port 80) and geoblocking on HTTPS (port 443)?
[The forwarding can then happen on a web server (as usual)]

3 Likes

That's why I said "rarely able". It's possible to do DPI or even build in a regex plugin to most kernel routing systems - that isn't really a widespread production practice yet though, due to both performance and dev/ops management concerns.

From a tech standpoint, that's a standard pattern that is easily supported. On most Linux you can use the iptables userland application to manage the kernel firewall rules by enabling/disabling ip addresses (or ranges) for specific ports. I often use pre/post hooks in certbot to load/unload these rules for acme-dns's DNS and web ports.

When people are doing geo-ip based restrictions due to a "security policy" like the OP requested though, there is generally a corporate mandate to drop all traffic outside of a local region – and that decision was made at a much higher organizational level than the person responsible for renewing a certificate.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.