Reissue of certificate fails

I wish I'd thought of that :slight_smile:

11 Likes

:smile: A clear case of "TL:DR". :rofl:

9 Likes

Yes, I am not known for brevity :slight_smile:

11 Likes

Quick update. Sorry it doesn't yet provide a solution.

Just thought I'd say that the curl results information has been passed to the parent company network team.

Also, is it possible to edit the screenshot in the beginning as the network team are concerned that private IP is shown...

1 Like

Done. :+1:

10 Likes

Thank you. I'm on a call now so will update later :slight_smile:

2 Likes

Firstly, may I thank you all in this thread who have contributed. The solution was indeed to create a rule on the Palo Alto firewall allowing acme-protocol to pass through. There were one or two other issues I think in the firewall which confused things for a while.

But ultimately it was acme-protocol. Allow from public IP to internal IP. Initially this had been set to outbound only. Once it was set to inbound also, the site auto-renewed the certificate before I could make another manual attempt.

4 Likes
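The resolution above hinges on the CA being able to reach the web server from the outside for the HTTP-01 challenge. As an added example (not code from this thread or from Let's Encrypt), the following Python serves a challenge response on loopback and probes it the way the CA's validator would, so a "connection refused / timed out" result (what a blocked inbound path looks like) can be told apart from a wrong or missing response. The JWK and token are constructed placeholders; the real check has to be run against the public IP from outside the firewall.

```python
import base64, hashlib, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def b64url(data: bytes) -> str:
    # base64url without padding, as ACME requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 s8.1: token "." base64url(SHA-256 of the RFC 7638 JWK thumbprint input).
    # Assumes jwk holds only the required members, so sorted keys give canonical order.
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return token + "." + b64url(hashlib.sha256(canonical).digest())

def serve_challenge(token: str, keyauth: str) -> HTTPServer:
    # Loopback stand-in for the web server behind the firewall; answers only the challenge path.
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != CHALLENGE_PREFIX + token:
                self.send_error(404)
                return
            body = keyauth.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # silence request logging
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(url: str, expected: str, timeout: float = 3.0) -> str:
    # Fetch like the CA's validator would and classify the outcome.
    try:
        with urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode().strip()
    except HTTPError as exc:
        return f"http {exc.code}"          # web server reached, wrong path or config
    except OSError as exc:                 # refused, timed out, reset
        return f"unreachable: {exc}"       # nothing reached the web server at all
    return "ok" if body == expected else "wrong body"
```

Run `probe("http://<public-ip>/.well-known/acme-challenge/<token>", keyauth)` from a host outside the network to reproduce what the validator sees; an "unreachable" result with a working local server points at the inbound firewall rule rather than the web server.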

Many thanks for confirming Palo Alto firewall. Very helpful.

9 Likes

@Jabbs I am having a similar issue and have confirmed that the firewall is Palo Alto Networks.

You said acme-protocol but elsewhere I have seen acme-challenge as what needs to be allowed.

Can anyone (e.g. @MikeMcQ) provide advice that I can pass on to the IT/network person I'm talking to about what exactly to do in the PAN firewall settings?

They seem to be focused on the outbound connection to acme-staging-v02.api.letsencrypt.org but I guess that's not the issue.

They have also said:

The SSL and URL filtering had been allowed on the firewall. We have a dynamic DB for URL filtering which is updated by external vendor. But acme traffic had only triggered the low risk alert so far.

Thanks.

3 Likes

Hi @nanana,

Unfortunately, I was only sending and receiving feedback from the parent company's security team.

I believe that they set up an 'application' inside Palo Alto, and yes you could be right, it may in fact have been acme-challenge for the name of the application.

You definitely need inbound and likely outbound rules to ALLOW acme-challenge.

Sorry I can't be any more help!

Jonathan

4 Likes

@nanana I will reply shortly on your original thread

9 Likes

I appreciate the response @Jabbs !

In the interest of assisting others who stumble upon this thread, I think it was indeed acme-protocol that needed to be allowed. At least that is what our network people told me they did.

With that, all resolved now for me. Hooray!

3 Likes

Fantastic! :slight_smile:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.