Renewal problems with Multi-Perspective Validation - security issue

We have an infrastructure service we open for certain clients.
These clients' IP addresses are opened and NAT'ed in our firewall.
As domain name we use a DDNS FQDN which is signed by Let's Encrypt.
This is because the clients need a certified FQDN to access the server.
This all worked fine that way until Multi-Perspective Validation was introduced.
Ever since, we need to open the firewall for the renewal process for worldwide HTTP access, which is a security issue on our side.
Is there a way to overcome this issue?

One solution would be to use a deep packet inspection firewall to have a separate rule for access to the /.well-known/acme-challenge/ path.
Another option is to use the DNS challenge.

3 Likes

Hi @skuers,

As @Osiris said, switching to the DNS-01 challenge may be the best solution. With DNS-01, ACME clients themselves no longer need to be exposed to the Internet to obtain a certificate. However, depending on your DNS setup, this challenge type may be... challenging to use :wink:

Do you limit access to your service on both port 80 (HTTP) and 443 (HTTPS)? If port 443 is unrestricted, you may try to use the TLS-ALPN-01 challenge - but in that case, also read Best Practice - Keep Port 80 Open - Let's Encrypt (quite often the same software handles HTTP and HTTPS traffic, which means that keeping HTTP open only to serve a redirect to HTTPS does not increase the attack surface - as HTTPS traffic re-uses the HTTP handling logic).

If you restrict both HTTP and HTTPS and whitelist the Let's Encrypt validation authority IP addresses, please note that such a setup is prone to break even with single-perspective validation, as Let's Encrypt VA IPs may change at any time without advance notice. If you do, you should switch to DNS-01 (or, if your firewall is capable enough, follow @Osiris's suggestion and create an exception for HTTP/HTTPS traffic targeting the /.well-known/acme-challenge/ path).

3 Likes
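To make the per-path exception suggested above concrete, here is an added example (not code from the thread or from Let's Encrypt): a small Python policy function of the kind a layer-7 firewall or reverse proxy applies, which admits requests under /.well-known/acme-challenge/ from any source while every other path requires a source address inside the allowed client ranges. The client networks are constructed sample values, and the path is percent-decoded and dot-segment normalized before matching so that traversal tricks cannot ride on the public prefix.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed sample: the client networks that are NAT'ed through the firewall.
ALLOWED_CLIENTS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

# Only this path prefix is served to the whole Internet (HTTP-01 validation).
ACME_PREFIX = "/.well-known/acme-challenge/"


def normalize_path(path: str) -> str:
    """Decode and collapse dot segments so that e.g.
    '/.well-known/acme-challenge/%2e%2e/admin' is compared as '/admin'."""
    # Drop query string and fragment, then percent-decode the remainder.
    path = unquote(path.split("?", 1)[0].split("#", 1)[0])
    if not path.startswith("/"):
        path = "/" + path
    normalized = posixpath.normpath(path)
    # normpath strips a trailing slash; restore it so prefix checks stay exact.
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def allow_request(client_ip: str, path: str) -> bool:
    """Return True if the request may be passed to the backend service."""
    norm = normalize_path(path)
    # Challenge tokens are public by design, so any validation perspective
    # may fetch them; the bare directory itself is not exposed.
    if norm.startswith(ACME_PREFIX) and norm != ACME_PREFIX:
        return True
    # Everything else stays limited to the whitelisted client networks.
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_CLIENTS)
```

The same two rules, in that order, are what the DPI exception on the firewall has to express; the ACME client must additionally keep only the challenge tokens under that directory.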

WOW! First of all, let me thank you. I'm really thrilled how fast my problem got answered after I literally searched for months before posting it here... I definitely should have posted this earlier :slight_smile:

I'm currently investigating if a Zyxel USG 110 is capable of doing such a specific DPI - because then I would prefer this way.

I'll let you know and mark the answers as the solution as soon as I have figured it out.

Thanks again!

2 Likes
