Second validation was failing due to my firewall

Hi there. We recently discovered that our AutoSSL (that was functioning perfectly for years) started to alert us of errors, specifically on the second validation to the acme txt dns.

Anyway, after some digging and similar posts here found out that it could be two options:

1.- The 2nd validation servers had problems
2.- My server's firewall is blocking those incoming connections.

So made a quick test, turned off firewall on my box and AutoSSL completed successfully.

I need to whitelist these Second Validation servers on my firewall; just wondering if someone here can help me with the IPs of such servers or their range.

I'm trying to find the blocked IPs on my firewall, but it's been a pain in the rear to find them.

Thanks for reading!

1 Like

It has been discussed to death here for years and the takeaway is always the same. The policy is not going to change.

Let's Encrypt does not "publish a list of IP addresses we use to validate, and these IP addresses may change at any time."

3 Likes

Ohh ok, I get it, makes sense. Thanks for the heads-up.

Hmm, wondering how I can fix this... it's like finding a needle in a haystack!

2 Likes

The easiest way is to allow unfiltered access to port 80. If you will not or can not do that, you will need to change to DNS-01 validation. As long as you are not geoblocking DNS queries to your authoritative nameservers, that method should work.

2 Likes

Just adding on to @linkp's comment is this Let's Encrypt post

2 Likes

@linkp @MikeMcQ Looking at

OP is already using the dns-01 challenge?

3 Likes

Oh, maybe so! 🙂 I often don't read such things that literally...

3 Likes

Wow. I didn't catch that because, who geoblocks DNS queries to authoritative nameservers?

3 Likes

Yeah, that's the only part which would be a reason to believe OP is not using the dns-01 challenge: who geoblocks their DNS server? 🤷

3 Likes

Well, I thought AutoSSL only had limited support for DNS Challenge which did not include self-hosted DNS. So, there's that too. I could be remembering wrong though.

2 Likes

That's also something I considered, but don't know for sure. And was too lazy to double-check.

1 Like

Not this one:

1 Like

Well, "that box" could also be the authoritative nameserver 😉

But I agree, it doesn't sound very probable, but OP does mention "acme txt dns", whatever that may mean besides the dns-01 challenge 🙂

2 Likes

Then it would also have to have sole authoritative control of that DNS zone.
That is usually done with [at least] two distinct systems.

2 Likes

Usually yes, but not always 🙂 (For hobby/home situations or something similar...)

1 Like

It is disturbingly common to see ns1 and ns2 both resolve to the same IP in cheap shared cPanel hosting setups. I have no idea if that is the case here.

2 Likes

Yes, why not? I mean, we have five cars in my house and we all share one single spare tire!
ROFLMAO

1 Like

Some people do, but...

Let's Encrypt follows CNAMEs, so you can delegate a DNS-01 challenge from a public authoritative server onto a semi-public server. I do that with acme-dns challenges, and use hooks to open/close the firewall during certbot operations.

2 Likes
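To make the two technical points in this thread concrete (the earlier advice that DNS-01 only works if you are not geoblocking queries to your authoritative nameservers, and the post above about delegating `_acme-challenge` via CNAME to a semi-public acme-dns host), here is an added, self-contained Python model. It is not code from the thread, from Let's Encrypt, or from acme-dns: it simulates a validator that follows the CNAME chain from several vantage points and shows why a geoblock on the delegated target fails the whole order. All zone data, server names (`ns1.example.com`, `acme-dns.example.net`), the token, and the region names are constructed for the demo, and the "every vantage point must succeed" rule is a deliberate simplification of the CA's real quorum logic.

```python
"""Offline model of a multi-perspective DNS-01 check with CNAME delegation.
Everything below (servers, zones, token, regions) is constructed sample data."""
from dataclasses import dataclass, field

MAX_CNAME_HOPS = 8  # stop following CNAMEs after this many hops (loop guard)


@dataclass
class AuthServer:
    """A constructed authoritative name server with an optional geoblock list."""
    name: str
    zones: tuple                          # zone apexes this server answers for
    records: dict                         # (owner, rtype) -> list of rdata strings
    blocked_regions: set = field(default_factory=set)

    def query(self, owner, rtype, region):
        if region in self.blocked_regions:
            # A geoblocked validator sees a refusal/timeout, not an empty answer.
            raise ConnectionError(f"{self.name} refused query from {region}")
        return list(self.records.get((owner.lower(), rtype), []))


def authority_for(owner, servers):
    """Pick the server whose zone is the longest suffix of owner (toy zone-cut logic)."""
    best, best_len = None, -1
    for srv in servers:
        for zone in srv.zones:
            if (owner == zone or owner.endswith("." + zone)) and len(zone) > best_len:
                best, best_len = srv, len(zone)
    if best is None:
        raise LookupError(f"no authority for {owner}")
    return best


def resolve_txt(owner, servers, region):
    """Follow CNAMEs from owner as a validator would; return (final_owner, txt_values, path)."""
    path = [owner]
    for _ in range(MAX_CNAME_HOPS):
        srv = authority_for(owner, servers)
        cnames = srv.query(owner, "CNAME", region)
        if not cnames:
            return owner, srv.query(owner, "TXT", region), path
        owner = cnames[0].lower()
        path.append(owner)
    raise RuntimeError("CNAME chain too long: " + " -> ".join(path))


def validate_dns01(domain, token, servers, regions):
    """Run the DNS-01 TXT check from every vantage point; in this model all must pass."""
    owner = f"_acme-challenge.{domain}".lower()
    results = {}
    for region in regions:
        try:
            final, txts, path = resolve_txt(owner, servers, region)
            if token in txts:
                results[region] = (True, "ok via " + " -> ".join(path))
            else:
                results[region] = (False, f"no matching TXT at {final}")
        except (ConnectionError, LookupError, RuntimeError) as exc:
            results[region] = (False, str(exc))
    return all(ok for ok, _ in results.values()), results


TOKEN = "constructed-key-authorization-digest"   # stands in for the real challenge value
REGIONS = ("us-east", "eu-west", "apac")         # constructed validator vantage points


def build_servers(geoblock=()):
    """Public zone delegates _acme-challenge by CNAME to an acme-dns style host."""
    public_ns = AuthServer(
        name="ns1.example.com", zones=("example.com",),
        records={("_acme-challenge.example.com", "CNAME"): ["abc123.acme-dns.example.net"]},
    )
    acme_dns = AuthServer(
        name="acme-dns.example.net", zones=("acme-dns.example.net",),
        records={("abc123.acme-dns.example.net", "TXT"): [TOKEN]},
        blocked_regions=set(geoblock),   # the "semi-public" server's geoblock
    )
    return [public_ns, acme_dns]


def run(geoblock=()):
    """Validate example.com with the given regions blocked at the delegated server."""
    return validate_dns01("example.com", TOKEN, build_servers(geoblock), REGIONS)


if __name__ == "__main__":
    for label, block in (("geoblocking apac", {"apac"}), ("no geoblock", set())):
        ok, per_region = run(block)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for region, (r_ok, why) in per_region.items():
            print(f"  {region:8} {'ok ' if r_ok else 'ERR'} {why}")
```

The first run fails only from the blocked vantage point, which is exactly the "second validation" symptom the original poster saw: the public nameserver answers fine, but the CNAME target refuses one of the CA's perspectives, so the order does not complete. Against a real zone the same check is a plain `dig _acme-challenge.example.com TXT` from a few different networks or public resolvers; if one of them gets no answer where the others do, the delegated server's filtering is the place to look.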

How would I get the CNAME response, if my request was geoblocked?

1 Like

No, the semi-public server to which the CNAME points would be (geo)blocked.

2 Likes