Server Whitelisting for CA Validation

I’m not used to this kind of issue, so the question might look stupid, but so far I’ve been unable to find an answer around the web, so here I am.

I recently had an issue in which a client (a remote server, not managed by me) was unable to connect to our server.
We are protecting the connection with a valid and working Let’s Encrypt certificate.

The first error was about a connection timeout, “context deadline exceeded (Client.Timeout exceeded while awaiting headers)”, but the underlying error was “x509: certificate signed by unknown authority”.

They found out that to allow the communication they had to whitelist some IPs:

  • 40.90.22.189 (Microsoft)
  • 40.90.22.185 (Microsoft)
  • 8.250.153.204 (Level 3 Parent, LLC)

The IT guys who manage the client server don’t like the idea of whitelisting IPs though, so they asked if it’s possible to have some FQDNs to whitelist.

The question is:
Is there a series of FQDNs (ideal option) or IPs to whitelist in order to allow the CA to be verified?


I assume you are already obtaining certificates successfully, so you aren’t talking about the ACME client’s validation.

The client validates the certificate against its internal certificate trust store. There isn’t any need to whitelist any servers except your server. You should check the client’s certificate trust store and make sure DST Root CA X3 along with ISRG Root X1 appears. I would then check your server to ensure you are sending the intermediate certificate (that’s one thing I thought of that could cause this issue).

There’s also the possibility that a MITM situation is happening, either with some network proxy or antivirus. You should check if the certificate the client is receiving is the same as what your server sent.

EDIT: I guess you may need to allow communication to the Let’s Encrypt OCSP responder if your server doesn’t properly staple responses. But clients shouldn’t hard fail if this doesn’t work.

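The three failure modes named in the reply above (root missing from the client's trust store, server not sending the intermediate, and a MITM proxy re-signing the certificate) all surface as the same "x509: certificate signed by unknown authority" error on the client. The following Go program is an added example, not code from the thread or from Let's Encrypt; it builds a throwaway root/intermediate/leaf hierarchy in memory (the hostname and CA names are constructed) and runs Go's own chain verification, the same code path the poster's client hit, with no network access at all. That is the point of the reply: validation is local, so there is nothing to whitelist.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hostname is a constructed name for the example server, not the poster's real host.
const Hostname = "api.example.test"

// issue signs tmpl with parentKey; when parent is nil the certificate is self-signed (a root).
// Keys are throwaway P-256 keys generated on each run.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate is a minimal CA certificate: basic constraints with CA=true and keyCertSign,
// which Go's verifier insists on for every issuer in the path.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// Chain is a root -> intermediate -> leaf hierarchy, the shape of a Let's Encrypt issuance.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildChain creates a fresh root, an intermediate signed by it, and a server leaf for Hostname.
func BuildChain(rootName string) Chain {
	root, rootKey := issue(caTemplate(rootName, 1), nil, nil)
	inter, interKey := issue(caTemplate(rootName+" Intermediate", 2), root, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: Hostname},
		DNSNames:     []string{Hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := issue(leafTmpl, inter, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyAsClient does what a Go HTTPS client does during the handshake: build a path from
// the leaf, through whatever extra certificates the server presented, to a root that is in
// the client's own trust store. Nothing here talks to the CA or to the network.
func VerifyAsClient(leaf *x509.Certificate, presented, trusted []*x509.Certificate) error {
	roots := x509.NewCertPool() // an explicit (possibly empty) pool, never the system store
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: Hostname})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown authority"
// failure quoted in the question.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	site := BuildChain("Example Root")
	proxy := BuildChain("Proxy Root") // an interception box with its own CA
	trust := []*x509.Certificate{site.Root}
	show := func(name string, err error) {
		fmt.Printf("%-42s ok=%-5v unknown-authority=%v\n", name, err == nil, IsUnknownAuthority(err))
	}
	show("leaf+intermediate sent, root trusted", VerifyAsClient(site.Leaf, []*x509.Certificate{site.Intermediate}, trust))
	show("server sends leaf only", VerifyAsClient(site.Leaf, nil, trust))
	show("client trust store lacks the root", VerifyAsClient(site.Leaf, []*x509.Certificate{site.Intermediate}, nil))
	show("MITM proxy re-signs with its own CA", VerifyAsClient(proxy.Leaf, []*x509.Certificate{proxy.Intermediate}, trust))
}
```

Only the first case verifies; the other three all produce the identical error the poster saw, which is why the error text alone cannot tell you whether the fix belongs on the server (send the intermediate), on the client (install the root), or on the network path (stop the interception). Checking which certificate the client actually receives, as the reply suggests, distinguishes them.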
