Solution for Orgs Who Use Restrictive Firewalls

My organization blocks most of the world alongside a fair number of organizations since there is zero reason to have that traffic hitting our servers, including authoritative DNS servers. We no longer have millions of attacks aimed at our network infrastructure from a single authoritarian regime each month.

I am hoping to learn of some well thought out suggestions from someone for how I might be able to adopt Let's Encrypt where both the HTTP and DNS challenges fail due to a restrictive firewall. I saw where at least one person asked about CIDR blocks as a potential compromise, but she never did receive a helpful response.

In order to ensure that your system actually controls your name as seen by everywhere on the Internet, a CA has to check how that name works from everywhere on the Internet. Even if you're only expecting traffic from a small region, the certificate that a CA gives you is valid globally.

You've probably seen this already, but all the suggestions I know of are in there:

There aren't many organizations that restrict their authoritative DNS servers, so there might not be a lot of suggestions out there. Your best bet may be to see if you can hook the blocking into the hooks for your ACME client so that it allows all traffic only during the time that domain validation is being performed. Or depending on exactly how you're blocking things, maybe you can allow for _acme-challenge TXT records from everywhere even if you're blocking other types of DNS queries.

You could also try using multiple CAs, as they are each probably checking from different places, so it may be that one CA works better for you than another, depending on where they're checking from and where you are blocking. However, the requirements for CAs to add more locations to check from will keep increasing over time.

6 Likes

One should preferably use an application firewall and allow /.well-known/acme-challenge/. You could perhaps internally redirect these requests to a host which is completely cut off from any other system except for the challenge. Same goes for DNS. Possibly use a CNAME to redirect the challenge request to a different hostname in a different zone served by a sandboxed DNS server.

5 Likes

Elaborating on what @Osiris said above:

NEVERMIND MY TEXT BELOW; the next comment by @Nummer378 points out the authoritative DNS server would be blocked and unable to serve the CNAME

You can use CNAMEs to delegate DNS-01 acme-challenge records on your authoritative DNS to a secondary DNS system.
The acme-dns system was designed for this (link to source and overview below). You could either install your own acme-dns on another network (a $5 linode or similar would suffice), or you could use a 3rd party commercial vendor.

I prefer to use a self-hosted acme-dns, and toggle firewall rules so that it is only open to the public internet during certificate renewal.

The same concept could apply to port-80 filtering - the only time the acme-challenge directory needs to be open is during a certificate renewal.

If your firewall is linux based, ip-chains and rules work well. I've posted details on that several times here before, click here for the latest details I shared - one week ago. if your firewall is appliance based, there may be an API or scriptable option.

If you use Certbot, there are hooks to register firewall toggling scripts with. If you use other clients, you can just use a simple shell script that wraps invoking your client with firewall actions. I like to use fabric, a python library that is great for scripting automated tasks.

3 Likes
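The "open the firewall only while validation runs" idea from the two replies above (hooking the ACME client, and toggling rules around a renewal), as an added example that is not code from either poster or from the thread. It is a certbot `--pre-hook`/`--post-hook` script for an iptables ruleset. My assumptions, not the thread's: iptables with the `comment` and `string` match extensions is in use, the geo-block rules live in the `INPUT` chain so that a rule inserted at position 1 takes precedence over them, and the tag `acme-validation` is free to mark the temporary rules. The `dns-txt-only` mode is my rendering of the "_acme-challenge from everywhere" suggestion as a payload byte-pattern match; it is a rough filter, not a DNS parser.

```sh
#!/bin/sh
# Added example (not from the thread): certbot pre/post hook that opens the
# ACME validation path in iptables only for the duration of a renewal.
# Assumptions (mine): iptables with the "comment" and "string" matches, geo-block
# rules in the INPUT chain, and the comment tag below otherwise unused.
set -eu

ACME_TAG="acme-validation"   # comment tag so the post-hook can delete exactly our rules
IPT="${IPT:-iptables}"       # set IPT=ip6tables to run the same for IPv6
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1 prints the commands instead of executing them

usage() { echo "usage: $0 open|close http|dns|dns-txt-only" >&2; }

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print one iptables rule spec per line for the given validation method.
acme_rule_specs() {
    case "${1:-}" in
        http)
            # HTTP-01: the CA fetches http://<name>/.well-known/acme-challenge/<token>
            echo "-p tcp --dport 80 -m comment --comment $ACME_TAG -j ACCEPT" ;;
        dns)
            # DNS-01 on an authoritative server you run: the CA's resolver has to
            # be able to ask it anything (NS, A/AAAA, CAA, TXT), over UDP and TCP.
            echo "-p udp --dport 53 -m comment --comment $ACME_TAG -j ACCEPT"
            echo "-p tcp --dport 53 -m comment --comment $ACME_TAG -j ACCEPT" ;;
        dns-txt-only)
            # Narrow variant: admit only UDP/53 packets whose payload carries the
            # wire-format label "_acme-challenge" (0x0f = 15 = label length).
            # Byte-pattern match only; the pipes are the hex-string delimiters.
            echo "-p udp --dport 53 -m string --algo bm --hex-string |0f|_acme-challenge -m comment --comment $ACME_TAG -j ACCEPT" ;;
        *)
            usage; return 2 ;;
    esac
}

# open: insert the allow rules at the top of INPUT (ahead of the geo-block).
# close: delete them again by exact spec, which is why every rule carries the tag.
acme_hook() {
    action="${1:-}"; method="${2:-}"
    case "$action" in open|close) ;; *) usage; return 2 ;; esac
    specs=$(acme_rule_specs "$method") || return 2
    printf '%s\n' "$specs" | while IFS= read -r spec; do
        if [ "$action" = open ]; then
            # $spec is deliberately unquoted so it splits into separate arguments
            run "$IPT" -I INPUT 1 $spec
        else
            run "$IPT" -D INPUT $spec
        fi
    done
}

# Only act when invoked with arguments (e.g. from certbot's hooks):
#   certbot renew --pre-hook  "/usr/local/sbin/acme-fw.sh open http" \
#                 --post-hook "/usr/local/sbin/acme-fw.sh close http"
if [ $# -gt 0 ]; then
    acme_hook "$@"
fi
```

Two caveats worth keeping in mind with the `dns-txt-only` mode: a resolver that minimises query names may first ask the server about the parent name, which carries no `_acme-challenge` label, and a CA also has to look up CAA for the name before issuing, so an unanswered CAA query will still fail the order. The `dns` mode (open everything on 53 during the hook window) avoids both problems, at the cost of briefly exposing the server to the queries the geo-block normally drops.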

Yeah but if they block queries on their authoritative nameserver the CA can't read the CNAME itself, so acme-dns won't work in such a restrictive system.

5 Likes

ack, you're right. i'll strike-out the above.

2 Likes

Honestly, blocking authoritative DNS from anyone seems incredibly short sighted. If your organization isn't equipped to protect at least that layer from the unfettered Internet, you'd probably be better off outsourcing that job to a DNS provider that can. There are plenty that handle "millions of attacks" every day without breaking a sweat for very cheap.

9 Likes

@ILiveInAustin as others have pointed out, you cannot use Let's Encrypt because they, acting as a publicly trusted Certificate Authority, need to check you "control" your domain from multiple geographic locations, which can change. If you block them, then they can't verify you.

You could consider using other CAs but you'll need to speak to them individually to see what their requirements are. You may find you can get the most direct and accommodating support from a commercial CA.

My own suggestion would be to ensure that your authoritative nameservers are hosted in such a way as to safely allow hundreds of millions of requests per month, regardless of where they come from. If that's a concern with your own infrastructure there are several giant cloud providers who can do this for you without breaking a sweat [lol, I just inadvertently copied @rmbolger], at a zero to low cost.

2 Likes
