Sophos Country Blocking blocks LetsEncrypt

On Sophos firewalls, specifically the SG firewall with version 9.x and the country blocking feature enabled: in various Sophos community articles, the suggested way to get Let's Encrypt working is to exclude the following DNS Groups from the country blocking feature. (In Sophos terms, a "DNS Group" is a DNS entry with multiple IPs, in case you don't know.)

DNS Groups

For Services

  • HTTPS
  • HTTP

But the verifications done by the Let's Encrypt servers are still blocked. It seems that there are additional connections from various Amazon cloud servers.

So my question is:
Does somebody know the "real list" of all DNS addresses of the sources used by the Let's Encrypt verification process?


The common FAQ did not help me. I already know:

But I'm searching for the DNS names, IP ranges, network IDs ...
Everything I can transform into a rule for the firewall. I can't disable the whole feature because of Let's Encrypt.


Let's Encrypt's validation servers check from many places on the Internet because they need to validate that you own the name as seen from all vantage points on the Internet. They do not and will not publish network ranges because where they check from constantly changes.

You need to either allow all traffic from everywhere for HTTP (at least while running renewals; some people go so far as to script opening up the firewall at the start of renewing and closing it up again afterwards); or switch to a DNS-01 challenge (where you automate updating your DNS, and assuming you allow access to the DNS server from everywhere even if you don't want to allow HTTP from everywhere).


Okay, that's an answer. Sadly a less good one. This really means I have to drill a big hole in the firewall to get Let's Encrypt working.

However, thanks for the answer!


Yes, but no.
The (not so big) hole only needs to be for HTTP (if you do HTTP auth and don't redirect the challenge requests to HTTPS).
If you do DNS auth, then there is no HTTP hole required.


Okay... yes, we have an HTTP to HTTPS redirection active in the firewall. Okay, that means I can create an HTTPS exception for our target IPs without HTTP. I will verify that.

As far as I saw, all connections came from Amazon AWS servers in the US. But that doesn't mean that another connection can't come from another AWS server location or another cloud provider. So an "any" exception for HTTPS in country blocking is needed.

...unless you use DNS validation.


My suggestion was to allow HTTP from everywhere.
Handle the authentication requests in HTTP.
Forward all else to HTTPS.
[block any/all countries from HTTPS only]

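An added check for the HTTP side of the approach above (example code, not from the thread or from Sophos or Let's Encrypt): it requests the HTTP-01 challenge path over plain port 80 without following redirects and reports whether the path is served over HTTP, bounced to HTTPS by the redirect, or unreachable (which is what a country block looks like from a blocked vantage point). The host name and token are placeholders you supply.

```python
import http.client
import socket
from urllib.parse import urlparse

# Path prefix that HTTP-01 validation fetches over plain HTTP on port 80.
ACME_PATH = "/.well-known/acme-challenge/"


def classify(status, location):
    """Classify a plain-HTTP response to a challenge-path request.

    status   -- HTTP status code, obtained without following redirects
    location -- value of the Location header, or None
    'served' means the path is answered over HTTP (200 is a token; 404 just
    means no challenge is active right now, which is still fine).
    'redirected-to-https' is the failure mode discussed above: the challenge
    request would be bounced into the HTTPS rule set.
    """
    if status in (200, 404):
        return "served"
    if status in (301, 302, 307, 308) and location:
        if urlparse(location).scheme.lower() == "https":
            return "redirected-to-https"
        return "redirected"
    return "other"


def probe(host, token="probe-token", timeout=10):
    """Fetch the challenge path over port 80 from this vantage point.

    Returns the classify() result, or 'unreachable' if the connection fails
    (timeout / refused), which is how a country block shows up.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"))
    except (OSError, socket.timeout, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    for hostname in sys.argv[1:]:  # e.g. python probe.py example.invalid
        print(hostname, probe(hostname))
```

Run it from a network outside the allowed countries as well: 'served' from inside but 'unreachable' from outside means the country rule, not the redirect, is what blocks validation.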
