Trend Micro Blocking AutoRenewal

Hello All,

Currently trying to create a proof of concept for my website using Let's Encrypt and Win-Acme. I noticed that the cert renewal randomly gets stopped by my company's AntiVirus [Trend Micro]. They are blocking it with the reason CnC callback. After talking with my firewall/AV admin, they state that they can whitelist the Win-Acme application but would need a list of IP addresses. Can you guys tell me if the list of IP addresses that are trying to connect here is from Let's Encrypt or if the application may have been compromised somehow?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: austin.martinrea.com

I ran this command: Win-Acme: wacs.exe --source iis --siteid 2 --installation iis

It produced this output:
Plugin IIS generated source austin.martinrea.com with 1 identifiers
Plugin Single created 1 order
Renewing [IIS] cbwebsite, (any host)
Downloading certificate [IIS] cbwebsite, (any host)
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [IIS] cbwebsite, (any host) @ 2024/8/12 in store WebHosting
Installing with IIS...
Updating existing https binding austin.martinrea.com:443 (flags: 96)
Committing 1 https binding changes to IIS while updating site 2
Uninstalling certificate from the certificate store
Removing certificate [IIS] cbwebsite, (any host) @ 2024/8/10 from store WebHosting
Next renewal due after 2024/8/13
Renewal for [IIS] cbwebsite, (any host) succeeded

My web server is (include version):
IIS Windows 11 23H2

The operating system my web server runs on is (include version):
Windows 11 23H2

My hosting provider, if applicable, is:
Self hosted

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Win-Acme 2.2.9.1701

Hi @ALee,

What IP addresses does Let’s Encrypt use to validate my web server?
Let’s Encrypt does not publish a list of IP addresses we use to validate,
and these IP addresses may change at any time.

5 Likes

Hi Bruce,

Got ya! Could you give me the list of URLs that my team can whitelist?

PS thanks for your quick reply!

For incoming HTTP requests to validate control over the domain, you need to allow requests for the /.well-known/acme-challenge path.

This FAQ may help explain some of what's going on, with Let's Encrypt needing to check from multiple places that regularly change:

8 Likes
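
As an added example (not part of any post in this thread, and not Win-Acme or Let's Encrypt code): a Python sketch that reads an IIS W3C log and groups requests to the /.well-known/acme-challenge path by token, so an admin can see the same challenge being fetched from several source addresses and scope the allow rule to the path instead of an IP list. The log lines, IP addresses, token and user agent are constructed, and the token pattern assumes the base64url character set that RFC 8555 specifies for challenge tokens.

```python
import re
from collections import defaultdict

# HTTP-01 challenge path (RFC 8555): fixed prefix plus a base64url token.
CHALLENGE_RE = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$")

# Constructed IIS W3C log sample (documentation IP ranges, made-up token).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-08-12 13:10:01 10.0.0.5 GET /.well-known/acme-challenge/Xq3vT0kenAAA111 - 80 - 192.0.2.10 constructed-agent 200
2024-08-12 13:10:01 10.0.0.5 GET /.well-known/acme-challenge/Xq3vT0kenAAA111 - 80 - 198.51.100.7 constructed-agent 200
2024-08-12 13:10:02 10.0.0.5 GET /.well-known/acme-challenge/Xq3vT0kenAAA111 - 80 - 203.0.113.44 constructed-agent 200
2024-08-12 13:11:40 10.0.0.5 GET /.well-known/acme-challenge/web.config - 80 - 203.0.113.99 constructed-agent 404
2024-08-12 13:12:05 10.0.0.5 GET /admin/login.aspx - 80 - 203.0.113.99 constructed-agent 403
"""

def summarize(log_text):
    """Return (token -> set of client IPs, list of requests outside the rule)."""
    fields, by_token, other = [], defaultdict(set), []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        match = CHALLENGE_RE.match(row["cs-uri-stem"])
        if match and row["cs-method"] == "GET":
            by_token[match.group(1)].add(row["c-ip"])
        else:
            # Anything else, including non-token names under the prefix,
            # is not covered by a path-scoped allow rule.
            other.append((row["c-ip"], row["cs-uri-stem"]))
    return dict(by_token), other

if __name__ == "__main__":
    tokens, other = summarize(SAMPLE_LOG)
    for token, ips in tokens.items():
        print(f"{token}: fetched from {len(ips)} distinct IPs -> {sorted(ips)}")
    for ip, path in other:
        print(f"outside the challenge path rule: {ip} {path}")
```
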

And possibly
A well-known URI is a Uniform Resource Identifier for URL path prefixes that start with /.well-known/ .

6 Likes

Hi All,

Thank you for the information! Other than the URI whitelist, is there anything else that should be whitelisted? For example, if we use Win-Acme, we for sure need to whitelist that file/path, correct?

1 Like

All ACME requests should use: /.well-known/acme-challenge

So, yes; Win-Acme should also use that path.

4 Likes
