What IP address do I need to put in geoblock

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: support.portagemi.gov

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @njohnson01 ,

The best option would be not to geoblock.

Let's Encrypt does not publish IP addresses as they may change at any time.
Presently (again, subject to change at any time) you need to let USA, Sweden, and Singapore through the firewall.

3 Likes

I cannot just un-geoblock, as we are a government agency.

Let's Encrypt does not publish the IP addresses of its auth servers. The IP addresses often change from one challenge to the next.

I don't see any problems connecting to your domain. I can even connect using HTTPS and see your (expired) Sectigo cert.

Sorry, I now see you allow only US sources to connect to you. Bruce already described the countries that Let's Encrypt currently uses. These may change anytime.

Also, other Certificate Authorities will need to be doing similar things as standards are changing. But maybe one of them will work now. You could also just renew your paid Sectigo cert. The validation process may be different.

Another option is to use a DNS Challenge. These are often harder to set up and require your DNS server to accept queries from non-USA origins too. But this is often the case.

Below is a very good post describing the validation and choices.

4 Likes

Possibly using another free ACME CA might be your best choice.

Edit:
Here, https://www.login.gov/, also a USA government agency, seems to have no trouble using Let's Encrypt. You might ask them about the firewall setup they are using; as you work for the same employer, I would expect internal coordination and communication to be quick and efficient for you.

And here, Website Uptime and Availability of support.portagemi.gov at 11 Jun 2024 05:09:42 AM : Site24x7 Tools shows Sweden and Singapore being blocked, thus it will fail.

Please also consider using the DNS-01 Challenge instead of the HTTP-01 Challenge as the validation only needs to communicate with the domain’s Name Servers.

4 Likes

Of course, if you self-host your own 'acme-dns' you still want to geoblock that as much as you can. Just hygiene.

Your registered domain portagemi.gov uses a current Let's Encrypt cert.

Maybe check with whoever manages that server and see what they do.

4 Likes

I have it self-hosted right now. Still trying to find out what to do about an SSL cert that does not need the geoblock disabled to verify.

Can you update the DNS records for that domain? You could use a DNS Challenge. Although, I looked at your DNS provider's website and don't see that they offer an API to update their records.

So, you would be stuck doing a manual cert issuance every 60 days or so. We don't recommend manual processes.

Maybe the people who manage the base name have figured out a way to use the DNS Challenge. Do you know who they are?

Do you have a way to temporarily disable the geoblock? Is it possible to use a Certbot pre-hook and post-hook to disable and enable it just for the cert issuance? That usually only takes a few seconds and is only needed when getting a cert, so about every 60 days.

Of course, you could always try a different Certificate Authority or even a paid certificate. But, as noted in the Multi Perspective thread I linked to, other CAs will be doing similar validations in the future (and some do today).

This might also be helpful to read.

4 Likes

Welcome to the Let's Encrypt Community, @njohnson01! :slightly_smiling_face:

You could put a higher-precedence exception in your firewall rules that allows all traffic only to the acme-challenge path for HTTP-01 challenges. It's not like you face much, if any, risk from that.

3 Likes
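One way to build the carve-out described in the post above, as an added example that is not from the thread or from Let's Encrypt: an nginx config that keeps the country block on everything except the HTTP-01 path, so validation requests from any perspective can reach the challenge token files while all other paths stay US-only. It assumes ngx_http_geoip2_module is loaded, a hypothetical GeoLite2 database path, and a hypothetical webroot `/var/www/acme` used with `certbot --webroot`.

```nginx
# Added example (not the thread's own configuration).
# Assumes ngx_http_geoip2_module; the database path and the variable
# name $client_country are assumptions for this example.
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    $client_country country iso_code;
}

# 1 = allowed, 0 = blocked. Only US sources pass the general geoblock.
map $client_country $geo_allowed {
    default 0;
    US      1;
}

server {
    listen 80;
    server_name support.portagemi.gov;

    # Higher-precedence exception: "^~" is a prefix match that beats the
    # regex and generic locations below, so this path is reachable from
    # every country. Only static token files are served from a dedicated
    # webroot, so nothing else on the server is exposed through it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;        # hypothetical webroot for certbot --webroot
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else keeps the geoblock, then goes to HTTPS.
    location / {
        if ($geo_allowed = 0) {
            return 403;
        }
        return 301 https://$host$request_uri;
    }
}
```

The same `location ^~ /.well-known/acme-challenge/` block belongs in the HTTPS server too, since the validator follows redirects to port 443.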

Hi @njohnson01,

Also, this government agency might be helpful for you.

Their certificate:

And

And shown here: SSL Checker

Which is this certificate: crt.sh | 13286139848

4 Likes

It would be interesting to get that agency to comment on the geoblocking concern!

They're not in charge of everything at all levels of government, but their opinion may carry a fair amount of weight.

4 Likes

If you have to geoblock, I would suggest geoblocking specific countries. I'd guess that the ones you're most likely to block (from the US) are also the least likely to become Let's Encrypt validation perspectives.

2 Likes