Why does certbot renew work with restricted IPs

How is certbot renew able to obtain a certificate when I have an Apache directive like this:

```apache
<Location />
    <RequireAll>
        Require ip 192.168
    </RequireAll>
</Location>
```

This should and does block external source IPs, verified from a few public VPS instances.

Does the acme server combined with certbot cache results for a certain period before doing the actual renewal with a new http challenge? It reports success both with a --dry-run and with --force-renewal.

Note: I'm wondering WHY it DOES work... it shouldn't, since I have no other challenges configured and external source IPs are blocked.

1 Like

Well what if the DNS-01 challenge is being used?

1 Like

? I don't have my DNS configured for dynamic updates. Note: I'm not asking HOW to make it work, I'm saying it DOES work and it shouldn't because I have all IPs blocked and other public requests are respected and blocked as far as I can see.

2 Likes

Correct, I was merely speculating as I do not know how Certbot code is handling all the different cases that the code path may possibly be being used by more than one Challenge type.

2 Likes

Ah yes, okay. I do appreciate the response.

2 Likes

HTTP authentications are cached for 30 days for a specific domain and account.

So, if you got a valid auth recently you won't see a new challenge. Could that be it?

4 Likes

Absolutely! I just got the initial cert this morning, so this makes complete sense! I was testing a few other things out, so clearly I have more reading to do!

It seems like with -v enabled with Certbot, it should provide some indication of using cached validation.

Thanks!

3 Likes

What plugins/modes do you use to get the certificates?

IIRC, Certbot ensures Apache runs with specific rules to ensure the challenge can be read (see certbot/http_01.py at master · certbot/certbot · GitHub)

Edit: I believe Certbot is overriding your restricted IPs to ensure the challenge works, so the IPs are not actually restricted for that route.

6 Likes

Yes, I'm using the Apache plugin. You're right about the source code too. I guess there are multiple factors at play here. That also correlates well with my experience since another server has renewed fine after many months with similar restrictions in place.

Thanks a lot for the insightful replies!

5 Likes

I do hope you are using the staging environment for all your testing :wink:

And, yes, all bets are off when using such plugins [that alter the configurations].
Try using --webroot authentication instead.

OR

If I understand your purpose, you could just put a proxy in front of it and only proxy the challenge requests.

5 Likes
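As an added illustration of the --webroot suggestion above (this is not configuration from the thread or from Certbot), the following Apache vhost keeps the whole site limited to the 192.168.0.0/16 range while opening only the HTTP-01 token directory. It assumes a webroot of /var/www/html and the placeholder name example.com.

```apache
# Added example: keep the site locked to the trusted subnet while letting the
# ACME HTTP-01 validators reach the challenge files written by
#   certbot certonly --webroot -w /var/www/html -d example.com
# (webroot path and domain are assumptions for this example)
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

    # Default: every path on this host is restricted to the internal subnet
    <Location />
        Require ip 192.168
    </Location>

    # Exception: the CA's validators connect from unpublished public IPs, so the
    # token directory must be world-readable. <Location> sections are merged in
    # the order they appear, so this later, more specific block overrides the
    # "Require ip" above for matching paths only.
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>

    # The token directory holds plain static files; disable anything extra
    <Directory "/var/www/html/.well-known/acme-challenge">
        Options None
        AllowOverride None
    </Directory>
</VirtualHost>
```

Because the CA caches a successful authorization for a while, a green --dry-run shortly after issuance does not prove this path is reachable; fetch a test file from that directory from an external address, as the original poster did for the rest of the site, to confirm the exception actually works.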

Yes, I was using --dry-run.

I have the IP restriction to limit login access while I test changes or developments. No need to proxy. Now that I know about it, this feature to remove restrictions from the virtual host is good, but so is documentation :stuck_out_tongue:

5 Likes

Just to be clear, only port 80 would "need to be proxied"
[to enforce such IP restrictions]

3 Likes

If I remember the details correctly from the ACME flow, Certbot doesn't know for sure whether the validation is cached. It could sort of figure it out (by observing that no challenge was required for proof of control of a particular name), but it's the certificate authority that's making that choice and determination, and the certificate authority isn't proactively sending a message saying "your authorization was cached".

To be more precise, the "cached validation" isn't something that's stored client-side by Certbot, but is more like an entry in Let's Encrypt's certificate authority databases. Certbot does have a private cryptography key representing an account that the user has with Let's Encrypt, but Certbot doesn't directly know exactly what permissions or authorization that account possesses at a given time. It can only observe the behavior of a certificate authority on particular occasions.

(Edit: I agree with the idea that this would be useful information for users to know! I'm just mentioning that I think it would be challenging, no pun intended, to provide that information in the current architecture.)

5 Likes

Yeah, I would even expect that kind of notification without -v, but I like technical details (without debug dumps) in general. Thanks for the input, you've given me some clues on what and how to look for other details.

2 Likes

Roger that. I'm just getting back into the game after a few years on a break. Thanks for the tips!

3 Likes
