win-ACME certificate renewal

Good morning,

In the process of renewing my SSL certificate, I noticed that it gave me an error, indicating that there was a problem with the second validation.

I have verified that if I disable threat prevention on my firewall, the renewal is done correctly.

Is there a list of Let's Encrypt servers with their IPs?

Greetings and thanks.

Jordi.

1 Like

No, there isn't. Please see the following FAQ entry: FAQ - Let's Encrypt

5 Likes

You may also find this FAQ useful:

5 Likes

Thanks for your reply!

Then my "solution" is to disable and enable Threat Prevention in the FW every time I need to renew the certificate.

Really, is there no solution to this problem?

Thanks.

Jordi.

1 Like

Well, a lot depends on what exactly that "Threat Prevention" setting is doing, and if there are any other settings for it that you can configure besides turning it on and off.

For instance, if all that's running on port 80 is a redirection to https and the challenge response for the Certificate Authority, generally one can just keep port 80 open to all. Or, you might be able to exclude the /.well-known/acme-challenge path from being blocked.

If your DNS server is configured to be more open than your web server, you might be able to switch to the DNS challenge.

Or, yes some people configure hooks in their ACME client to make their firewall less restrictive while renewing a certificate and set it back after the challenge is completed.

As the FAQ I linked says, the core of it is that Let's Encrypt needs to confirm that you control the domain name as seen by everywhere on the Internet, so you need to prove control over it as seen from everywhere on the Internet. Generally firewalls should be able to be configured to allow for you to prove control while blocking the things that you want to block.

6 Likes
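The hook approach described in the reply above, written out as an added example; it is not code from the thread or from the win-acme project. It assumes the component blocking the challenge is Windows Firewall on the web host itself (the thread's "Threat Prevention" sits on a separate firewall whose vendor and automation interface are not stated, so that part would need the vendor's own tooling in place of the `*-NetFirewallRule` cmdlets). The script name, the rule name, the `-Phase` parameter, and the way the script is wired into the ACME client's pre/post validation hooks are all assumptions.

```powershell
<#
  Added example (not from the thread or win-acme): open plain HTTP only for the
  duration of an HTTP-01 validation, then close it again unconditionally.
  Run with -Phase Pre from the client's pre-validation hook and -Phase Post
  from its post-validation hook. Assumption: the block is Windows Firewall on
  the web host; a perimeter appliance would need its vendor's API instead.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Pre', 'Post')][string]$Phase,
    [Parameter(Mandatory)][string]$Domain,           # placeholder, e.g. www.example.com
    [string]$RuleName = 'ACME HTTP-01 (temporary)'   # assumed rule name
)

$ErrorActionPreference = 'Stop'
$ChallengePath = '/.well-known/acme-challenge/'      # the only path that must be reachable

function Enable-AcmeChallengeAccess {
    # Idempotent: reuse an existing rule instead of stacking duplicates.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 80 -Action Allow -Profile Any | Out-Null
    }
}

function Disable-AcmeChallengeAccess {
    # Always remove the rule, whether or not the renewal succeeded; a missing
    # rule is not an error.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Test-AcmeChallengeReachable {
    # Local sanity check only: Let's Encrypt validates from several vantage
    # points on the Internet, so success here does not prove success there.
    # A 404 on a random token is fine; the point is that the path is served by
    # the web server rather than filtered, refused, or redirected to HTTPS.
    param([string]$Domain, [string]$ChallengePath)
    $probe = "http://$Domain$ChallengePath" + 'probe-' + [guid]::NewGuid().ToString('N')
    try {
        $r = Invoke-WebRequest -Uri $probe -UseBasicParsing -MaximumRedirection 0 -TimeoutSec 10
        return ($r.StatusCode -eq 200)
    } catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { return $false }            # refused, filtered, or timed out
        return ([int]$resp.StatusCode -in 200, 404)       # answered by the web server, not blocked
    }
}

switch ($Phase) {
    'Pre' {
        Enable-AcmeChallengeAccess
        try {
            if (-not (Test-AcmeChallengeReachable -Domain $Domain -ChallengePath $ChallengePath)) {
                throw "Challenge path on $Domain is still not reachable over plain HTTP"
            }
        } catch {
            # Do not leave the temporary opening behind if the pre-check fails.
            Disable-AcmeChallengeAccess
            throw
        }
    }
    'Post' { Disable-AcmeChallengeAccess }
}
```

Invoke it as `.\acme-hook.ps1 -Phase Pre -Domain www.example.com` before validation and with `-Phase Post` afterwards; keep the Post call unconditional so a failed renewal does not leave port 80 open. The probe deliberately uses a random token so a 404 from the web server counts as "served": what the check detects is filtering or an HTTPS redirect on the challenge path, not the presence of a specific token.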

@petercooperjr I created a new configuration in my FW. I think that the "problem" may be resolved.

Thanks for your help!

Jordi.

4 Likes
