There is an issue currently between Let's Encrypt's CRL and Zyxel, either a global problem, or maybe local to Switzerland, but not just a local problem on our environment. We experience it from many different networks. The commonality is there is Zyxel involved somewhere in the chain, which blocks the CRL for some reason (false positive?).
Zyxel is blocking such CRL resources, e.g: http://r10.c.lencr.org/76.crl
Did anyone else report this problem?
My domain is:
- Not relevant to the problem
I ran this command:
curl -O http://r10.c.lencr.org/76.crl
It produced this output:
"Blocked"
My web server is (include version):
- Not relevant, I am trying the command line (Zyxel firewall is involved and part of the problem!)
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
- Not relevant to the problem
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1 Like
p.s. we have already reported the problem to Zyxel, but we are a small company. It would be much more impactful if the problem would be reported directly from Let's Encrypt as well.
1 Like
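A small check for the symptom described above, as an added example that is not part of the original post: it tells a DER-encoded CRL apart from a short text block page such as the "Blocked" reply, and fetch_crl (a hypothetical helper, not a Let's Encrypt or Zyxel tool) retrieves the thread's URL so the same check can be repeated from different networks.

```python
import urllib.request

CRL_URL = "http://r10.c.lencr.org/76.crl"  # the URL reported as blocked in the thread


def der_header(body: bytes):
    """Parse a DER tag/length header; return (tag, header_len, content_len) or None."""
    if len(body) < 2:
        return None
    tag, first = body[0], body[1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long-form: next n bytes hold the length
    if n == 0 or n > 4 or len(body) < 2 + n:
        return None
    return tag, 2 + n, int.from_bytes(body[2:2 + n], "big")


def classify_crl_body(body: bytes) -> str:
    """'crl' if body is a complete DER CertificateList (SEQUENCE wrapping the
    tbsCertList SEQUENCE), 'blocked' if it is a text block page, else 'unknown'."""
    outer = der_header(body)
    if outer and outer[0] == 0x30 and outer[1] + outer[2] == len(body):
        inner = der_header(body[outer[1]:])
        if inner and inner[0] == 0x30:
            return "crl"
    try:
        text = body.decode("ascii").strip().lower()
    except UnicodeDecodeError:
        return "unknown"
    return "blocked" if "blocked" in text else "unknown"


def fetch_crl(url: str = CRL_URL, timeout: float = 10.0):
    """Fetch the CRL over plain HTTP; return (HTTP status, Content-Type, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "crl-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


# Constructed sample bodies (not captured responses) exercising each outcome.
SAMPLES = {
    "block page": b"Blocked",
    "minimal der": bytes.fromhex("3002" "3000"),   # SEQUENCE { SEQUENCE {} }
    "truncated der": bytes.fromhex("3010" "3000"),  # declared length exceeds body
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {classify_crl_body(body)}")
    try:
        status, ctype, body = fetch_crl()
        print(f"{CRL_URL}: HTTP {status}, {ctype!r}, {classify_crl_body(body)}")
    except OSError as exc:
        print(f"{CRL_URL}: request failed: {exc}")
```

A real CRL from this endpoint is served as application/pkix-crl and classifies as "crl"; a filtered network typically returns a text or HTML page that classifies as "blocked" or "unknown".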
Does the firewall allow any other outgoing http (not https) requests? If not then there is likely a single rule blocking outgoing TCP port 80. If it's running some sort of dynamic protection (like an allow list/blocklist) presumably you can bypass that in the settings.
I presume the Zyxel has some sort of URL tester in its interface and that's where it says "blocked" because that doesn't sound like a very curl kind of error message (maybe it is?). Note that the "user agent" can matter for request filtering tools.
2 Likes
Hello Christopher,
Thank you for your response.
Does the firewall allow any other outgoing http (not https) requests?
The firewall allows other traffic, it seems to be only one rule blocking the CRL URL.
It was not the case before, this started 2 days ago, or at least we were first affected 2 days ago.
If it's running some sort of dynamic protection (like an allow list/blocklist) presumably you can bypass that in the settings.
It shows it as a "threat filtering". However, this firewall is installed at different customers of ours, where we do not have control over it. We are just a SaaS provider.
I presume the Zyxel has some sort of URL tester in its interface and that's where it says "blocked"
Yes, you are right. Just opening this file in the browser (e.g. Chrome) shows that it is blocked. I sent curl just as an example. The result seems to be the same, regardless of the client used.
As soon as I change the network, and with that, the Zyxel firewall, it works again.
Regards,
Boris
1 Like
True. Good step forward.
I believe the ball is in their corner now, and we can close this one.
Thanks for the prompt feedback.
2 Likes
Yes, we got a few reports in yesterday about this and I reached out to Zyxel.
Their URL checker (Threat Intelligence | Zyxel) no longer shows it as malware, so I assume that means the change is rolling out.
5 Likes