from Lemmchen@feddit.org to selfhosted@lemmy.world on 15 May 20:14
https://feddit.org/post/29898434
Recently I’ve installed luci-app-banip on my OpenWrt router and blocked most countries from accessing my services on my network. Not seeing why I would want any of that traffic I also blocked the whole of the ARIN registry, responsible for IP addresses from Canada and the United States.
Fast forward a few weeks and my certbot renewals fail with the following error: Failed to renew certificate enter.domain.here with error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45)
Confused af I start looking for solutions and as so often only find useless or completely ridiulous solutions (lowering my MTU to 1300, what? WHY?). Finally I find some enlighted figure that says they recently enabled a blocklist for certain countries and that was the issue for them.
Now I make the connection to my use of banIP, re-allow the USA and my cert renewals start working again. Hooray!
However, there are two things bothering me:
- Why would such a block even interrupt my renewals? I’m using DNS challenges and the ACME servers should only check the DNS entries, not where those entries actually redirect to. The DNS server/root isn’t in my home network, so isn’t affected by any firewall shenanigans I do here.
- How can I make an exception for the Let’s Encrypt ACME servers while blocking the rest of the ARIN IP space?
I see there’s the option for ASN selection and external allowlists:
Does anybody have an idea on how to configure this so that Let’s Encrypt continues to work without compromising on my network security?
(Edit: And just for clarity, I do not live in the US or anywhere on the American continent.)
threaded - newest
Forgive my ignorance as I am very new to networking. Does it not look like it is the other way around? Your certificate manager tries to connect to Let’s Encrypt and fails? Even with DNS challenges, your certificate manager has to tell Let’s Encrypt to check your DNS records somehow.
Outbound traffic has never been blocked, so it’s not a matter of me or my “certificate manager” being able to reach Let’s Encrypt.
are you using external DNS hosting? is it in a (now) blocked country? if so, then your local certbot is unable to update the DNS server records (return traffic from your DNS host is being blocked by your iptables/nftables config).
yeah, that would suggest an https renewal method. had you previously configured web server renewal at all before switching over to DNS? any other suspicious notifications in the logs?
edit: in thinking about this a little more… the renewal has to be initiated by your host, and that is likely done via https (you talk https to the acme server and tell it you want a renewal by DNS). so, if you are blocking the acme servers then the same issue applies - no return traffic.
I’ve been using DNS challenge for this domain from the start. I’m not sure what you mean by external DNS hosting. The domain is from netcup, the cerbot host runs in my local network (as does the HTTP server that the domain points to).
Netcup is a German hosting company, I live in Germany, inbound traffic from Germany is NOT blocked on my router, outbound traffic isn’t blocked at all.
@Lemmchen The letsencrypt acme server IP addresses aren't published and rotate frequently to prevent mitm attacks near the source. Placing them on an allowlist is not the solution you're looking for.
What is, then? Do they provide European ACME servers I could use instead?
@Lemmchen Only open the port when you're expecting an acme verification. Or do DNS-based verification.
That’s the thing. I am doing DNS challenges. I’m using a certbot plugin for my DNS provider (github.com/coldfix/certbot-dns-netcup) to automatically have my DNS entries set up for it.
@Lemmchen Then the acme verification is hitting your provider's DNS servers (or rather, one of the DNS servers listed as authoritative with your registrar) and the verifier never needs to hit your infrastructure directly.
Unless you're hosting your own DNS and for some reason want to apply a blocklist to that.
That’s what I don’t get. Firewall up, renewal timeout. Firewall down, renewals work just fine. This shouldn’t happen for DNS challenges, but for some reason it apparently does.