Whitelisting Let's Encrypt

Comments

6 comments

  • HostNoc
    Hi, have you tried removing the current cert and then asking for a renewed certificate? Regards, HostNoc
    0
  • ejsolutions
    If you don't use the DYN_DNS function for your own IP, then you might be able to leverage it to whitelist Let's Encrypt. I'm not sure if it'll only map a single IP, from my memory.
    0
  • cPRex Jurassic Moderator
    According to Let's Encrypt themselves, there's not a good way to whitelist them since they don't use a specific IP range they make public:
    0
  • ejsolutions
    .. they don't use a specific IP range ..

    Hence trying to leverage DYN_DNS, which is typically set to update every 10 mins. With hindsight, it's a "shot in the dark" 'cos they use various subdomains for verification, though one could try listing some of them. Note: I wouldn't use this technique personally because I always whitelist/ignore my dynamic home IP using DYN_DNS. On one particular server (soon to be decommissioned) I need to disable CSF briefly in order to grab the SSL validation, which is not ideal at all. ;) OP may be able to use a different validation method, such as DNS, which might be worth investigating/considering.
    0
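The DNS validation method suggested in the comment above sidesteps the whole whitelisting problem: with an ACME DNS-01 challenge the CA only looks up a TXT record, so no validator ever has to connect inbound through CSF. The following is an added example, not code from the thread or from Let's Encrypt, showing how the TXT value is derived from the challenge token and the ACME account key (RFC 8555 section 8.4, RFC 7638 thumbprints) and how a published record is checked. The token and the EC key coordinates are constructed placeholders, not a real order or key.

```python
"""Added example (not from the thread): satisfying an ACME DNS-01 challenge.

HTTP-01 validators connect inbound from IPs that a CSF country filter
(CC_ALLOW_FILTER) can block. DNS-01 replaces that inbound connection with a
DNS TXT lookup of _acme-challenge.<domain>, so the web server's firewall is
never in the path.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token.thumbprint: what HTTP-01 would serve at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """DNS-01 publishes base64url(SHA-256(key authorization)) as the TXT record data."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """Name of the TXT record the CA queries for this domain."""
    return f"_acme-challenge.{domain}"


def check_published(txt_records: list, expected: str) -> bool:
    """What the CA does: accept if any TXT RR at the challenge name matches exactly."""
    return any(record == expected for record in txt_records)


# Constructed sample input: a fake challenge token and a fake EC P-256 account key.
# The coordinate strings are arbitrary placeholders, not a real key.
SAMPLE_TOKEN = "constructed-token-not-from-a-real-order"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructedXcoordinateNotARealKey00000000000",
    "y": "constructedYcoordinateNotARealKey00000000000",
    "alg": "ES256",  # optional member: must not affect the thumbprint
}

if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(dns01_record_name("example.com"), "TXT", value)
    # Simulate what the CA sees in DNS once the record has been published.
    print("validates:", check_published([value], value))
```

In practice an ACME client (certbot with a DNS plugin, acme.sh, or cPanel's own AutoSSL DNS validation where available) does this derivation and publishes the record through the DNS provider's API; the point of the example is that the only thing the CA must reach is the authoritative DNS for the zone, which CSF on the web server cannot interfere with.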
  • GoWilkes
    I removed CC_ALLOW_FILTER last night, and today it successfully renewed. So it does appear that Let's Encrypt was trying to connect from a non-US IP address. I found this from a few weeks ago, and at that time it appears that the connection was coming from the Netherlands:
    0
  • ejsolutions
    I found DYNDNS

    Yup, that's the one: I have a bad habit of inserting the underscore due to other features using that character. ;) I get as much scan, scam and spam traffic from the US as from many other locations; unfortunately, most of my clients need access to/from the USA. NL is a common source of the same, though I also have a few servers there. My Australia-only client was easier: block swathes of the world. ;) Rather than a country-only approach, I use ipset, most of the pre-configured CSF blocklists and a sizeable comma-delimited country list, such as CN,TW,TH,BR,AG,NG,MD,IL,PK,IN etc. Depends on your environment/market though. ModSecurity and netblocking port scans give me a pronounced reduction in load. Good luck in getting a solution. :)
    0