Whitelisting Let's Encrypt
I'm using CSF as my firewall.
I have a hosting client who has their domain and email with me; the A record for the domain points to another provider for specialized hosting.
That host is having an issue getting their SSL cert from Let's Encrypt to renew. They think that the issue is on my end since none of their other clients are having a problem.
The Sectigo cert for their email on my end renewed just fine, so it's not a DNS or server issue. The only other thing I can think of is that maybe the firewall is blocking it? I block non-US IPs via CC_ALLOW_FILTER, so maybe that's causing a problem?
Any suggestions on how I might whitelist them to prevent that?
-
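To answer the "is the firewall blocking it?" question from logs rather than guesswork, here is an added example (not code from the original post, from CSF, or from Let's Encrypt) that scans netfilter LOG lines of the kind CSF writes to /var/log/messages for inbound drops on the ports an ACME CA has to reach, and turns them into `csf -g` / `csf -a` commands. The regex relies only on the kernel's standard `IN= SRC= DST= PROTO= DPT=` fields; the `Firewall: *TCP_IN Blocked*` prefix, the hostnames, timestamps and addresses in the sample are all constructed for illustration.

```python
"""Find firewall drops that could have hit ACME validation traffic.

Added example for this thread, not code from the original post or from CSF.
It parses the kernel's netfilter LOG format (IN= SRC= DST= PROTO= DPT= fields
as written to /var/log/messages); the "Firewall: *... Blocked*" prefix and
every log line below are constructed for illustration, as are the IPs.
"""
import re
import shlex
from collections import OrderedDict

# Ports an ACME CA has to reach during validation: 53 for resolving the name
# and fetching DNS-01 TXT records, 80 for HTTP-01, 443 for TLS-ALPN-01.
ACME_PORTS = {53: "dns", 80: "http-01", 443: "tls-alpn-01"}

# Standard netfilter LOG line: syslog timestamp, host, "kernel:", an optional
# csf-style "*rule*" prefix, then key=value fields. Only needed fields are kept.
LOG_RE = re.compile(
    r"^(?P<ts>.*?)\s\S+\s+kernel:\s*(?:Firewall:\s*)?(?:\*(?P<rule>[^*]*)\*\s*)?"
    r".*?\bIN=(?P<iface>\S*).*?\bSRC=(?P<src>[0-9a-fA-F.:]+).*?\bDST=(?P<dst>[0-9a-fA-F.:]+)"
    r".*?\bPROTO=(?P<proto>\w+).*?\bDPT=(?P<dpt>\d+)"
)

# Constructed sample: one source hitting 80 (twice) and 53, an unrelated SSH
# probe that must be ignored, and a second source hitting 443.
SAMPLE_LOG = """\
Mar 10 03:12:41 srv1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 03:12:41 srv1 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=71 TOS=0x00 PREC=0x00 TTL=49 ID=31337 PROTO=UDP SPT=40001 DPT=53 LEN=51
Mar 10 03:12:43 srv1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=22334 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 03:12:44 srv1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51240 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 03:15:02 srv1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.55 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=33000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""


def parse_drops(lines):
    """Yield one dict per parseable netfilter LOG line; other lines are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["dpt"] = int(d["dpt"])
            yield d


def acme_relevant_drops(lines, ports=ACME_PORTS):
    """Inbound drops on ACME-relevant ports, aggregated per source address:
    which ports were hit, how often, and when the first hit was logged."""
    by_src = OrderedDict()
    for d in parse_drops(lines):
        if d["dpt"] not in ports:
            continue
        entry = by_src.setdefault(
            d["src"], {"src": d["src"], "first": d["ts"], "rule": d["rule"], "ports": {}}
        )
        entry["ports"][d["dpt"]] = entry["ports"].get(d["dpt"], 0) + 1
    return list(by_src.values())


def csf_commands(drops, ports=ACME_PORTS):
    """Render csf(8) commands: `csf -g IP` greps the live rules to confirm which
    rule is matching, `csf -a IP comment` adds a permanent allow entry.
    The comment records why the entry exists, so it can be reviewed later."""
    cmds = []
    for d in drops:
        cmds.append(f"csf -g {d['src']}")
        what = ", ".join(f"{ports[p]} x{n}" for p, n in sorted(d["ports"].items()))
        comment = shlex.quote(f"ACME validator? first seen {d['first']}: {what}")
        cmds.append(f"csf -a {d['src']} {comment}")
    return cmds


if __name__ == "__main__":
    for cmd in csf_commands(acme_relevant_drops(SAMPLE_LOG.splitlines())):
        print(cmd)
```

Run `csf -g` first and allow only sources whose hits line up with the client's renewal attempt: a drop on port 80 is not proof of a validator, and in the setup described in the post the web traffic goes to the other provider anyway, so the only validation-related traffic this server should see is DNS on port 53. Because the thread notes Let's Encrypt does not publish a fixed range, an allow list built from observed sources will go stale; keeping the ports the CA needs out of the country filter is the more durable fix.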
Hi, have you tried removing the current cert and then requesting a renewed certificate? Regards, HostNoc 0 -
If you don't use the DYN_DNS function for your own IP, then you might be able to leverage it to whitelist Let's Encrypt. I'm not sure if it'll only map a single IP, from memory. 0 -
... they don't use a specific IP range ...
Hence trying to leverage DYN_DNS, which is typically set to update every 10 mins. With hindsight, it's a "shot in the dark" because they use various subdomains for verification, though one could try listing some of them. Note: I wouldn't use this technique personally because I always whitelist/ignore my dynamic home IP using DYN_DNS. On one particular server (soon to be decommissioned) I need to disable CSF briefly in order to grab the SSL validation, which is not ideal at all. ;) OP may be able to use a different validation method, such as DNS, which might be worth investigating/considering. 0 -
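The DNS validation method suggested above, worked through as an added example (not from the thread, and not the code of any ACME client). It shows what an ACME client actually computes for a DNS-01 challenge per RFC 8555 and RFC 7638, and, for contrast, what HTTP-01 serves: with DNS-01 nothing has to reach port 80 or 443, the CA only queries the `_acme-challenge` TXT record from the zone's authoritative nameservers. The account key is a constructed RSA public JWK with a made-up modulus and the token is invented; both exist only to exercise the computation.

```python
"""DNS-01 challenge response per RFC 8555 section 8.4 and RFC 7638.

Added example for this thread, not from the original post or any ACME client.
The account key is a constructed RSA public JWK with a made-up modulus (not a
real 2048-bit key) and the token is invented; both only illustrate the math.
"""
import base64
import hashlib
import json

# Constructed account key (public part only) and a constructed challenge token.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xJtRz2Q6K4l3nXq9bVm7cHp0sWf8dYa1eGu5kL2oNiTvZr4cPy6dM8hB0eF3gA",
    "alg": "RS256",  # optional members such as alg/kid are not part of the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Members that RFC 7638 includes in the thumbprint, per key type.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, serialized in
    lexicographic member order with no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 8.1: keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_body(token: str, jwk: dict) -> str:
    """HTTP-01 (RFC 8555 8.3): the CA fetches
    http://<domain>/.well-known/acme-challenge/<token> over port 80 and expects
    the raw key authorization as the body."""
    return key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict):
    """DNS-01 (RFC 8555 8.4): the CA queries TXT _acme-challenge.<domain> and
    expects base64url(SHA-256(keyAuthorization)). Nothing connects to the web
    host; only the zone's authoritative nameservers are queried, on port 53."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    name, value = dns01_record("example.com", TOKEN, ACCOUNT_JWK)
    print(f'{name}. 60 IN TXT "{value}"')
    print(f"check before telling the CA to validate: dig +short TXT {name} @<authoritative-ns>")
```

The caveat for the setup in this thread: the TXT record is served by whichever nameservers are authoritative for the zone, so if that zone lives on the CSF-protected host, the CA's resolvers still have to get UDP/TCP 53 through the country filter. DNS-01 removes the dependency on ports 80/443 on the web host, not the dependency on DNS being reachable from wherever the CA resolves from.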
I found DYNDNS
Yup, that's the one. I have a bad habit of inserting the underscore due to other features using that character. ;) I get as much scan/scam/spam from the US as from many other locations; unfortunately, most of my clients need access to/from the USA. NL is a common source of the same, though I also have a few servers there. For my Australia-only client it was easier to block swathes of the world. ;) Rather than a country-only approach, I use ipset, most of the pre-configured CSF blocklists and a sizeable comma-delimited country list, such as CN,TW,TH,BR,AG,NG,MD,IL,PK,IN etc. Depends on your environment/market though. ModSecurity and netblock port scans give me a pronounced reduction in load. Good luck in getting a solution. :) 0