Whitelisting Let's Encrypt

GoWilkes

Well-Known Member
Sep 26, 2006
672
31
178
cPanel Access Level
Root Administrator
I'm using CSF as my firewall.

I have a hosting client that has their domain and email with me, then the A record for the domain points to another provider for specialized hosting.

That host is having an issue getting their SSL cert from Let's Encrypt to renew. They think that the issue is on my end since none of their other clients are having a problem.

The Sectigo cert for their email on my end renewed just fine, so it's not a DNS or server issue. The only other thing I can think of is that maybe the firewall is blocking it? I block non-US IPs via CC_ALLOW_FILTER, so maybe that's causing a problem?

Any suggestions on how I might whitelist them to prevent that?
 

ejsolutions

Well-Known Member
Jan 6, 2013
77
32
68
cPanel Access Level
Root Administrator
If you don't use the DYN_DNS function for your own IP, then you might be able to leverage it, to whitelist letsencrypt - I'm not sure if it'll only map a single IP, from my memory.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,499
1,971
363
cPanel Access Level
Root Administrator
According to Let's Encrypt themselves, there's not a good way to whitelist them since they don't use a specific IP range they make public:

 

ejsolutions

Well-Known Member
Jan 6, 2013
77
32
68
cPanel Access Level
Root Administrator
.. they don't use a specific IP range ..
Hence trying to leverage DYN_DNS, which is typically set to update every 10mins. With hindsight, it's a "shot in the dark" 'cos they use various subdomains for verification - though one could try listing some of them. Note: I wouldn't use this technique personally because I always whitelist/ignore my dynamic home IP, using DYN_DNS.
On one particular server (soon to be decommissioned) I need to disable CSF briefly, in order to grab the SSL validation - not ideal at all. ;)

OP may be able to use a different validation method, such as DNS, which might be worth investigating/considering.
 
  • Like
Reactions: cPRex

GoWilkes

Well-Known Member
Sep 26, 2006
672
31
178
cPanel Access Level
Root Administrator
I removed CC_ALLOW_FILTER last night, and today it successfully renewed. So it does appear that Let's Encrypt was trying to connect from a non-US IP address.

I found this from a few weeks ago, and at that time it appears that the connection was coming from the Netherlands:


I block non-US because my sites only target US residents and 99.9% of my non-US traffic is spam, scams, or fraud. This restriction has saved my server from a TON of unnecessary load which makes my sites load faster, so I really don't want to have to remove the setting just for this one thing :-/

Does Let's Encrypt always come from the Netherlands? I could whitelist that country and I don't think it would hurt anything.

@ejsolutions, I found DYNDNS in the configuration (no underscore) and it's currently disabled. I'm not sure how to use it for this, but I'll do some research. At this point I have until the end of November to find a solution (when the cert renews again) :)
 

ejsolutions

Well-Known Member
Jan 6, 2013
77
32
68
cPanel Access Level
Root Administrator
I found DYNDNS
Yup, that's the one: I have a bad habit of inserting the underscore due to other features using that character. ;)

I get as much scan,scam,spam from US as from many other locations: unfortunately, most of my clients need access to/from the USA. NL is a common source of the same, though I also have a few servers there. My Australia-only client was easier to block swathes of the World. ;) Rather than a country only approach, I use IPset, most of the pre-configured CSF blocklists and a sizeable comma-delimited country list, such as CN,TW,TH,BR,AG,NG,MD,IL,PK,IN etc. Depends on your environment/market though.
Modsecurity and netblock port scans give me a pronounced reduction in Load.

Good luck in getting a solution. :)
 
  • Like
Reactions: GoWilkes