Let's Encrypt Certificate Renew blocked by threat-shield

Good morning everyone!
I have installed the Threat Shield module on NethServer.
I have enabled the GitHub lists:
the IP blacklist from github.com/firehol/blocklist-ipsets and the DNS blacklist from github.com/NethServer/dns-community-blacklist

During the automatic renewal of the Let's Encrypt certificate, I encountered errors related to reaching the site itself for renewal; by deactivating the IP blacklist, the renewal completed successfully.
On the Let's Encrypt site I found an FAQ about it with the following text:

What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time.

It is therefore not possible to whitelist the public IPs. Has anyone already encountered the same problem?

No, it is not. If you want a Let's Encrypt certificate, and you're using HTTP validation (which Neth does by default), port 80 must be open to the Internet.

Hi Danb35!
Many thanks for the support.
Port 80 is already open to the Internet. The problem is that I have enabled the IP blacklist in the Threat Shield module, and the automatic renewal doesn't work because the public IP addresses of Let's Encrypt are blocked by the list.

I probably should have been more clear–port 80 needs to be open to the entire Internet. And really, that’s always been the stated position of Let’s Encrypt–it’s just been fairly recently that they’ve started validating from a wider pool of IP addresses. At this point, you should expect that any sizeable IP blacklist applied to port 80 is going to result in you failing validation.

Edit: You could always implement DNS validation instead–I have a couple of pages in the wiki dealing with that.

I have exactly the same problem. Let's Encrypt doesn't renew certificates when Threat Shield is enabled. At first I thought this was a problem with specific IP blocklists, but if I disable ALL IP blocklists the problem persists. If I disable the whole IP blocklisting, the renewal is fine.

Any suggestions that avoid this DNS validation procedure?

Regards
yummiweb

Yes: stop using the blacklist.

Thank you for your answer, but can you explain that?
How, or in which part of the (bare) blacklisting procedure, without any blacklist entries, does it stop the renewal process? I'd like to understand this.

Look in firewall.log at the time you renew the certificate. You will see the blocked connection; take the IP and search for it in Threat Shield. Disable the relevant blacklist.

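The log-driven check Filippo describes above, automated as an added Python example (this is not code from the thread or from NethServer's Threat Shield). It pulls the source addresses that the firewall dropped on port 80 during the renewal window out of a syslog-style firewall.log, then tests each address against local copies of the blocklists in FireHOL .netset format (one IP or CIDR per line, `#` comments) and reports which lists would have to be disabled. The log line format is an assumption about what Shorewall writes on NethServer, the timestamps are constructed, and the list contents are invented for the example: the real "pushing_inertia_blocklist", "firehol_webserver" and "datacenters" lists contain different ranges, and only the three addresses reported later in this thread are real.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample of firewall.log lines in Shorewall's "zone:chain:ACTION:" prefix
# style (format assumed; hostnames, times and the DST address are illustrative).
SAMPLE_FIREWALL_LOG = """\
Mar  3 04:12:01 nethserver kernel: Shorewall:blacklst:DROP:IN=eth0 OUT= SRC=52.58.118.98 DST=203.0.113.10 PROTO=TCP SPT=43210 DPT=80
Mar  3 04:12:02 nethserver kernel: Shorewall:blacklst:DROP:IN=eth0 OUT= SRC=34.211.60.134 DST=203.0.113.10 PROTO=TCP SPT=51020 DPT=80
Mar  3 04:12:02 nethserver kernel: Shorewall:net-fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=443
Mar  3 04:12:03 nethserver kernel: Shorewall:blacklst:DROP:IN=eth0 OUT= SRC=18.224.20.83 DST=203.0.113.10 PROTO=TCP SPT=60123 DPT=80
Mar  3 09:30:00 nethserver kernel: Shorewall:blacklst:DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=2222 DPT=22
"""

# Constructed .netset-style list contents keyed by list name. The ranges are invented
# so that the example has something to match; they are NOT the real lists' contents.
SAMPLE_BLOCKLISTS = {
    "pushing_inertia_blocklist": "# constructed sample\n52.58.0.0/15\n18.224.0.0/14\n",
    "firehol_webserver": "# constructed sample\n34.208.0.0/12\n52.58.118.98\n",
    "datacenters": "# constructed sample\n18.0.0.0/8\n34.192.0.0/10\n52.0.0.0/8\n",
}

SYSLOG_FMT = "%b %d %H:%M:%S"  # syslog timestamps carry no year; both ends of the window use the same format
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?:(?P<action>DROP|REJECT|ACCEPT):"
    r".*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def load_netset(text):
    """Parse a FireHOL-style list: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def blocked_sources(log_text, start, end, port=80):
    """Unique SRC addresses dropped or rejected on `port` between `start` and `end` (syslog timestamps)."""
    t0, t1 = datetime.strptime(start, SYSLOG_FMT), datetime.strptime(end, SYSLOG_FMT)
    hits = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"] not in ("DROP", "REJECT") or int(m["dpt"]) != port:
            continue
        if t0 <= datetime.strptime(m["ts"], SYSLOG_FMT) <= t1:
            hits.add(m["src"])
    return sorted(hits, key=ipaddress.ip_address)


def lists_blocking(ips, blocklists):
    """Map each address to the (sorted) names of the lists whose ranges contain it."""
    parsed = {name: load_netset(text) for name, text in blocklists.items()}
    report = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        report[ip] = sorted(name for name, nets in parsed.items() if any(addr in net for net in nets))
    return report


def lists_to_disable(report):
    """Every list that blocked at least one validation source during the window."""
    return sorted({name for names in report.values() for name in names})


if __name__ == "__main__":
    blocked = blocked_sources(SAMPLE_FIREWALL_LOG, "Mar  3 04:10:00", "Mar  3 04:15:00")
    report = lists_blocking(blocked, SAMPLE_BLOCKLISTS)
    for ip, names in report.items():
        print(f"{ip}: blocked by {', '.join(names) or 'no loaded list'}")
    print("disable:", ", ".join(lists_to_disable(report)))
```

Against a real server, feed `blocked_sources()` the contents of the firewall log for the minutes around the `certbot`/renewal run and `lists_blocking()` the downloaded .netset files under their list names; the hypothetical port argument lets you repeat the check for port 443 if a redirect is involved. Because Let's Encrypt does not publish its validators' addresses (the FAQ quoted at the top of the thread), the lists this reports are only those that matched this particular run; a later renewal may come from addresses on a list that was not hit this time.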

Thank you for your answer Filippo.

As previously reported, I had already deactivated all IP blacklists (that seemed easier to me than finding the responsible blacklist), but the problem was the same (before).

However, I have now followed your advice exactly and found these IP addresses in firewall.log: 52.58.118.98, 34.211.60.134 and 18.224.20.83

The corresponding IP blacklists were "Pushing inertia blocklist" and "Firehol webserver".
Edit: "Datacenters" also, but this list was already deactivated.
(Unfortunately each query in Cockpit shows a single result only, so I had to do a total of two runs.)

After disabling these IP blacklists, the Let's Encrypt renewal process works fine. Thank you!

Normally you could close this thread now, but one fundamental question still remains open:
How can that be?

If I deactivate ALL IP blacklists (all categories) as described before, the Let's Encrypt renewal fails.
If I deactivate only SOME IP blacklists (the specific ones above), the renewal works fine.

I would test it again with ALL blacklists deactivated, but I think my Let's Encrypt renewal counter is almost full for today. I think I will test that again later. Maybe you would like to check this behavior yourself.

Regards yummiweb