During the automatic renewal phase of the Let’s Encrypt certificate, I encountered errors related to reaching the site itself for renewal. By deactivating the IP blacklist, the renewal was successfully completed.
On the Let’s Encrypt site I found a FAQ about it with the following text:
What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time.
It is therefore not possible to whitelist the public IPs. Has anyone already encountered the same problem?
Many thanks for the support.
Port 80 is already open on the Internet. The problem is that I have enabled the IP blacklist in the Threat Shield module; the automatic renewal doesn’t work because the public IP addresses of Let’s Encrypt are blocked by the list.
I probably should have been more clear–port 80 needs to be open to the entire Internet. And really, that’s always been the stated position of Let’s Encrypt–it’s just been fairly recently that they’ve started validating from a wider pool of IP addresses. At this point, you should expect that any sizeable IP blacklist applied to port 80 is going to result in you failing validation.
Edit: You could always implement DNS validation instead–I have a couple of pages in the wiki dealing with that.
I have exactly the same problem. Letsencrypt doesn’t renew certificates when Threat-Shield is enabled. First I thought this was a problem with specific IP blocklists, but if I disable ALL IP blocklists the problem persists. If I disable the whole IP blocklisting, the renewal is fine.
Any suggestions that avoid this DNS validation procedure?
Thank you for your answer, but can you explain that?
How, or at which part, does the (naked) blacklisting procedure - without any blacklist entries - stop the renewal process? I’d like to understand this.
As previously reported, I had already deactivated all IP blacklists (that seemed easier to me than finding the responsible blacklist), but the problem was the same (before).
However, I followed your advice exactly now and found these several IP addresses in firewall.log: 126.96.36.199, 188.8.131.52 and 184.108.40.206
The corresponding IP blacklists were “Pushing inertia blocklist” and “Firehol webserver”.
Edit: “Datacenters” also, but this list was deactivated already.
(Unfortunately each query in Cockpit shows only a single result, so I had to do a total of two runs.)
After disabling these IP blacklists, the Letsencrypt renewal process works fine. Thank you!
Normally you could close this thread now, but one fundamental question still remains open:
How can that be?
If I deactivate ALL IP blacklists (all categories) as described before, the Letsencrypt renewal fails.
If I deactivate only SOME IP blacklists (the specific ones above), the renewal works fine.
I would test it again with ALL blacklists deactivated, but I think my Letsencrypt renewal counter is almost full for today. I think I will test that later again. Maybe you would like to check this behavior yourself.
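A way to do the firewall.log check described in this thread in one pass, as an added example that is not part of the thread or of any firewall product: it parses netfilter-style LOG lines (constructed samples; the convention that the log prefix names the blocklist, and the line layout, are assumptions), keeps only dropped TCP/80 connections, and reports which blocklist produced them, so the lists that block validation traffic are found together instead of one Cockpit query per address.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG lines in the style a firewall writes to firewall.log.
# Assumption: the log prefix (text before "IN=") names the blocklist that matched.
SAMPLE_LOG = """\
Oct 12 03:14:07 fw kernel: blacklist_pushing_inertia: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=80 SYN
Oct 12 03:14:07 fw kernel: accept: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=443
Oct 12 03:14:09 fw kernel: blacklist_firehol_webserver: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=80 SYN
Oct 12 03:14:11 fw kernel: blacklist_firehol_webserver: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=51236 DPT=80 SYN
Oct 12 03:14:12 fw kernel: blacklist_datacenters: IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.5 PROTO=UDP SPT=5353 DPT=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>[^:]+): "
    r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def blocked_http_hits(log_text, block_prefix="blacklist_"):
    """Return {blocklist_prefix: {src_ip: hit_count}} for dropped TCP/80 SYNs.

    Only lines whose prefix starts with block_prefix are counted, so accept
    lines and non-HTTP traffic (e.g. the UDP/53 drop above) are ignored."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["prefix"].startswith(block_prefix):
            continue
        if m["proto"] != "TCP" or m["dpt"] != "80":
            continue
        hits[m["prefix"]][m["src"]] += 1
    return {p: dict(s) for p, s in hits.items()}


def lists_to_review(hits):
    """Names of the blocklists that dropped port-80 traffic, most hits first."""
    return sorted(hits, key=lambda p: -sum(hits[p].values()))


if __name__ == "__main__":
    found = blocked_http_hits(SAMPLE_LOG)
    for name in lists_to_review(found):
        print(name, found[name])
```

Run it against the real firewall.log restricted to the minutes around a failed renewal; each prefix it reports is a list to exempt from port 80 or to disable before the next attempt.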