Allowing letsencrypt http validation with Configserver Firewall / csf

Categories: CSF, Firewall, Letsencrypt / ACME

What:

You pulled a docker container that does ACME / Letsencrypt automagically for you but does not allow for DNS validation. You use CSF and you do not want port 80 exposed to random sources.

Why:

Because CSF rocks 🙂 You might be hosting an application that only needs to be accessible by an ACL and you do not want to keep port 80 open for ACME / Letsencrypt. At the same time you are tired of having certificate renewals fail because port 80 is blocked when the job runs.

How:

vi /etc/csf/csf.dyndns

Add these two lines:

tcp|in|d=80|s=outbound1.letsencrypt.org
tcp|in|d=80|s=outbound2.letsencrypt.org

Then reload with

csf -ra

This will prompt CSF to lookup the IP addresses of these two aliases every 5 minutes and open port 80 to Letsencrypt only.

Letsencrypt discourage the use of these aliases and reserve the right to change their outbound validator IP addresses suddenly, discontinue updating the aliases or deleting them altogether. They would very much prefer for you to use DNS validation. This is a suitable band-aid for many self-hosted projects.

«

    Leave a Reply

    Your email address will not be published.