Allowing Letsencrypt HTTP validation with ConfigServer Firewall / csf
What:
You pulled a Docker container that does ACME / Letsencrypt automagically for you but does not allow for DNS validation. You use CSF and you do not want port 80 exposed to random sources.
Why:
Because CSF rocks 🙂 You might be hosting an application that only needs to be accessible by an ACL and you do not want to keep port 80 open for ACME / Letsencrypt. At the same time you are tired of having certificate renewals fail because port 80 is blocked when the job runs.
How:
vi /etc/csf/csf.dyndns
Add these two lines:
tcp|in|d=80|s=outbound1.letsencrypt.org
tcp|in|d=80|s=outbound2.letsencrypt.org
Then reload with
csf -ra
This will prompt CSF to look up the IP addresses of these two aliases every 5 minutes and open port 80 to Letsencrypt only. The polling interval is the DYNDNS setting in csf.conf (in seconds, polled by lfd); if it is left at 0, csf.dyndns is never polled and the rules never appear. Port 80 must also not be listed in TCP_IN in csf.conf, or it stays open to everyone regardless of csf.dyndns.
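To sanity-check both settings before the next renewal job runs, here is an added shell script (not from this post or the CSF project) that validates csf.dyndns entries against the proto|in/out|d=port|s=host shape used above and confirms the port is not also listed in csf.conf's TCP_IN. It runs on constructed sample content embedded in the script rather than the real files.

```shell
#!/bin/sh
# Constructed sample csf.dyndns content (the two entries from the post).
SAMPLE_DYNDNS='tcp|in|d=80|s=outbound1.letsencrypt.org
tcp|in|d=80|s=outbound2.letsencrypt.org'
# Constructed sample TCP_IN line as it appears in csf.conf; port 80 deliberately absent.
SAMPLE_TCP_IN='TCP_IN = "22,443"'

# Return 0 if one csf.dyndns line has the proto|in/out|d=port|s=host shape, else 1.
check_dyndns_line() {
  old_ifs=$IFS; IFS='|'; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  proto=$1; dir=$2; port=$3; src=$4
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  case "$dir" in in|out) ;; *) return 1 ;; esac
  case "$port" in d=*) ;; *) return 1 ;; esac
  p=${port#d=}
  case "$p" in ''|*[!0-9]*) return 1 ;; esac      # numeric port only
  [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  case "$src" in s=?*) ;; *) return 1 ;; esac       # non-empty hostname
  return 0
}

# Return 0 if TCP_IN (single ports and lo:hi ranges) already admits port $2 from any source.
tcp_in_exposes_port() {
  list=${1#*\"}; list=${list%\"*}; want=$2
  old_ifs=$IFS; IFS=','; set -- $list; IFS=$old_ifs
  for item; do
    case "$item" in
      *:*) [ "$want" -ge "${item%%:*}" ] && [ "$want" -le "${item#*:}" ] && return 0 ;;
      *)   [ "$item" = "$want" ] && return 0 ;;
    esac
  done
  return 1
}

# Return 0 only if every csf.dyndns entry parses and port $3 is not globally open in TCP_IN.
audit_config() {
  dyndns=$1; tcp_in=$2; port=$3
  printf '%s\n' "$dyndns" | while IFS= read -r l; do
    case "$l" in ''|\#*) continue ;; esac          # skip blank and comment lines
    check_dyndns_line "$l" || { echo "bad csf.dyndns entry: $l" >&2; exit 1; }
  done || return 1
  if tcp_in_exposes_port "$tcp_in" "$port"; then
    echo "port $port is in TCP_IN, so it is open to everyone regardless of csf.dyndns" >&2
    return 1
  fi
}

audit_config "$SAMPLE_DYNDNS" "$SAMPLE_TCP_IN" 80 && echo "csf.dyndns entries valid and port 80 not in TCP_IN"
```

Point the two functions at the contents of /etc/csf/csf.dyndns and the TCP_IN line of /etc/csf/csf.conf to check a live host.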
Letsencrypt discourages the use of these aliases and reserves the right to change its outbound validator IP addresses without notice, to stop updating the aliases, or to delete them altogether. It would much prefer that you use DNS validation. Still, this is a suitable band-aid for many self-hosted projects.
As of 2H 2020 this method no longer works, because challenges are now validated from multiple network vantage points rather than only the two aliases above. Ref:
https://community.letsencrypt.org/t/acme-v1-v2-validating-challenges-from-multiple-network-vantage-points/112253/3