{"id":367,"date":"2020-09-19T08:16:39","date_gmt":"2020-09-19T08:16:39","guid":{"rendered":"https:\/\/7dc.org\/?p=367"},"modified":"2020-09-19T08:18:12","modified_gmt":"2020-09-19T08:18:12","slug":"allowing-letsencrypt-http-validation-with-configserver-firewall-csf","status":"publish","type":"post","link":"https:\/\/7dc.org\/index.php\/2020\/09\/19\/allowing-letsencrypt-http-validation-with-configserver-firewall-csf\/","title":{"rendered":"Allowing letsencrypt http validation with Configserver Firewall \/ csf"},"content":{"rendered":"<p>What:<\/p>\n<p>You pulled a docker container that does ACME \/ Letsencrypt automagically for you but does not allow for DNS validation. You use <a href=\"https:\/\/www.configserver.com\/cp\/csf.html\" target=\"_blank\" rel=\"noopener noreferrer\">CSF<\/a> and you do not want port 80 exposed to random sources.<\/p>\n<p>Why:<\/p>\n<p>Because <a href=\"https:\/\/www.configserver.com\/cp\/csf.html\" target=\"_blank\" rel=\"noopener noreferrer\">CSF<\/a> rocks \ud83d\ude42 You might be hosting an application that only needs to be accessible by an ACL and you do not want to keep port 80 open for ACME \/ Letsencrypt. At the same time you are tired of having certificate renewals fail because port 80 is blocked when the job runs.<\/p>\n<p>How:<\/p>\n<p><code>vi \/etc\/csf\/csf.dyndns<\/code><\/p>\n<p>Add these two lines:<\/p>\n<p><code>tcp|in|d=80|s=outbound1.letsencrypt.org<br \/>\ntcp|in|d=80|s=outbound2.letsencrypt.org<\/code><\/p>\n<p>Then reload with <\/p>\n<p><code>csf -ra<\/code><\/p>\n<p>This will prompt CSF to lookup the IP addresses of these two aliases every 5 minutes and open port 80 to Letsencrypt only.<\/p>\n<p>Letsencrypt discourage the use of these aliases and reserve the right to change their outbound validator IP addresses suddenly, discontinue updating the aliases or deleting them altogether. They would very much prefer for you to use DNS validation. This is a suitable band-aid for many self-hosted projects.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What: You pulled a docker container that does ACME \/ Letsencrypt automagically for you but does not allow for DNS validation. You use CSF and you do not want port 80 exposed to random sources. Why: Because CSF rocks \ud83d\ude42 You might be hosting an application that only needs to be accessible by an ACL &#8230; <a class=\"read-more\" href=\"https:\/\/7dc.org\/index.php\/2020\/09\/19\/allowing-letsencrypt-http-validation-with-configserver-firewall-csf\/\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35,34,36],"tags":[],"class_list":["post-367","post","type-post","status-publish","format-standard","hentry","category-csf","category-firewall","category-letsencrypt-acme"],"_links":{"self":[{"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/posts\/367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/comments?post=367"}],"version-history":[{"count":4,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/posts\/367\/revisions"}],"predecessor-version":[{"id":371,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/posts\/367\/revisions\/371"}],"wp:attachment":[{"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/media?parent=367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/categories?post=367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/tags?post=367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}