Country blocking exception for Let's Encrypt renewal

Hi tomcek,

Thank you for reaching out to the Community! 

Can you please check if you have configured the country blocking exception for the "letsencrypt.org" and "acme-staging-v02.api.letsencrypt.org" as per the highlighted entries in the following table?  

You could find more information by navigating to Network Protection > Firewall > Country Blocking Exceptions and the click on the "?" on the top right of the page. 

Thanks,

Hi tomcek,

Thank you for reaching out to the Community! 

Can you please check if you have configured the country blocking exception for the "letsencrypt.org" and "acme-staging-v02.api.letsencrypt.org" as per the highlighted entries in the following table?  

You could find more information by navigating to Network Protection > Firewall > Country Blocking Exceptions and the click on the "?" on the top right of the page. 

Thanks,

Sorry for my very very very late reply 

Can you have a look to my exception in the Country Blocking. Do you see any issue here?

Hi tomcek,

Thank you for reaching out! 

There’s one selected country; please remove it and see if that helps. 

Thanks,

No, it doesn't make a difference. It always fails. Only disabling "United States [Off]" in Country Blocking would help. But that's no solution.

Hi tomcek,

Thank you for the update. 

You would need two exceptions, Going to and Coming from, for those external hosts. 

Configure these two exceptions and don't select any countries. When you configure external hosts in the country blocking exceptions, it's not recommended to select countries. 

Thanks,

No luck. It's still blocking. 

The hosts are DNS-Groups because they can have multiple IPs.

Has anyone an idea how to solve that problem?

No, I am unsuccessful too ... and I tried this multiple times...

LE named this a "security feature". No known servers for validating. Changing IP's and multiple requests for a single validation (all must match .. not only one).
No option to create a useful Country-blocking-exception.

check: letsencrypt.org/.../
What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time. Note that we now validate from multiple IP addresses.

I had the same probl. last Weekend, there are 4 different IP from LE to update the cert.

so my solution was delete LE account on UTM and generate a new one.

create a cert with all my domains in it and open the FW for some seconds to deploy the cert.

after that close my FW again.

It seems that LE are using many different povider services like AWS and DO, both are scanning my system every day to i have blocked that.

There is no reason to delete your existing account, you can use your existing one.

Today I saw three differtent IPs in the packet filter and I have added them to the country blocking exception:

3.128.26.105

64.78.149.164

34.209.232.166

It worked for today. But I'm not sure it will help the next time the certificates are renewed.

Would be great if Let's Encrypt would work with DNS hosts.

LE named this behaviour "security feature". i think they don#t change this ...