
Country blocking exception for Let's Encrypt renewal

Hello,

can anyone tell me how to define a valid country blocking exception for the Let's Encrypt service?

With country blocking enabled I get the error:

Let's Encrypt certificate renewal failed accessing Let's Encrypt service

I tried it with an exception for the DNS entries letsencrypt.org (172.65.32.248) and acme-staging-v02.api.letsencrypt.org (172.65.46.172),

but this doesn't seem to be the right way.

Can anyone help me out please?

  • FormerMember (+1)

    Hi,

    Thank you for reaching out to the Community!

    Can you please check if you have configured the country blocking exception for the "letsencrypt.org" and "acme-staging-v02.api.letsencrypt.org" as per the highlighted entries in the following table?

    | Interface/remote host            | Requests    | Host/network                     | Countries               |
    |----------------------------------|-------------|----------------------------------|-------------------------|
    | Local interface                  | Coming from | Enter a local interface address  | Choose countries to skip |
    | Local interface                  | Going to    | Enter a local interface address  | Choose countries to skip |
    | Remote host (internal network)   | Coming from | Enter an internal host/network   | Choose countries to skip |
    | Remote host (external network)   | Coming from | Enter an external host           | Do not choose countries  |
    | Remote host (internal network)   | Going to    | Enter an internal host/network   | Choose countries to skip |
    | Remote host (external network)   | Going to    | Enter an external host           | Do not choose countries  |

    You can find more information by navigating to Network Protection > Firewall > Country Blocking Exceptions and then clicking the "?" at the top right of the page.

    Thanks,

  • Sorry for my very very very late reply.

    Can you have a look at my exception in the Country Blocking? Do you see any issue here?

  • FormerMember (in reply to tomcek)

    Hi,

    Thank you for reaching out!

    There's one selected country; please remove it and see if that helps.

    Thanks,

  • No, it doesn't make a difference. It always fails. Only disabling "United States [Off]" in Country Blocking would help. But that's no solution.

  • FormerMember (+1, in reply to tomcek)

    Hi,

    Thank you for the update.

    You would need two exceptions, Going to and Coming from, for those external hosts.

    Configure these two exceptions and don't select any countries. When you configure external hosts in the country blocking exceptions, it's not recommended to select countries.

    Thanks,

  • No luck. It's still blocking.

    The hosts are DNS-Groups because they can have multiple IPs.

  • Has anyone an idea how to solve that problem?

  • No, I am unsuccessful too ... and I tried this multiple times...

    LE named this a "security feature". No known servers for validating. Changing IPs and multiple requests for a single validation (all must match, not only one).
    No option to create a useful Country-blocking-exception.

    check: letsencrypt.org/.../
    What IP addresses does Let’s Encrypt use to validate my web server?
    We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time. Note that we now validate from multiple IP addresses.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • I had the same problem last weekend; there are 4 different IPs from LE to update the cert.

    So my solution was to delete the LE account on UTM and generate a new one,

    create a cert with all my domains in it and open the FW for some seconds to deploy the cert.

    After that, close my FW again.

    It seems that LE is using many different provider services like AWS and DO; both are scanning my system every day, so I have blocked them.

  • There is no reason to delete your existing account, you can use your existing one.

    Today I saw three different IPs in the packet filter and I have added them to the country blocking exception:

    3.128.26.105

    64.78.149.164

    34.209.232.166

    It worked for today. But I'm not sure it will help the next time the certificates are renewed.

    Would be great if Let's Encrypt would work with DNS hosts.
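The post above found the validation sources by reading the packet filter log by hand. The script below is an added example (not from the thread or from Sophos) that does the same triage over constructed sample lines written in the key="value" style of the UTM packet filter log: it keeps dropped inbound TCP packets to the HTTP-01 challenge ports inside a short window around the renewal run and counts the source IPs. The field names, the timestamp layout and the renewal time are assumptions; the IPs are the three from the post plus two made-up TEST-NET addresses as noise.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in the key="value" layout of the UTM packet filter log.
# Field names (action, srcip, dstip, proto, dstport) and the timestamp format are
# assumptions about that log, not copied from the thread.
SAMPLE_LOG = """\
2020:03:10-03:00:05 utm ulogd[2201]: id="2001" severity="info" sub="packetfilter" name="Packet dropped" action="drop" srcip="3.128.26.105" dstip="203.0.113.10" proto="6" srcport="51234" dstport="80"
2020:03:10-03:00:05 utm ulogd[2201]: id="2001" severity="info" sub="packetfilter" name="Packet dropped" action="drop" srcip="64.78.149.164" dstip="203.0.113.10" proto="6" srcport="40211" dstport="80"
2020:03:10-03:00:06 utm ulogd[2201]: id="2001" severity="info" sub="packetfilter" name="Packet dropped" action="drop" srcip="34.209.232.166" dstip="203.0.113.10" proto="6" srcport="33900" dstport="80"
2020:03:10-03:00:06 utm ulogd[2201]: id="2001" severity="info" sub="packetfilter" name="Packet dropped" action="drop" srcip="198.51.100.77" dstip="203.0.113.10" proto="6" srcport="50000" dstport="22"
2020:03:10-09:15:00 utm ulogd[2201]: id="2001" severity="info" sub="packetfilter" name="Packet dropped" action="drop" srcip="198.51.100.78" dstip="203.0.113.10" proto="6" srcport="50001" dstport="80"
"""

RENEWAL_START = datetime(2020, 3, 10, 3, 0, 0)  # constructed: when the renewal job ran
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"  # assumed layout of the leading timestamp


def parse_line(line):
    """Return (timestamp, fields) for one key="value" line, or None if unparsable."""
    try:
        ts = datetime.strptime(line.split(" ", 1)[0], TS_FORMAT)
    except ValueError:
        return None
    return ts, dict(FIELD_RE.findall(line))


def dropped_validation_sources(log_text, renewal_start, window=timedelta(minutes=5),
                               challenge_ports=("80", "443")):
    """Count source IPs whose inbound TCP packets to the challenge ports were dropped
    inside the renewal window. Each is a likely Let's Encrypt validation source that
    the country block stopped; the set is only known to be valid for this run."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if not (renewal_start <= ts <= renewal_start + window):
            continue  # drop happened outside the renewal window
        if f.get("action") != "drop" or f.get("proto") != "6":
            continue  # only dropped TCP packets are of interest
        if f.get("dstport") in challenge_ports:
            hits[f["srcip"]] += 1
    return hits
```

Because Let's Encrypt does not publish its validation addresses, the resulting list documents what blocked this renewal rather than a stable allow list; re-run it after each renewal attempt.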

  • LE named this behaviour a "security feature". I think they don't change this ...


    Dirk
