Certbot (Let's Encrypt) verification not getting through WAF.

Question

I'm trying to get Let's Encrypt working on one of my web servers (which is behind the WAF). 
 This is what I'm running and receiving on the web server: 
 $ sudo certbot certonly --webroot -d internal.bordo.com.au -w /myRoot/ Password: Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for internal.bordo.com.au Using the webroot path /myRoot for all unmatched domains. Waiting for verification... Challenge failed for domain internal.bordo.com.au http-01 challenge for internal.bordo.com.au Cleaning up challenges Some challenges have failed. IMPORTANT NOTES: - The following errors were reported by the server: Domain: internal.bordo.com.au Type: connection Detail: Fetching internal.bordo.com.au/.../PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw: Timeout after connect (your server may be slow or overloaded) To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. 
 
 The WAF log (logwin.html) shows: 
 2020:11:17-10:55:57 astaro1-1 httpd: id="0299" srcip="3.128.26.105" localip="139.130.139.174" size="257" user="-" host="3.128.26.105" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="74965" url="/.well-known/acme-challenge/V7nRDlBP_91-Td-6ISQuAVMw9BgEai4syOROvNXN8i0" server="internal.bordo.com.au" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MRjXkFxqwNTKr@DgGTfQAAAAk" 
 2020:11:17-10:55:57 astaro1-1 httpd: id="0299" srcip="34.211.6.84" localip="139.130.139.174" size="257" user="-" host="34.211.6.84" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="83948" url="/.well-known/acme-challenge/V7nRDlBP_91-Td-6ISQuAVMw9BgEai4syOROvNXN8i0" server="internal.bordo.com.au" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MRjXkFxqwNTKr@DgGTeQAAAAw" 
 2020:11:17-10:55:57 astaro1-1 httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="46875" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="26763" url="/status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MRjXkFxqwNTKr@DgGTmAAAACc" 
 2020:11:17-10:55:57 astaro1-1 httpd: id="0299" srcip="52.28.236.88" localip="139.130.139.174" size="257" user="-" host="52.28.236.88" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="82802" url="/.well-known/acme-challenge/V7nRDlBP_91-Td-6ISQuAVMw9BgEai4syOROvNXN8i0" server="internal.bordo.com.au" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MRjXkFxqwNTKr@DgGTgQAAAAQ" 
 2020:11:17-10:55:57 astaro1-1 httpd: id="0299" srcip="64.78.149.164" localip="139.130.139.174" size="257" user="-" host="64.78.149.164" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="103247" url="/.well-known/acme-challenge/V7nRDlBP_91-Td-6ISQuAVMw9BgEai4syOROvNXN8i0" server="internal.bordo.com.au" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MRjXkFxqwNTKr@DgGTdwAAAAE" 
 
 Another try:

2020:11:17-11:34:52 astaro1-1 httpd: id="0299" srcip="3.128.26.105" localip="139.130.139.174" size="254" user="-" host="3.128.26.105" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="216282" url="/.well-known/acme-challenge/PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" server="internal.bordo.com.au" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7Maq3BZLmB8Joos1mMIaAAAAGE" 
 2020:11:17-11:34:52 astaro1-1 httpd: id="0299" srcip="18.196.96.172" localip="139.130.139.174" size="254" user="-" host="18.196.96.172" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="8947" url="/.well-known/acme-challenge/PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" server="internal.bordo.com.au" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MarHBZLmB8Joos1mMIaQAAAEA" 
 2020:11:17-11:34:52 astaro1-1 httpd: id="0299" srcip="34.211.6.84" localip="139.130.139.174" size="254" user="-" host="34.211.6.84" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="3508" url="/.well-known/acme-challenge/PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" server="internal.bordo.com.au" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MarHBZLmB8Joos1mMIagAAAEs" 
 2020:11:17-11:34:53 astaro1-1 httpd: id="0299" srcip="64.78.149.164" localip="139.130.139.174" size="254" user="-" host="64.78.149.164" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="3752" url="/.well-known/acme-challenge/PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" server="internal.bordo.com.au" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MarXBZLmB8Joos1mMIbgAAAGM" 
 2020:11:17-11:34:54 astaro1-1 httpd[20200]: [authz_blacklist:warn] [pid 20200:tid 3844557680] [client 3.128.26.105:23396] DNSRBL lookup: Match found on fur.cal1.sophosxl.com, referer: internal.bordo.com.au/.../PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw 
 2020:11:17-11:34:54 astaro1-1 httpd: id="0299" srcip="3.128.26.105" localip="139.130.139.174" size="279" user="-" host="3.128.26.105" method="GET" statuscode="403" reason="dnsrbl" extra="Client is listed on DNSRBL fur.cal1.sophosxl.com" exceptions="-" time="1725478" url="/.well-known/acme-challenge/PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" server="internal.bordo.com.au" port="443" query="" referer=" ">internal.bordo.com.au/.../PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MarXBZLmB8Joos1mMIawAAAFQ" 
 2020:11:17-11:34:55 astaro1-1 httpd[20200]: [authz_blacklist:warn] [pid 20200:tid 3760630640] [client 34.211.6.84:30276] DNSRBL lookup: Match found on fur.cal1.sophosxl.com, referer: internal.bordo.com.au/.../PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw 
 2020:11:17-11:34:55 astaro1-1 httpd: id="0299" srcip="34.211.6.84" localip="139.130.139.174" size="279" user="-" host="34.211.6.84" method="GET" statuscode="403" reason="dnsrbl" extra="Client is listed on DNSRBL fur.cal1.sophosxl.com" exceptions="-" time="1435094" url="/.well-known/acme-challenge/PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" server="internal.bordo.com.au" port="443" query="" referer=" ">internal.bordo.com.au/.../PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MarXBZLmB8Joos1mMIbAAAAF4" 
 2020:11:17-11:34:55 astaro1-1 httpd[20200]: [authz_blacklist:warn] [pid 20200:tid 3769023344] [client 18.196.96.172:65328] DNSRBL lookup: Match found on fur.cal1.sophosxl.com, referer: internal.bordo.com.au/.../PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw 
 2020:11:17-11:34:55 astaro1-1 httpd: id="0299" srcip="18.196.96.172" localip="139.130.139.174" size="279" user="-" host="18.196.96.172" method="GET" statuscode="403" reason="dnsrbl" extra="Client is listed on DNSRBL fur.cal1.sophosxl.com" exceptions="-" time="1416303" url="/.well-known/acme-challenge/PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" server="internal.bordo.com.au" port="443" query="" referer=" ">internal.bordo.com.au/.../PftAsVdmkyiDzNJpxfjGkuat-vviRTpiTtZRyuOGPrw" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X7MarXBZLmB8Joos1mMIbQAAAF0" 
 
 In the WAF settings I've set it to 'No Profile' and unchecked all the boxesin Advanced.

Any suggestions? 
 Running Release 9.705-3. 
 Thanks, James.

FormerMember · Accepted Answer

Hi jlbrown , 
 Could you please check if you have country blocking configured under Network Protection > Firewall > Country Blocking? 
 If it is configured, please check out the following community post and configure the country blocking exception. 
 
 Country blocking exception for Let's Encrypt renewal 
 
 Thanks,

jlbrown · Answer

Thanks that worked. 
 For anyone else who has the problem, these are the four exceptions I set up:

Thanks again everyone! 
 
 James.

Certbot (Let's Encrypt) verification not getting through WAF.

Top Replies