
WebServer Protection Access Control vs Let's Encrypt

I have a website which I DO want to have a public IP and routing, as well as a valid certificate, but which must only be accessible from internal resources.

To that end I've set up Access Control, granting only certain local networks access and I thought this is a done-deal, and that I don't need to do anything else. To my surprise a few nights ago I got a notification email that the site's LE certificate has failed to renew.

The logs show the LE process, when attempting to access the ACME challenge, is getting a 403 error, which would coincide with what an external user gets when trying to access the site.

...I was sure this was working before! If it never was (I may have generated the certificate prior to setting the site up) - can I have a website that's got a valid LE certificate and a public DNS but is only accessible from local network?

  • Hi Mateusz,

    Normally, the LE script creates a WAF publishing with necessary access rights.
    Only for country-blocking I have to create exceptions.
    But maybe your configuration overrides the sitepath-routing created by LE.


    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello Mateusz,

    Maybe you can get this working by allowing access from these Let's Encrypt servers:

    It's not the most elegant solution, but should work.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • That was my understanding as well!

    It seems that when I turned off the access control rules I was able to refresh the certificate; that makes it good for at least another 2 months. I just... well, can't remember if I set this certificate up ~2 months ago (i.e. this sort of configuration doesn't really work and initially I just had set up the certificate before the access rules) or if there was some freak issue with refreshing this one time...
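
A way to confirm from the proxy log that access control is what rejects the certificate validation, as an added example that is not part of the original thread or of any Sophos tooling. The log lines, their field names and the allowed networks are constructed assumptions; the only fixed detail is the standard ACME HTTP-01 path `/.well-known/acme-challenge/`.

```python
import ipaddress
import re

# Assumed internal networks granted access by the access-control rule (constructed).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
ACME_PREFIX = "/.well-known/acme-challenge/"  # standard HTTP-01 challenge path

# Constructed sample lines; the key="value" field names are hypothetical.
SAMPLE_LOG = '''\
srcip="192.168.10.25" method="GET" url="/index.html" status="200"
srcip="203.0.113.7" method="GET" url="/index.html" status="403"
srcip="198.51.100.44" method="GET" url="/.well-known/acme-challenge/tok-constructed" status="403"
srcip="198.51.100.90" method="GET" url="/.well-known/acme-challenge/tok-constructed" status="403"
srcip="10.1.2.3" method="GET" url="/.well-known/acme-challenge/tok-constructed" status="200"
srcip="not-an-ip" method="GET" url="/.well-known/acme-challenge/x" status="403"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def is_internal(ip_text):
    """True if the address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on malformed input
    return any(addr in net for net in ALLOWED_NETS)

def blocked_acme_requests(log_text):
    """Return (srcip, url) for external ACME challenge fetches answered with 403."""
    hits = []
    for line in log_text.splitlines():
        rec = dict(FIELD_RE.findall(line))
        if not {"srcip", "url", "status"} <= rec.keys():
            continue  # skip lines that lack the fields we need
        if not rec["url"].startswith(ACME_PREFIX) or rec["status"] != "403":
            continue
        try:
            if is_internal(rec["srcip"]):
                continue  # an internal 403 points at a different problem
        except ValueError:
            continue  # unparsable source address, ignore the line
        hits.append((rec["srcip"], rec["url"]))
    return hits

def diagnose(log_text):
    hits = blocked_acme_requests(log_text)
    if hits:
        return f"renewal blocked: {len(hits)} external ACME validation request(s) got 403"
    return "no blocked ACME validation requests found"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

If the 403 responses on the challenge path all come from outside the allowed networks, the access-control rule is being applied to the validation request as well as to the site itself.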