OPNsense Forum » English Forums » General Discussion
Topic: Creating a rule to allow LetsEncrypt Acme challenge (Read 1008 times)
HankM (Newbie, Posts: 11, Karma: 0)
Creating a rule to allow LetsEncrypt Acme challenge « on: May 05, 2024, 01:21:18 pm »
I need to allow Let's Encrypt Certbot's ACME challenge through.
With my limited knowledge, I created this firewall WAN rule:
Action - Pass
Interface - WAN
Direction - In
TCP Version - IPv4
Protocol - TCP
Source - any
Destination - Single Host - 72.xx.xxx.xxx/32 (the public IP of the mail server)
Destination Port Range - 80 to 443 (or do I need one rule for each?)
Gateway - ?? Default (or should it be my internal or WAN PPPoE?) I left it at default.
I moved the rule to the top of my list of blocked IP addresses (Country Block), but it doesn't work.
The people at Let's Encrypt tell me that I've managed to block some of the ACME challenge servers, and I had hoped that this would fix it.
What have I done wrong?
Saarbremer (Sr. Member, Posts: 353, Karma: 14)
Re: Creating a rule to allow LetsEncrypt Acme challenge « Reply #1 on: May 05, 2024, 03:34:43 pm »
Hi,
you can debug this yourself. First make your rule a little bit more maintenance-friendly:
Create two aliases: one for your server's IP address and one for the two ports 80 and 443. Then rewrite your rule with those aliases, enable logging, and perform a state reset of the firewall.
Then check in the firewall live log what is blocked during the ACME challenge and response. You should see traffic coming in towards your server on 80 or 443 which is probably blocked. If it passes, you may have something other than firewall blocks going on.
Regarding the rule: don't define a gateway unless you need policy-based routing.
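As an added example (not code from this thread or from OPNsense), a small Python parser for the kind of filterlog lines the reply suggests checking: it picks out inbound TCP to the server on 80/443 that a rule on the WAN interface blocked and counts the hits per rule number, so you can see which rule is winning over the intended pass rule. It assumes the BSD-syslog `filterlog[pid]:` prefix and the pf filterlog CSV field order; the interface name, addresses and rule numbers in the sample lines are constructed. It also handles IPv6 records, which the thread does not discuss.

```python
import re
from collections import Counter, namedtuple
from typing import List, Optional

# Constructed sample lines (BSD-syslog style). The CSV payload after "filterlog[pid]: " is
# assumed to follow the pf filterlog layout OPNsense writes (rule,sub,anchor,rid,iface,reason,
# action,dir,ipver,...). pppoe0 plays the WAN, 198.51.100.20 the mail server, 84 a GeoIP block rule.
SAMPLE_LOG = """\
May  5 13:20:01 fw filterlog[62917]: 84,,,0,pppoe0,match,block,in,4,0x0,,57,4711,0,DF,6,tcp,60,203.0.113.10,198.51.100.20,44716,80,0,S,1,,64240,,mss
May  5 13:20:02 fw filterlog[62917]: 84,,,0,pppoe0,match,block,in,4,0x0,,57,4712,0,DF,6,tcp,60,203.0.113.11,198.51.100.20,50211,443,0,S,1,,64240,,mss
May  5 13:20:03 fw filterlog[62917]: 91,,,0,pppoe0,match,pass,in,4,0x0,,57,4713,0,DF,6,tcp,60,203.0.113.12,198.51.100.20,38100,80,0,S,1,,64240,,mss
May  5 13:20:04 fw filterlog[62917]: 84,,,0,pppoe0,match,block,in,6,0x00,0x00000,56,tcp,6,40,2001:db8::1,2001:db8:1::20,40001,80,0,S,1,,64240,,mss
May  5 13:20:05 fw filterlog[62917]: 84,,,0,pppoe0,match,block,in,4,0x0,,57,4714,0,DF,6,tcp,60,203.0.113.13,198.51.100.20,55555,22,0,S,1,,64240,,mss
"""

Entry = namedtuple("Entry", "rule iface action direction proto src dst dport")
_PAYLOAD = re.compile(r"filterlog\[\d+\]: (.+)$")

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one filterlog line; None for lines that are not TCP/UDP filterlog records."""
    m = _PAYLOAD.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if f[8:9] not in (["4"], ["6"]) or len(f) < (22 if f[8] == "4" else 19):
        return None
    # IPv4 and IPv6 headers put protocol, addresses and ports at different offsets.
    proto, src, dst, dport = (f[16], f[18], f[19], f[21]) if f[8] == "4" else (f[12], f[15], f[16], f[18])
    if proto not in ("tcp", "udp"):
        return None
    return Entry(f[0], f[4], f[6], f[7], proto, src, dst, int(dport))

ACME_PORTS = (80, 443)  # HTTP-01 validation comes in on 80; the poster's rule opens 443 as well

def blocked_acme_attempts(log: str, wan_if: str, server: str) -> List[Entry]:
    """Inbound TCP towards the server on 80/443 that a rule on the WAN interface blocked."""
    return [e for e in map(parse_entry, log.splitlines())
            if e and (e.iface, e.direction, e.action, e.proto) == (wan_if, "in", "block", "tcp")
            and e.dst == server and e.dport in ACME_PORTS]

def blocking_rules(entries: List[Entry]) -> dict:
    """Blocks per pf rule number: the rule that is winning over the intended pass rule."""
    return dict(Counter(e.rule for e in entries))

if __name__ == "__main__":
    hits = blocked_acme_attempts(SAMPLE_LOG, "pppoe0", "198.51.100.20")
    for h in hits:
        print(f"blocked by rule {h.rule}: {h.src} -> {h.dst}:{h.dport}")
    print("per rule:", blocking_rules(hits))
```

On a real box, feed it the contents of the filter log file instead of SAMPLE_LOG; the pf rule numbers it reports can be matched against `pfctl -vvsr` output.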