IP Location + Let's encrypt renewal

Hi
I run NGINX Proxy Manager on my Proxmox Server to route to the different services on the server.

Yesterday we tried to manually renew different certificates from Let’s Encrypt. It failed completely until we deactivated the Location Filter.

So after my research about this problem I see I’m not alone. This is a problem for all of us IPFire users.

So do we really only have these 2 options?

With opening the whole USA in the Location filter:

Or a very complicated one with a cronjob and special firewall rules:

thx.

That is likely to not be good enough because LetsEncrypt are using locations around the world and they have said that they will move to using multiple locations from multiple areas for an update and they will not provide any list of the servers they use.

So the two options are all I can think of and option 1 will likely need to be more open than just USA as they now use servers from all over the world and the ones they use are not restricted to the location you are in.

EDIT:
Actually there is a third option which is what LetsEncrypt recommend when you have corporate requirements to only open up ports to defined IP’s and that is to use the DNS-01 Challenge instead of the HTTP-01 Challenge.
https://letsencrypt.org/docs/challenge-types/

or LetsEncrypt have also suggested to have a separate server specifically for certificate validation and place it in the DMZ and then extract the updated certs from the DMZ machine if they change.


Or, perhaps, hack the renewal script to insert an extra firewall rule to open port 80 to everywhere when it starts and delete it at the end?

Yes, I have to check that. I don’t really know how and when NGINX Proxy Manager runs the renewal script.

Ok thx adolf

It sounds interesting with the DNS-01 Challenge. But then we have another security risk in keeping API credentials on the web server.

So I prefer to go with option 2: Firewall rules and cronjob

I think first I have to know when NGINX Proxy Manager starts the renewal for Let’s Encrypt. Later I can construct some rules here.

BTW Location Block is an IPFire side project. Discussion is also on the Location mailing list.
See also Blog article

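One way to implement option 2 (a time-boxed firewall opening around the renewal rather than a permanently open country), as an added example that is not code from this thread, from IPFire or from NGINX Proxy Manager. It assumes an iptables-based firewall, a certbot-style renewal command, and that a rule inserted at the top of INPUT is evaluated before the location-block rules; `IPT` can be pointed at a small script that runs the command on the firewall host if the renewal runs elsewhere (all assumptions).

```shell
#!/bin/sh
# Added example: admit TCP/80 only for the duration of a certificate renewal,
# then remove the rule again even if the renewal fails.
# Assumptions (not from the thread): iptables-based firewall, certbot-style
# renewal command, and a rule at position 1 of INPUT precedes the
# location-block rules. IPT may name a wrapper that runs on the firewall host.
IPT="${IPT:-iptables}"
RENEW_CMD="${RENEW_CMD:-certbot renew}"
# The rule is tagged with a comment so a leftover copy can be found later.
RULE="INPUT -p tcp --dport 80 -m comment --comment acme-temp -j ACCEPT"

open_http()  { $IPT -I $RULE; }   # insert at the top of INPUT
close_http() { $IPT -D $RULE; }   # delete exactly that rule

renew_with_window() {
    open_http || { echo "could not open port 80, not renewing" >&2; return 1; }
    $RENEW_CMD
    status=$?
    # Always close the window; report a failed cleanup but keep the renewal's status.
    close_http || echo "WARNING: temporary rule acme-temp still present" >&2
    return "$status"
}

# Removes every leftover acme-temp rule (e.g. after a crash mid-renewal).
cleanup_stale() {
    n=0
    while $IPT -C $RULE 2>/dev/null; do
        close_http || return 1
        n=$((n + 1)); [ "$n" -lt 10 ] || return 1   # guard against a runaway loop
    done
}

case "${1:-}" in
    run)     cleanup_stale && renew_with_window ;;
    cleanup) cleanup_stale ;;
esac
```

Run it from the cronjob as `sh renew-window.sh run` at the time the renewal is scheduled; the port is only reachable while `RENEW_CMD` is executing.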