Let's Encrypt - Location filter and firewall rule (command)

Hello all,

I have a question regarding the “Location Filter” and firewall rule.
I have a VM running on my router that hosts NextCloud. For NextCloud I have manually renewed the certificate from Let’s Encrypt every 3 months. Now I want to automate this and use the “acme.sh” which does this by itself.
But now I have activated the Location Filter on my router and only Germany is allowed, and I have deactivated the incoming port 80.
When I always extended the certificate manually, I activated the firewall rule for the forwarding of port 80 and switched off the location filter. After the renewal, I restored the original status.

How can I automate this via command from my VM?
Before starting acme.sh, the rule for port 80 should be automatically activated from the VM and the location filter should be set to inactive or the corresponding region where the Let’s Encrypt servers are located (could be US) should be released.

Does anyone have a similar problem or a solution that keeps the security and still gets the certificate automatically?

Sincerely Paul


Hi Pablo78,

I have the same setup so maybe I can help you.

Since you use acme.sh to renew it you have to use a cronjob to execute the script. This will probably be done once or twice a week. I do not think more often is necessary.
There you configure when the renew process will be done like every Friday beginning at 1:05 am at night.

Then you define three rules.
You cannot use the GeoIP Block anymore because it is in front of everything else. As stated in previous posts (I cannot cite it now) GeoIP Block is meant to reduce logging. But you can use it to block out certain countries where you believe letsencrypt will never have an endpoint server.
First rule, but in Ranking at third position: Block every country except Germany.
Second rule, in Ranking at second position: Allow port 80 to the nextcloud server in a timeframe which matches the cronjob setting (like Friday 1:00 am until 1:15 am)
Third rule, but in Ranking at first position: Allow every country to the nextcloud server in a timeframe which matches the cronjob setting (like Friday 1:00 am until 1:15 am)

I think basically you updated your letsencrypt certificate doing these steps manually (or disabling/going around IPFire)

If you need more hints feel free to ask.

EDIT:
It is best to use Groups when defining Rules. This can be done for GeoIP too.

1 Like
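As an added example that is not from this thread: a POSIX sh wrapper for the cron job the reply above describes, which only calls acme.sh inside the Friday 01:00-01:15 rule window and bounds the run by the minutes left in it, so a stalled http-01 validation does not keep retrying after port 80 has closed again. The acme.sh install path, the script location and the `--cron --home` invocation are assumptions.

```shell
#!/bin/sh
# Guarded acme.sh run matching the firewall window from the thread (Friday 01:00-01:15)
# and the suggested cron start of 01:05. Paths and the acme.sh call are assumptions.
# Assumed crontab line:  5 1 * * 5 /usr/local/sbin/acme-window.sh

WINDOW_DAY=5            # cron/date weekday numbering: 0=Sunday ... 5=Friday
WINDOW_START="01:00"
WINDOW_END="01:15"
ACME="/root/.acme.sh/acme.sh"   # assumed install location of acme.sh

# Convert HH:MM to minutes since midnight (leading zero stripped for POSIX arithmetic).
to_minutes() {
    h=${1%%:*}; m=${1##*:}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# Seconds left in the window for a given weekday and HH:MM; 0 when outside the window.
# Start is inclusive, end exclusive: at 01:15 the rule has already closed.
seconds_left() {
    day=$1; now=$(to_minutes "$2")
    start=$(to_minutes "$WINDOW_START"); end=$(to_minutes "$WINDOW_END")
    if [ "$day" -eq "$WINDOW_DAY" ] && [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]; then
        echo $(( (end - now) * 60 ))
    else
        echo 0
    fi
}

# Run acme.sh only inside the window and cap its runtime at the remaining seconds.
renew_in_window() {
    left=$(seconds_left "$(date +%w)" "$(date +%H:%M)")
    if [ "$left" -le 0 ]; then
        echo "outside firewall window, not renewing" >&2
        return 1
    fi
    timeout "$left" "$ACME" --cron --home /root/.acme.sh
}
```

acme.sh only attempts a renewal when a certificate is close to its renewal threshold, so a run that fails inside one window is simply retried in the next week's window.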

Would that make it so right here?

Rule 1
All GeoIP regions are allowed to connect to the DMZ (Orange) via TCP on Friday between 01:00 - 01:15.

2nd rule
Everyone from RED is allowed to connect to the Nextcloud server via port 80 (TCP) on Friday between 01:00 - 01:15.

3rd rule
All packets from IP addresses from the forbidden regions (except DE) will be dropped if they have the destination DMZ (Orange).

4th rule
Everything from RED on Port 443 will be forwarded to the IP of the NextCloud server.

I am not sure. It seems you will have a problem with the second rule because the packet will not originate from the RED interface.

I checked with my configuration:
I use only one (not two) rule for this.
I made a Service group which consists of HTTP/HTTPS.
In the Protocol section use this Service Group (HTTP —> Port 80 / HTTPS —> Port 443) so I do not need to worry about these two in this timeframe.

Please test the rule (without Time Constraints) to see if everything works before relying on it (and then check once in a while too :wink: )

I have adjusted it again.

Rule 1
All GeoIP regions are allowed to connect to NextCloud Server (Orange) via “Web-Protokoll” (HTTP/HTTPS) on Friday between 01:00 - 01:15.

Rule 2
All packets from IP addresses from the forbidden regions (except DE) will be dropped if they have the destination DMZ (Orange).

Rule 3
Everything from RED on Port 443 will be forwarded to the IP of the NextCloud server.

I have also just tested the rules once and they work.
Now I just have to set up acme.sh on my Nextcloud server and test it with prior adjustment of the time window, of course.

Many thanks for your support

One last thing: you should alter the second rule's Destination to Any Network.

With this configuration you only block “GeoIP - unzulässige Regionen” if they are going to Orange.
I would expect that “GeoIP - unzulässige Regionen” should not be allowed to try to connect to GREEN either, or BLUE if you have it in your setup.