I have an LXC container with nginx handling some Let’s Encrypt certificates for me.
But the HTTP Sentinel honeypot is interfering with the renewal of the certificates. How can I turn the honeypot off and on from the CLI?
I would like to create a cron task that will disable the honeypot, do the certificate renewal and turn the honeypot back on again.
See here, this was discussed already: Dynamic firewall blocks Let's Encrypt renewals
And here is a workaround:
Let's Encrypt servers are blocked since Turris OS 7.1 - #18 by joachimesque
You may also use acme.sh, so there is no need for port 80 and verification is via DNS.
Also, there was a discussion somewhere that you may need to add the Let's Encrypt hosts to the DynFirewall whitelist (added in some earlier version), if you prefer to use HTTP verification.
Thank you, but this is not an answer to what I’ve asked.
As mentioned above, I already know the honeypot is in the way and I can just turn it off manually, but I want to do it programmatically.
Whitelisting LE IPs is not an option.
But it led me to some config, so I wrote a script to do it anyway:
#!/bin/bash
set -euo pipefail

# Toggle the Sentinel dynamic firewall (the honeypot-fed blocklist) via UCI
# and restart the firewall so the change takes effect.
sentinel_dynfw() {
    uci set firewall.@defaults[0].sentinel_dynfw="$1"
    uci commit firewall
    /etc/init.d/firewall restart
}

# Re-enable on any exit (including a failed renewal under set -e), so the
# firewall is never left disabled.
trap 'sentinel_dynfw 1; echo "[+] Firewall re-enabled and restarted."' EXIT

sentinel_dynfw 0
echo "[+] Sentinel Dynamic Firewall disabled and firewall restarted."

echo "[*] Renewing certificates inside LXC container 'nginx'..."
lxc-attach -n nginx -- certbot renew
echo "[+] Certificate renewal complete."
system closed this topic on May 2, 2025, 11:49am.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.