Dynamic firewall blocks Let's Encrypt renewals

anarcat · March 23, 2022, 6:01pm

It seems Turris’ “dynamic firewall” tends to block let’s encrypt servers altogether. This was previously reported here:

and here:

… neither of which were solved in any satisfactory way. The first answer just showed how to list the blocked IPs and the second one doesn’t really have an answer other than “disable SYN-flood protection”.

In my case, I figured the problem was the dynamic firewall and I completely disabled it. This was discussed within the Let’s Encrypt forum here:

… but I think the Turris community should avoid triggering bans on Let’s Encrypt, as it’s not an attacker.

Could something be done upstream so that security protections could be enabled without breaking TLS certificate renewals?

Thanks

miska · March 28, 2022, 11:21am

Yes, we will take look into it.

It’s tricky as AFAIK Let’s Encrypt tries to access the web sites from multiple locations/IPs so we can’t simply put them on the white list. But we should be able to recognize by accessed URL that it is acme challenge and ignore it in our honeypots…

anarcat · March 28, 2022, 1:01pm

you won’t have access to the URL for targets behind the router, so that won’t work.

i suggest talking with the let’s encrypt engineers if you can, it might be worth getting some higher-level contacts here.

miska · March 29, 2022, 8:12am

I will have access to the url when they get trapped in our honeypots and them getting trapped in our honeypots is why they are ending up on our greylist.

tac2 · March 29, 2022, 6:40pm

Another way around this is to use dns challange for renewals for certs?

But shure, it will not solve the blocking issue.
But may be useful

vcunat · March 29, 2022, 6:53pm

Maybe I’m missing something, but how would you enforce that noone with honeypots will attempt a (misconfigured) http-based ACME?

tac2 · March 29, 2022, 7:47pm

Sorry, I was just try to help in solving the cert renewal issue, not the fw issue.

This was not as a solution for the fw blocking, it was a ide how to make the renewals work by other means.

But perhaps I got everything backwards

anarcat · October 19, 2022, 1:49pm

Any news on this front? I still have this disabled, as far as I can remember.

The_ERROR · November 25, 2022, 10:32am

Is there some way of temporary disabling dynFW, do renew and than reeanble it again?

beda · March 24, 2023, 11:10am

Just my +1 that I have been just bitten by this problem. It cost me an hour to find out what the culprit could be. After disabling the dynamic firewall by changing option sentinel_dynfw '1' to '0' for the wan zone in /etc/config/firewall, I was able to renew all the certificates.

I am not turning it back on again

czlada · March 29, 2023, 5:45am

here is a very nice guide on how to automate this

hagrid · March 29, 2023, 9:46am

And why not just use DNS validation?

opkg update
opkg install acme acme-dnsapi luci-app-acme

/etc/config/acme

config acme
        option state_dir '/etc/acme'
        option account_email 'name.surname@example.com'
        option debug '0'

config cert 'main'
        option keylength 'ec-256'
        list domains 'router.example.com'    # subjectName
        list domains 'srv1.example.com'    # subjectAltName
        list domains 'srv2.example.com'    # subjectAltName
        option enabled '1'
        option validation_method 'dns'
        option dns 'dns_<provider>'   # see https://github.com/acmesh-official/acme.sh/wiki/dnsapi for list of options
        list credentials '<XX>_Username="<username>"'
        list credentials '<XX>_Password="<password>"'
        option use_staging '0'

I use this for lighttpd configured as a reverse proxy for LXC containers running on the router.