Dynamic firewall blocks Let's Encrypt renewals

Software SW help
1

It seems Turris’ “dynamic firewall” tends to block let’s encrypt servers altogether. This was previously reported here:

and here:

… neither of which were solved in any satisfactory way. The first answer just showed how to list the blocked IPs and the second one doesn’t really have an answer other than “disable SYN-flood protection”.

In my case, I figured the problem was the dynamic firewall and I completely disabled it. This was discussed within the Let’s Encrypt forum here:

… but I think the Turris community should avoid triggering bans on Let’s Encrypt, as it’s not an attacker.

Could something be done upstream so that security protections could be enabled without breaking TLS certificate renewals?

Thanks

5 Likes
2

Yes, we will take look into it.

It’s tricky as AFAIK Let’s Encrypt tries to access the web sites from multiple locations/IPs so we can’t simply put them on the white list. But we should be able to recognize by accessed URL that it is acme challenge and ignore it in our honeypots…

2 Likes
3

you won’t have access to the URL for targets behind the router, so that won’t work.

i suggest talking with the let’s encrypt engineers if you can, it might be worth getting some higher-level contacts here.

4

I will have access to the url when they get trapped in our honeypots and them getting trapped in our honeypots is why they are ending up on our greylist.

5

Another way around this is to use dns challange for renewals for certs?

But shure, it will not solve the blocking issue.
But may be useful

6

Maybe I’m missing something, but how would you enforce that noone with honeypots will attempt a (misconfigured) http-based ACME?

7

Sorry, I was just try to help in solving the cert renewal issue, not the fw issue.

This was not as a solution for the fw blocking, it was a ide how to make the renewals work by other means.

But perhaps I got everything backwards

8

Any news on this front? I still have this disabled, as far as I can remember. :slight_smile:

9

Is there some way of temporary disabling dynFW, do renew and than reeanble it again?

10

Just my +1 that I have been just bitten by this problem. It cost me an hour to find out what the culprit could be. After disabling the dynamic firewall by changing option sentinel_dynfw '1' to '0' for the wan zone in /etc/config/firewall, I was able to renew all the certificates.

I am not turning it back on again :wink:

1 Like
11

here is a very nice guide on how to automate this

12

And why not just use DNS validation?

opkg update
opkg install acme acme-dnsapi luci-app-acme

/etc/config/acme

config acme
        option state_dir '/etc/acme'
        option account_email 'name.surname@example.com'
        option debug '0'

config cert 'main'
        option keylength 'ec-256'
        list domains 'router.example.com'    # subjectName
        list domains 'srv1.example.com'    # subjectAltName
        list domains 'srv2.example.com'    # subjectAltName
        option enabled '1'
        option validation_method 'dns'
        option dns 'dns_<provider>'   # see https://github.com/acmesh-official/acme.sh/wiki/dnsapi for list of options
        list credentials '<XX>_Username="<username>"'
        list credentials '<XX>_Password="<password>"'
        option use_staging '0'

I use this for lighttpd configured as a reverse proxy for LXC containers running on the router.

1 Like
13

This seems to be happening again. My workaround is to add the following custom firewall rules:

# Bypass Sentinel blocking Let's Encrypt
iptables -I zone_wan_input 1 -p tcp --dport 80 -j ACCEPT
iptables -I zone_wan_forward 1 -p tcp --dport 80 -j ACCEPT

Obviously this is not ideal as it bypasses all firewall rules, but in my case I don’t really have anything else exposed on port 80, except ACME http-01 challenges.

14

Still problematic :frowning: The machine for the certificates is further down the food chain behind a port forwarding rule. Letsencrypt certificates fail. There should be something more elegant than removing the dynamic firewall from the packages, rebooting the router, renew the certificate, enabling the package again and rebooting the router once more.

I’d hope for service stop something, but I have little clue about the role of the various parts of the sentinel services and which can be safely stopped and restarted. Ideally the sentinel service would be smart enough to allow the letsencrypt hosts. Second best is a simple control to disable and enable the dynamic firewall from the UI (without rebooting the router). Third a commandline version of this and last the current state :frowning: