fixate on what you think you know… you’re missing what you don’t though.

  • 0 Posts
  • 17 Comments
Joined 3 years ago
Cake day: May 7th, 2023
  • qprimed@lemmy.mltoSelfhosted@lemmy.worldNeed help figuring out how to write Let's Encrypt ACME servers into banIP allowlist (OpenWrt)English
    2·
    3 days ago

    agreed. you are using DNS-01 challenges. so the workflow is…

    your local certbot machine initiates an https connection to the letsencrypt servers to start the DNS-01 challenge. during this HTTPS dialog, your local certbot is informed of the key material to insert into your DNS records. your local certbot then modifies your netcup DNS server (hosted remotely, not on your local network) with the keying material and the letsencrypt servers verify that the keys are actually there, proving that you control the domain. the letsencrypt serves then issue you the certificate (again, via HTTPS) and your local certbot stores it in your local host.

    the issue is most likely stems from the initial HTTPS connection that certbot tries to make to the let’s encrypt servers. while your firewall allows this traffic out, it does not allow return traffic back in because of your explicit blocking of US (and perhaps other) based addresses.

    even through your are using DNS for your domain autentocation, your local host - the machine running certbot - is unable to initiate the certificate transfer because of the firewall blocking return traffic.

    the two external networks (and, therefore IP ranges/subnets/etc) that are important here are the let’s encrypt servers and the netcup DNS servers. certbot will have to talk to both of these in order to function.

  • qprimed@lemmy.mltoSelfhosted@lemmy.worldNeed help figuring out how to write Let's Encrypt ACME servers into banIP allowlist (OpenWrt)English
    1·
    3 days ago

    not sure what you mean by external DNS

    not hosting your own DNS server. specifically it sounds like your DNS server is hosted on your domain provider, not your own local network. you have set up certbot to automatically configure your remotely hosted DNS server for the DNS based renewal.

    if DNS based recert was working before then it should be working now.

    as I said in my edit, you are likely blocking the return https traffic from the US based let’s encrypt acme servers - so your initial diagnostic is correct. your local firewall is likely stopping the acme servers from talking back to your local host.

    you are right back where you started, asking for info in how to allow-list the acme IP ranges. but at least we may now know why it is not working and you are seeing an https timeout even though you are using DNS based certificate renewals.

    edit: typos

  • qprimed@lemmy.mltoSelfhosted@lemmy.worldNeed help figuring out how to write Let's Encrypt ACME servers into banIP allowlist (OpenWrt)English
    3·
    3 days ago

    The DNS server/root isn’t in my home network

    are you using external DNS hosting? is it in a (now) blocked country? if so, then your local certbot is unable to update the DNS server records (return traffic from your DNS host is being blocked by your iptables/nftables config).

    error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45)

    yeah, that would suggest an https renewal method. had you previously configured web server renewal at all before switching over to DNS? any other suspicious notifications in the logs?

    edit: in thinking about this a little more… the renewal has to be initiated by your host, and that is likely done via https (you talk https to the acme server and tell it you want a renewal by DNS). so, if you are blocking the acme servers then the same issue applies - no return traffic.

  • qprimed@lemmy.mltoSelfhosted@lemmy.worldHelp me selfhosted, I'm in over my head!English
    3·
    1 year ago

    depending on specs it will be a little power hungry, but a good virtualization platform.

    yes, the power supplies are likely redundant and the server will complain if they are not both powered.

    it will use a VGA connection, but you should be ale to find cheap VGA monitors or cheap adapters.

    RAID controllerfor those drives? how many processors and cores? how much RAM? what OS are you planning on running on it? iDRAC included? (if so, likely idrac6, but still usable)

    this hardware is very well supported by linux - I have used these older servers extensively. your boss was right to be excited for you. its a great exploration platform that you will be able to do lots of things with.

    fire up a live linux distro and get detailed specs on the box - that will guide what you can play with right away.

  • qprimed@lemmy.mltoSelfhosted@lemmy.worldStuck on Let's Encrypt certificate issuance due to firewall issue even after opening necessary portsEnglish
    3·
    2 years ago

    if you are able to run a public web server, then certificate issuance via certbot http challenge works pretty well. the web server can serve a really simple static page with little to nothing on it - but of course its another potential vector into your network.

    if your public domain DNS makes use of a supported dns provider or you run your own publically accessible dns server, then dns certbot challenges are great and more flexible than http.

    others may suggest neat work arounds for the http challenge issue, but if you have access to a supported dns service I would look at that option. certbot has helpers for quite a few public services as well as support for self hosted dns servers. I run my own public dns servers, so thats the option I chose and use certbot hooks, cron and bash scripts to rsync the updated carts to the propr hosts for the various services I run privately and publicly.