Certify the Web - anyone being blocked?
-
I'm using Certify The Web for our SSL certificates. I noticed the certificates weren't being renewed and the error would simply say that it couldn't verify our site. We tried DNS verification as well as HTTP verification. Nothing worked. We hired someone to help us resolve this and they couldn't figure it out either.
Eventually they said it has to be pfSense blocking the traffic for some reason. I tried to get a list of IPs from the folks at Certify The Web, but they said they don't release that information. Their website says they need access to port 80, which of course is no problem. Having been unable to find another resolution, I bypassed pfSense for a minute and, sure enough, everything worked just perfectly. So we've confirmed that pfSense is blocking the traffic, but we don't know how or why.
I had tried watching the logs while attempting a renewal, thinking I might see something, but I don't really know what I'm looking for. Of course I saw a bunch of blocked IPs trying to connect to that IP, but that's endless as always. Without knowing their IP, and knowing they want port 80, I'm not sure what to do next. Suggestions?
Anyone else using Certify The Web that knows what's required here?
-
@cdsJerry This has nothing to do with Certify The Web or any other particular ACME client. It most likely is caused by geo-blocking traffic destined for your Certify The Web instance on port 80.
You must choose between that practice and using Let's Encrypt CA certificates obtained via an HTTP-01 challenge. (Note that an ALPN-01 challenge would also be impacted by any similar geo-blocking on port 443.)
The documentation at the following links explains further.
Multi-Perspective Validation Improves Domain Validation Security
-
@LinkP I'm not running any geo-blocker. I used to run pfBlocker but we had so many problems with it blocking our credit card transactions and reports that we ended up turning the services off in pfSense, which solved all those problems. I really liked the idea of blocking countries with the most attacks against the server as we're a one-country kind of business but the reality is that blocking almost any country causes problems.
-
We found a work-around. We had tried doing DNS verification, but it kept failing. It turns out that Certify The Web had created a DNS entry but then just left it there. So when it came back to renew, it was creating a new entry but reading the old one. We deleted all their DNS entries (37 of them) and it passed. So we won't need to do the HTTP verification, which means we don't need it to find its way past pfSense.
While this doesn't solve the pfSense question, it does solve our problem so I'm going to move on. Thanks for the help.
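Added example, not code from the thread, from Certify The Web or from Let's Encrypt: a stand-alone Python model of the two challenge types discussed above. It computes the real ACME values (the RFC 8555 key authorization for HTTP-01 and the RFC 8555 TXT value for DNS-01, both built on the RFC 7638 account-key thumbprint), then runs HTTP-01 through a set of CA vantage points against an origin whose firewall drops port 80 from some countries, which is the failure mode LinkP describes. It also shows the check behind the work-around in the last post: which `_acme-challenge` TXT records are leftovers that do not match the current challenge. The account key, token, domain, vantage-point labels and the quorum rule are all constructed assumptions of the model, not Let's Encrypt's infrastructure or exact policy.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, keys sorted,
    no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the ACME account key.
    HTTP-01 serves this string verbatim at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)), published as
    a TXT record at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed stand-in for an ACME account key; the modulus is NOT a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": b64url(b"constructed-modulus-for-the-example-only")}

# Constructed CA vantage points: a primary plus remote perspectives, each tagged
# with the country its traffic appears to come from (assumed labels only).
PERSPECTIVES = [("primary", "US"), ("remote-1", "US"), ("remote-2", "DE"), ("remote-3", "SG")]


def make_http_fetch(served: dict, blocked_countries: set):
    """Build a fetch(perspective, url) that behaves like an origin sitting behind
    a firewall with country-based blocking on port 80."""
    def fetch(perspective, url):
        name, country = perspective
        if country in blocked_countries:
            raise ConnectionError(f"{name}: SYN to port 80 dropped by firewall")
        if url not in served:
            raise FileNotFoundError(url)
        return served[url]
    return fetch


def validate_http01(domain, token, account_jwk, fetch, max_remote_failures=1):
    """Multi-perspective HTTP-01 check. The quorum rule (primary must succeed and
    at most `max_remote_failures` remotes may fail) is an assumption of this model,
    not a statement of any CA's exact policy."""
    expected = key_authorization(token, account_jwk)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    results = {}
    for persp in PERSPECTIVES:
        try:
            results[persp[0]] = fetch(persp, url) == expected
        except (ConnectionError, FileNotFoundError):
            results[persp[0]] = False
    remote_failures = sum(1 for name, ok in results.items() if name != "primary" and not ok)
    return results["primary"] and remote_failures <= max_remote_failures, results


def stale_txt_records(existing_txt: list, expected: str) -> list:
    """TXT values at _acme-challenge.<domain> that do not belong to the current
    challenge: leftovers from earlier renewals that the client should delete."""
    return [r for r in existing_txt if r != expected]


def renewal_scenarios(domain="example.com", token="constructed-token"):
    """Run the firewall situations from the thread against the model."""
    ka = key_authorization(token, ACCOUNT_JWK)
    served = {f"http://{domain}/.well-known/acme-challenge/{token}": ka}
    return {
        "open_port_80": validate_http01(domain, token, ACCOUNT_JWK,
                                        make_http_fetch(served, set()))[0],
        "geo_block_DE_SG": validate_http01(domain, token, ACCOUNT_JWK,
                                           make_http_fetch(served, {"DE", "SG"}))[0],
        "block_everything": validate_http01(domain, token, ACCOUNT_JWK,
                                            make_http_fetch(served, {"US", "DE", "SG"}))[0],
    }


if __name__ == "__main__":
    print(renewal_scenarios())
    current = dns01_txt_value("constructed-token", ACCOUNT_JWK)
    print(stale_txt_records(["left-over-1", current, "left-over-2"], current))
```

Two things the model makes concrete. First, a block list that never touches the client's own country can still fail HTTP-01, because the CA fetches the token from several vantage points and the rule that drops the remote ones decides the outcome; since the validation source addresses are not published, the only reliable firewall posture for HTTP-01 is to accept port 80 from any source, at least for the `/.well-known/acme-challenge/` path. Second, DNS-01 needs no inbound port at all, which is why it sidesteps pfSense entirely, but the client must publish the TXT value for the current token and clean up earlier ones, so listing `_acme-challenge` records and removing everything that `stale_txt_records` flags is a sensible first step when DNS-01 keeps failing.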