Feature Idea: scheduled rule for acme.sh certificate process

  • LAYER 8 Moderator

    As I often read concerns about the checking port for LetsEncrypt remaining "open" and available as for the few times when acme.sh is run and for LE to check the domain/server with it I was wondering: could the acme package use "a scheduled rule" for its domain checking? As those time based scheduled rules are AFAIK triggered via cron, how about creating one for the domain checking and enabling/disabling it via schedule or acme package itself? So the rule would only be active just before LE certification process starts, LE servers check in, certificate gets generated and rule will auto-disable itself.

    That way many users' (often unnecessary) concern about leaving the port open would be solved. It also would help against accidental exposure of services that can bind on port 80 while installing (things like wrong or freshly installed haproxy or nginx vhosts etc. etc.) or by accidental configuration.

    Just a thing to think about as I'm not that deep into package building and scheduled rules myself, perhaps there is potential without over complicating the package :)


  • Rebel Alliance Developer Netgate

    I'm sure there is a way but it hasn't been something directly on my todo list for ACME yet.

    If you already have port 80 forwarded somewhere, the easiest thing to do is let ACME glom onto that and use sftp to push the ACME challenge/response files on that web server. HAProxy may also help here.

    If you must do standalone mode, one tactic you can do is to bind standalone mode to a weird port on localhost that nothing else will use. Then set up a NAT rule on WAN without an automatic firewall rule to forward WAN:80 to localhost:yourport. Then set up a schedule to activate a firewall rule for the 15 minute block around when the check will happen.

    In an ideal world, everyone would use DNS validation instead, but...
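    The standalone-mode tactic above, as an added example that is not from this thread or the pfSense ACME package: a wrapper for a plain FreeBSD/pf host that loads the WAN:80 redirect into a pf anchor only while acme.sh runs and flushes it on exit, so the exposure window shrinks from a 15-minute schedule to the challenge itself. The interface name, port, anchor name and the acme.sh standalone flags are assumptions.

```shell
#!/bin/sh
# Added example: hold the WAN:80 -> localhost redirect only while an acme.sh
# standalone issuance runs. Assumes a FreeBSD host whose pf.conf already has
#   rdr-anchor "acme-window"
#   anchor "acme-window"
# so rules loaded into that anchor take effect (not pfSense GUI config).
set -eu

WAN_IF="${WAN_IF:-em0}"          # assumed external interface
LOCAL_PORT="${LOCAL_PORT:-8888}" # "weird" localhost port for the challenge listener
ANCHOR="${ANCHOR:-acme-window}"  # pf anchor holding the temporary rule
PFCTL="${PFCTL:-pfctl}"          # override with a stub (e.g. echo) for a dry run

# Rule text for the anchor: redirect WAN port 80 to the localhost listener and
# pass the redirected traffic. Only printed here; open_window applies it.
pf_rules() {
    wan="$1"; port="$2"
    printf 'rdr pass on %s inet proto tcp from any to (%s) port 80 -> 127.0.0.1 port %s\n' \
        "$wan" "$wan" "$port"
}

# Load the redirect into the anchor (exposure starts here).
open_window() {
    pf_rules "$WAN_IF" "$LOCAL_PORT" | "$PFCTL" -a "$ANCHOR" -f -
}

# Flush the anchor (exposure ends here); also runs from the EXIT trap so a
# failed or interrupted issuance never leaves the redirect behind.
close_window() {
    "$PFCTL" -a "$ANCHOR" -F all
}

main() {
    domain="${1:?usage: $0 <domain>}"
    trap close_window EXIT INT TERM
    open_window
    # Assumed acme.sh options: --httpport selects the standalone listener port,
    # --local-address keeps it on loopback so only the redirect can reach it.
    acme.sh --issue --standalone -d "$domain" \
        --httpport "$LOCAL_PORT" --local-address 127.0.0.1
}

# Run only when explicitly asked, so the functions can be sourced or tested.
if [ "${ACME_WINDOW_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it from cron at the renewal time with `ACME_WINDOW_RUN=1`; with `PFCTL=echo` it prints the pfctl invocations instead of applying them.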

  • LAYER 8 Moderator

    @jimp said in Feature Idea: scheduled rule for acme.sh certificate process:

    In an ideal world, everyone would use DNS validation instead, but...

    I'm completely with you in that. Doing that myself even on my home setup (moved the domain to cloudflare for that - very successfully). So much easier with the added perk of providing your own "dynamic" DNS addresses with your own domain, eliminating one more external dependency.

    But the SFTP one is something I have to ponder over, could work for quite a few users that fall under the initial description. Thanks for the reminder 😉