Running Let's Encrypt behind firewall
jkissane
Posts: 15
Joined: 14 Dec 2018 10:32

Running Let's Encrypt behind firewall

Post by jkissane »

We were interested in turning on TLS on our EFA box (latest version). From reading on here, it seems I just needed to enable Let's Encrypt but ran into the problem below as the server is behind a firewall that only allows SMTP traffic through.


Would you like to  Enable  Let's Encrypt? [y/n/c]
y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for efa4.xxxxxx.ie

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: efa4.xxxxxx.ie
  Type:   connection
  Detail: aaa.bbb.ccc.ddd: Fetching http://efa4.xxxxxx.ie/.well-known/acme-challenge/THsxaWzFrLEV_agdoTpOdSMXvTjbS2OkFOCnBOLd5O0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Error running Let's Encrypt, please correct the problem and try again.

I can't see myself ever getting the network guys to allow an HTTP connection to the server, even HTTPS would be a push, so I'm wondering if there is any guide on how to do this manually?

Appreciate any suggestions, thanks!
tochiwa94
Posts: 4
Joined: 22 Aug 2023 16:04

Re: Running Let's Encrypt behind firewall

Post by tochiwa94 »

Check if the ports 80 and 443 are allowed from the firewall to your server with EFA. Mine is working with no problem in this way!
jkissane
Posts: 15
Joined: 14 Dec 2018 10:32

Re: Running Let's Encrypt behind firewall

Post by jkissane »

Thanks for the suggestion, the chances of getting port 80 opened from the outside are zero!

After doing a bit of reading on Postfix, I've enabled TLS manually using the SSL cert I already had for the web interface. It just means an extra step to remember next year when the cert needs to be replaced.
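The manual route described in the post above, as an added example that is not part of this thread or of the EFA project: a small shell script that points Postfix at the existing web-interface certificate, lets you confirm it is served over STARTTLS on port 25, and warns when that certificate is close to expiry so the yearly replacement is not forgotten. It assumes Postfix (postconf), GNU date and openssl are on the box; the CERT and KEY paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Postfix with postconf,
# GNU date (-d) and openssl. CERT/KEY are placeholders for the
# certificate already used by the EFA web interface.
CERT="${CERT:-/path/to/existing/fullchain.pem}"   # placeholder path
KEY="${KEY:-/path/to/existing/privkey.pem}"       # placeholder path

# Point Postfix at the existing certificate and offer STARTTLS
# opportunistically ("may") for inbound (smtpd) and outbound (smtp) mail.
enable_postfix_tls() {
    postconf -e "smtpd_tls_cert_file = $CERT" \
               "smtpd_tls_key_file = $KEY" \
               "smtpd_tls_security_level = may" \
               "smtpd_tls_loglevel = 1" \
               "smtp_tls_security_level = may"
    postfix reload
}

# Show the subject and expiry of the certificate the MTA presents
# after STARTTLS on port 25 (defaults to localhost).
show_smtp_cert() {
    openssl s_client -starttls smtp -connect "${1:-localhost}:25" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -enddate
}

# Whole days from "now" (epoch seconds, default: current time) until the
# date in an openssl "notAfter=..." line; negative once already expired.
days_until() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 2
    now="${2:-$(date -u +%s)}"
    echo $(( (end - now) / 86400 ))
}

# Exit 1 (and warn) when CERT expires within N days (default 30), so a
# cron job can replace the calendar reminder for the manual renewal.
check_cert_expiry() {
    days=$(days_until "$(openssl x509 -noout -enddate -in "$CERT")") || return 2
    if [ "$days" -lt "${1:-30}" ]; then
        echo "WARNING: $CERT expires in $days days" >&2
        return 1
    fi
    echo "$CERT valid for $days more days"
}

# Usage: sh efa-tls.sh enable | check [days] | show [host]
case "${1:-}" in
    enable) enable_postfix_tls ;;
    check)  check_cert_expiry "${2:-30}" ;;
    show)   show_smtp_cert "${2:-localhost}" ;;
esac
```

Run `check` from cron (e.g. weekly) on the EFA box so the warning lands in a mailbox before the certificate lapses.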
leep75
Posts: 12
Joined: 28 Jan 2014 17:48

Re: Running Let's Encrypt behind firewall

Post by leep75 »

I'm in the same boat. I don't have 80 or 443 open to the EFA box (externally), but I am using Let's Encrypt for the internal side. I just put a calendar reminder to open those ports on my firewall, run the Let's Encrypt updater and then turn them back off. Good thing is, I'm a one man shop and I have access to my firewall...