Page 1 of 1

Runng Let's Encrypt behind firewall

Posted: 23 Nov 2023 10:49
by jkissane
We were interested in turning on TLS on our EFA box (latest version). From reading on here, it seems I just needed to enable Let's Encrypt but ran into the problem below as the server is behind a firewall that only allows SMTP traffic through.

Code: Select all

Would you like to  Enable  Let's Encrypt? [y/n/c]
y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for efa4.xxxxxx.ie

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: efa4.xxxxxx.ie
  Type:   connection
  Detail: aaa.bbb.ccc.ddd: Fetching http://efa4.xxxxxx.ie/.well-known/acme-challenge/THsxaWzFrLEV_agdoTpOdSMXvTjbS2OkFOCnBOLd5O0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Error running Let's Encrypt, please correct the problem and try again.
I can't see myself ever getting the network guys to allow a http connection to the server, even https would be a push so wondering if there is any guide on how to do this manually?

Appreciate any suggestions, thanks!

Re: Runng Let's Encrypt behind firewall

Posted: 26 Nov 2023 02:30
by tochiwa94
Check if the ports 80 and 443 are allowed from the firewall to your server with EFA. Mine is working with no problem in this way!

Re: Runng Let's Encrypt behind firewall

Posted: 28 Nov 2023 07:37
by jkissane
Thanks for the suggestion, the chances of getting port 80 opened from the outside are zero!

After doing a bit of reading of postfix, I've enabled TLS manually using the SSL cert I already head for the web interface. Just means an extra step to remember next year when the cert needs to be replaced.

Re: Runng Let's Encrypt behind firewall

Posted: 04 Dec 2023 18:23
by leep75
I'm in the same boat. I don't have 80 or 443 open to the EFA box (externally), but I am using Let's Encrypt for the internal side. I just put a calendar reminder to open those ports on my firewall, run the Let's Encrypt updater and then turn them back off. Good thing is, I'm a one man shop and I have access to my firewall...