I'm hosting a website on a public-facing server. On this website, I'd like to have as-strict-as-possible firewall rules; part of this approach involves whitelisting by port.
I've opened SSH to a few trusted addresses, and I've configured iptables to allow traffic from anywhere on HTTP and HTTPS, but with an overall DROP policy on INPUT.
Now I'm trying to set up Let's Encrypt for a domain which is pointed at that box, but this always hangs until I run iptables --policy INPUT ACCEPT for the duration of the certificate signing.
This is puzzling, since as far as I can tell:
- Proofs are generated in some specified subdirectory of /var/www/
- acme-tiny sends a signing request to letsencrypt.org over HTTPS
- The proofs are fetched over HTTP from that directory by LE's servers
... So the only ports that should need to be open are 80 and 443.
As described above, the script hangs on the very first domain which it tries to get validated (until a timeout occurs) unless I set my global INPUT policy to ACCEPT, which, ideally, I'd like to avoid.
This persists after whitelisting all traffic from letsencrypt.org, acme-staging.api.letsencrypt.org, and acme-v01.api.letsencrypt.org.
What other ports and domains, and on what chains, should I whitelist to allow acme-tiny to have regular access to the LE servers when a renewal is needed?
0 Answers
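An added example, not part of the question or of any answer: a shell function that emits a minimal stateful ruleset in iptables-restore format, keeping the DROP policy on INPUT and the inbound allowances the question describes (SSH from trusted addresses, 80 and 443 from anywhere) while also accepting replies to connections the server itself opens. Without such a conntrack rule, a DROP policy on INPUT discards the responses to the server's own outbound HTTPS requests (such as the one acme-tiny makes to the ACME API), whichever addresses the API resolves to. The trusted SSH addresses are constructed placeholders.

```shell
#!/bin/sh
# Example ruleset generator (added here; not the asker's configuration).
# TRUSTED_SSH is an assumed placeholder list of management addresses
# (constructed RFC 5737 documentation addresses).
TRUSTED_SSH="${TRUSTED_SSH:-192.0.2.10 198.51.100.7}"

# Print the ruleset in iptables-restore format. Nothing is applied
# unless the output is explicitly piped to iptables-restore.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic is needed by many local services.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Accept return traffic for connections this host initiated (and
    # related traffic such as ICMP errors). This is the rule that lets
    # replies to outbound HTTPS requests in despite the DROP policy.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Drop packets that conntrack cannot associate with any connection.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # New SSH connections only from the trusted management addresses.
    for addr in $TRUSTED_SSH; do
        printf '%s\n' "-A INPUT -p tcp -s $addr --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # New HTTP and HTTPS connections from anywhere; port 80 is also what
    # the ACME HTTP validation fetch arrives on.
    printf '%s\n' '-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Returns 0 when the generated ruleset contains the stateful ACCEPT rule,
# i.e. replies to the host's own outbound connections will not be dropped.
has_stateful_rule() {
    gen_rules | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Apply only when explicitly requested and running as root:
#   sh rules.sh --apply
# Otherwise just print the ruleset for review.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```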