VincentL
newbie
Topic Author
Posts: 34
Joined: Fri Feb 03, 2017 3:27 pm

[Let'Encrypt] Allow matched regexp to connect

Mon Nov 29, 2021 10:46 am

Hello,

For one of our customers, we are using an ACL to filter inbound connections to ports 80 and 443. This ACL is renewed every day by a script.
Now, I need to allow IPs from Let's Encrypt to renew the certificate. Connections from Let's Encrypt use this template: http://*/.well-known/acme-challenge/*
I've tried to use the opposite way of method2 and 3 described here (https://www.youtube.com/watch?v=HCL2PdU ... ickTechTut) without success.
So, which is the right way to allow inbound traffic that matches a template?

Thank you for your help,

Vincent
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Let'Encrypt] Allow matched regexp to connect

Mon Nov 29, 2021 10:55 am

Use an address-list for these domains:

acme-v01.api.letsencrypt.org --> deprecated
acme-staging.api.letsencrypt.org --> deprecated
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org

https://letsencrypt.status.io/
Last edited by msatter on Mon Nov 29, 2021 11:04 am, edited 1 time in total.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: [Let'Encrypt] Allow matched regexp to connect

Mon Nov 29, 2021 11:04 am

Not sure if possible. The trick is that in order to get the URL, you need to first allow the whole TCP handshake and only then may you receive the HTTP GET request. The URL is nowhere else before this request.

That means you have to let ALL connections on port 80 be established, until the first HTTP request comes in. Only after that may you decide if you let them continue (from Let's Encrypt) or block (anything else).

Your typical firewall setup isn't good for this. A quick look at the video shows that neither method will be suitable:
- Method 1 is extremely CPU intensive and plain wrong. They shouldn't even mention it.
- Method 2 works only for DNS (so you can match only hostname, not path)
- Method 3 works for encrypted traffic but again, only for hostname, not path.

There might be some complicated way of doing it with counting packets/bytes etc, but I am too lazy to think that much.

An easier approach would be a reverse proxy (e.g. HAProxy, NGINX etc.), which will accept and forward only allowed paths. I personally use a similar approach to split my SSTP/HTTPS traffic from a single port, as well as each HTTPS stream to a separate application server. I run my proxies in Docker on a Raspberry Pi and it works quite well.

edit:
Use an address-list for these domains:
Interesting! This goes directly against the Let's Encrypt FAQ. Are you sure this is the full list of addresses which are sending HTTP validation requests? My understanding is that these addresses are only for clients to submit certificate requests, and then validation may occur from any other IP.

edit2: sorry, I shouldn't edit I guess...
Last edited by vecernik87 on Mon Nov 29, 2021 11:09 am, edited 2 times in total.
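The reverse-proxy idea above (forward only the ACME challenge path, reject everything else) can be shown with a small filtering proxy. The block below is an added example, not code from this thread or from MikroTik; the upstream address `UPSTREAM` and the token length limit are assumptions. The request-target check is exact (no query strings, no extra path segments, no traversal), so the only thing reachable through port 80 while the proxy is in front is the challenge directory.

```python
"""Minimal path-filtering reverse proxy for ACME HTTP-01 (added example, not from the thread).

Only GET /.well-known/acme-challenge/<token> is forwarded to the real web server;
every other request-target gets a 404 without touching the upstream.
"""
import re
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumption: the real web server (the one serving the challenge files) listens here.
UPSTREAM = "http://127.0.0.1:8080"

# ACME (RFC 8555) tokens are base64url; anything outside that charset (".", "/", "?") is rejected.
# The 128-character cap is an assumption chosen to bound request size; real tokens are ~43 chars.
ACME_PATH = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]{1,128})$")


def is_allowed_target(method: str, target: str) -> bool:
    """True only for a GET whose request-target is exactly one ACME challenge file.

    Query strings, extra path segments, absolute-form targets and ".." all fail the
    full-match, so path traversal and "/admin"-style probes never reach the upstream.
    """
    if method != "GET":
        return False
    return ACME_PATH.match(target) is not None


class AcmeOnlyProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        if not is_allowed_target(self.command, self.path):
            # Fail closed: do not reveal whether the upstream exists.
            self.send_error(404)
            return
        try:
            with urllib.request.urlopen(UPSTREAM + self.path, timeout=5) as resp:
                body = resp.read()
                self.send_response(resp.status)
                self.send_header("Content-Type", resp.headers.get("Content-Type", "text/plain"))
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
        except urllib.error.HTTPError as e:
            self.send_error(e.code)          # upstream said 404 etc.; pass it through
        except urllib.error.URLError:
            self.send_error(502)             # upstream unreachable

    def log_message(self, fmt, *args):
        # Keep a one-line access log so rejected probes are visible to the operator.
        print("%s %s" % (self.address_string(), fmt % args))


if __name__ == "__main__":
    # Bind the proxy on the port the firewall lets through; the upstream stays private.
    ThreadingHTTPServer(("0.0.0.0", 80), AcmeOnlyProxy).serve_forever()
```

Run it in front of the web server that writes the challenge files, and leave port 80 open only to this process; the proxy, not the router, becomes the place where the path decision is made, which is exactly what the router cannot do before the TCP handshake completes.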
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Let'Encrypt] Allow matched regexp to connect

Mon Nov 29, 2021 11:07 am

Why use L7 when the IP addresses are available through DNS?
 
VincentL
newbie
Topic Author
Posts: 34
Joined: Fri Feb 03, 2017 3:27 pm

Re: [Let'Encrypt] Allow matched regexp to connect

Mon Nov 29, 2021 11:28 am

Hello,

Thanks for your replies.
@msatter: I've tried with these URLs without success because these are for requests. As far as I understand, replies to requests come from multiple IP addresses which are not published by Let's Encrypt (https://letsencrypt.org/docs/faq/#what- ... web-server).
@vecernik87 : I can't use a reverse proxy for the moment.

I'll have to do it manually by disabling the ACL, or, at least, schedule it with Scheduler in MKT and Crontab.

Thanks again,

Vincent
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Let'Encrypt] Allow matched regexp to connect

Mon Nov 29, 2021 11:57 am

Not many people know that if you also use IPv6 then you also have to populate the IPv6 address-list.

Letsencrypt uses outbound servers (only IPv4) to check the challenge:

outbound1.letsencrypt.org
outbound2.letsencrypt.org

https://community.letsencrypt.org/t/whi ... ion/115842
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: [Let'Encrypt] Allow matched regexp to connect

Mon Nov 29, 2021 2:32 pm

That is a good link actually. It again says that HTTP validation can come from any IP and there is no guaranteed list. However, one of the replies suggests updating the firewall with --pre-hook and --post-hook, which should easily work with MikroTik.

Or use DNS challenge if possible. (I went this way)
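The --pre-hook/--post-hook approach mentioned above, opening the firewall only for the duration of the renewal, can be done with one small hook script. This is an added example, not code from the thread or from MikroTik or certbot; it assumes certbot as the ACME client, SSH key access to the router at the address in `ACME_ROUTER`, and a pre-existing, normally disabled accept rule for tcp/80 tagged `comment="acme-http01"` in both the IPv4 and the IPv6 filter chain (the IPv6 half is the point msatter raised). The same script serves both hooks; the phase is the first argument.

```python
#!/usr/bin/env python3
"""certbot pre/post-hook that toggles a RouterOS accept rule (added example, not from the thread).

Assumed usage:
  certbot renew --pre-hook  "/usr/local/bin/acme_fw_hook.py pre" \
                --post-hook "/usr/local/bin/acme_fw_hook.py post"

Assumptions: a disabled accept rule with comment="acme-http01" exists in
/ip firewall filter and /ipv6 firewall filter, placed before the drop rule,
and the host running certbot has key-based SSH access to the router.
"""
import os
import subprocess
import sys

# Assumption: router reachable as this SSH target (documentation address, not a real router).
ROUTER = os.environ.get("ACME_ROUTER", "admin@192.0.2.1")
RULE_COMMENT = "acme-http01"


def routeros_commands(phase):
    """Return the RouterOS CLI commands for a hook phase.

    'pre'  -> enable the accept rule in both IPv4 and IPv6 filters
    'post' -> disable it again, so the window is open only during the challenge
    """
    actions = {"pre": "enable", "post": "disable"}
    if phase not in actions:
        raise ValueError("phase must be 'pre' or 'post', got %r" % (phase,))
    action = actions[phase]
    return [
        '/ip firewall filter %s [find comment="%s"]' % (action, RULE_COMMENT),
        '/ipv6 firewall filter %s [find comment="%s"]' % (action, RULE_COMMENT),
    ]


def run_hook(phase, dry_run=False):
    """Execute each command over SSH; return the argv lists used (for inspection/testing).

    BatchMode=yes makes ssh fail instead of prompting, so a missing key surfaces as a
    non-zero exit that certbot reports rather than a hung renewal.
    """
    executed = []
    for cmd in routeros_commands(phase):
        argv = ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10", ROUTER, cmd]
        executed.append(argv)
        if dry_run:
            print("DRY-RUN:", " ".join(argv))
        else:
            subprocess.run(argv, check=True)
    return executed


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: acme_fw_hook.py pre|post [--dry-run]")
    run_hook(sys.argv[1], dry_run="--dry-run" in sys.argv[2:])
```

Because the post-hook runs after the renewal attempt whether or not it succeeded, the rule is closed again even on a failed validation; the router never needs to know Let's Encrypt's validator addresses, which is the gap the FAQ link in this thread points out.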
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Let'Encrypt] Allow matched regexp to connect

Tue Nov 30, 2021 10:18 pm

I also went to DNS because then, you only get a wildcard.
