Recently I’ve installed luci-app-banip on my OpenWrt router and blocked most countries from accessing my services on my network. Not seeing why I would want any of that traffic I also blocked the whole of the ARIN registry, responsible for IP addresses from Canada and the United States.
Edit: Note this is only for inbound traffic. Outbound traffic is allowed no matter the target country.
Fast forward a few weeks and my certbot renewals fail with the following error: Failed to renew certificate enter.domain.here with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Confused af I start looking for solutions and as so often only find useless or completely ridiulous solutions (lowering my MTU to 1300, what? WHY?). Finally I find some enlighted figure that says they recently enabled a blocklist for certain countries and that was the issue for them.
Now I make the connection to my use of banIP, re-allow the USA and my cert renewals start working again. Hooray!
However, there are two things bothering me:
- Why would such a block even interrupt my renewals? I’m using DNS challenges and the ACME servers should only check the DNS entries, not where those entries actually redirect to. The DNS server/root isn’t in my home network, so isn’t affected by any firewall shenanigans I do here.
- How can I make an exception for the Let’s Encrypt ACME servers while blocking the rest of the ARIN IP space?
I see there’s the option for ASN selection and external allowlists:
Does anybody have an idea on how to configure this so that Let’s Encrypt continues to work without compromising on my network security?
(Edit: And just for clarity, I do not live in the US or anywhere on the American continent.)
Outbound traffic has never been blocked, so it’s not a matter of me or my “certificate manager” being able to reach Let’s Encrypt.