Block a country but allow a specific domain from that country

[tricky1024]

I am having an issue in that I block the US and would like to use lets encrypt auto certificate renewals and unless I allow the US back through I cannot renew. LetsEncrypt have said their IPs will change but their domain name will remain as follows:

acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org

So I would like to specifically allow just these domains.

[friendly-bits]

Hi!

geoip-shell deals with the system firewall, and that firewall doesn't understand the notion of domain names. It works with IP addresses. Technically, it is possible to periodically resolve certain domain names to IP addresses and add those addresses to trusted IP addresses list in geoip-shell. This has a few problems: DNS resolution is relatively slow, which limits the number of domains it is feasible to resolve; if IP addresses change after the last periodic DNS resolution then you get incorrect IP addresses, so this won't work; if you only need to access the given service (certbot) once in a long while then there is no point to keep an updated ipset with its IP addresses at all times.

So while technically it is possible to implement, I think at least for the case of certbot, a better solution is to use its built-in feature of pre-hook and post-hook scripts. German-speaking users of geoip-shell came up with this solution here. If you don't speak German, Google Translate seems to translate the text to English pretty well.

[tricky1024]

so yes the IP's are loaded and look ok, the cert renewal is actually working but i need to test more.
I would be happy with this method to allow domain names and it could be good generally to have this feature as i know i could use it to even further lock down the machines. thank you again for looking at this so quickly

[friendly-bits]

the cert renewal is actually working

I wonder what changed since you wrote above that certbot was still failing?

[friendly-bits]

Also I thought that Docker could only use iptables? Are you using both iptables and nftables rules on the same machine?

[tricky1024]

not sure what changed if anything, i was have some issues in NPM but they are resolved and it seems ok for the moment, i will still go through and test but everything is up to date for the moment, i might created a few rouge hosts to further test. no just nftables, i was not aware of that either and yet it does block correctly. ill do some research on this, i only use inbound rules.

[tricky1024]

ok its not working, more digging has found the servers used by Lets Encrypt are actually cloudflare proxies and not the source boxes, so my guess is the IP lookup is one IP and the other is cloudflare. i need to find another way, i might use DNS instead but would love a way to make this easier.