IP’s or fqdn required on firewall for nextcloud cert updates

I’ve noticed that my nextcloud cert doesn’t update on the helm unless I open up the inbound from internet firewall rules I have in place at my network edge. I’m assuming some cert renewal service needs visibility to the nextcloud service on the helm which necessitates exposing it.
Would like to know the fqdn(s) or ip’s I should allow access from to enable cert renewals.
@helm_community

I use a vpn whenever I’m off the local network and don’t require the nextcloud service be open to internet for remote access to it.

The only inbound rule I have for my Helm is 9443.

What source addresses do you allow inbound access via 9443?

Any. 9443 is the port used to access the file service.

Yes. I’m asking if anyone is aware of the ip’s to allow from the internet for the purpose of cert renewal.
I don’t allow access from the internet to my helm file server and would prefer to keep it that was as I can access it remotely thanks to my VPN.

Not sure why it would be a requirement for cert renewal. I had no issues with internal access before opening outside. If it really is, open 9443 and capture the traffic to see.

When renewing a cert, it’s common for one of the methods used to verify an admin owns the domain they claim is http verification.
The CA provides a key to the admin(server) requesting renewal. By exposing a file containing the key via http on the server requesting the certificate renewal, the CA can verify the person owns the domain. If the server is not exposed to the internet, the CA can not see the file to verify it… hence my assumption that this is the root cause of my issue.

What we are talking about appears to be two very different things: I am not having issues with internal access. I’m having issues with the cert not being renewed because my file server is not exposed to the internet so that the process I just described can take place.

None of the challenge types work over 9443 (https://letsencrypt.org/docs/challenge-types/). Since 9443 is the only thing I have open, and even before I opened 9443 I was able to access my device internally with a valid certificate, any challenge must not be going to “files.xxx.xxx”.

1 Like

What version is your certificate software? I know they had issues a while back with certificate renewal that required me to reboot my device.

EDIT:
This is the text of a response I received from Helm back August…

Hi -

We’re working on a fix for this right - there’s a workaround which is to reboot your Helm and it will fetch a new certificate.

Thanks,
Cassidy

That’s great information @KGMe, thanks!
My files server seems to have run into another issue, it’s rejecting connection attempts rather than throwing a certificate error after a reboot. I’m waiting to hear back from support.

1 Like

Ouch! Hope they can get you fixed quick!