opnSense Table Entries Full
We have some servers which use LetsEncrypt, but are blocked by our firewalls from being accessed by anyone outside the US. We have a rule in the firewall that we can turn on, run certbot renew, then turn off. It simply drops the protection from the servers.
For the past week, one of our technicians – who has done this a bunch of times – could not get it to work. She escalated it to me. I won't go through the troubleshooting steps, but you can imagine. Bottom line was, the server was not reachable from the authenticator site.
Finally, I found https://letsdebug.net/, specifically designed to find issues like this (for letsencrypt only) and tested our server with them. They found there was absolutely no connection to the server, while I was easily accessing it from my workstation. My thought: Firewall.
I turned off all firewalls on the server, turned the one on the router off and on, still same issue.
Finally, I noticed that when I went into Firewall | Aliases on the router, the Current Tables Entries was at 97%. Did a little research, then went into Firewall | Settings | Advanced and modified the following entries. Values in parentheses are the original ones:
- Firewall Maximum States: 1000000 (814000)
- Firewall Maximum Table Entries: 1500000 (1000000)
Went back to Firewall | Aliases and my tables were now at 52% (it was the Firewall Maximum Table Entries). Turned the “let everyone in” rule on and https://letsdebug.net showed green. Ran certbot renew and all was well.
Note that I have 8G of RAM total on these routers, and increasing the entries isn't even showing up on that. Memory is still sitting at 15%.
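The same "Current Tables Entries" gauge can be checked from the shell so a nearly full table pool is caught before a rule silently stops working. This is an added example, not from the original post: it assumes a FreeBSD/opnSense host where `pfctl -sm` prints the `table-entries hard limit` line and `pfctl -vvsT` prints an `Addresses:` count per table, and falls back to constructed sample output (97% full, as in the write-up) when `pfctl` is not present.

```shell
#!/bin/sh
# Added example: report pf table-entry utilization against the
# "Firewall Maximum Table Entries" limit. Assumption: output formats
# of `pfctl -sm` and `pfctl -vvsT` as shown in the constructed samples.

# Pull the table-entries hard limit out of `pfctl -sm` output.
parse_table_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $NF }'
}

# Sum the "Addresses: N" line of every table in `pfctl -vvsT` output.
parse_table_used() {
    awk '$1 == "Addresses:" { total += $2 } END { print total + 0 }'
}

# Integer percentage used (what the Aliases page shows as the gauge).
table_util_pct() {
    used=$1; limit=$2
    [ "$limit" -gt 0 ] || { echo 0; return 1; }
    echo $(( used * 100 / limit ))
}

# Print utilization; non-zero exit once the pool is 90% or more full.
check_tables() {
    limit=$(printf '%s\n' "$1" | parse_table_limit)
    used=$(printf '%s\n' "$2" | parse_table_used)
    pct=$(table_util_pct "$used" "$limit")
    echo "table entries: $used / $limit ($pct%)"
    [ "$pct" -lt 90 ]
}

# Constructed sample output (stand-in for the live commands).
SAMPLE_SM='states        hard limit   814000
src-nodes     hard limit   814000
frags         hard limit     5000
table-entries hard limit  1000000'
SAMPLE_TABLES='--a-r--  GeoIP_US
    Addresses:   950000
--a-r--  bogons
    Addresses:   20000'

if command -v pfctl >/dev/null 2>&1; then
    check_tables "$(pfctl -sm)" "$(pfctl -vvsT)" \
        || echo "warning: raise Firewall Maximum Table Entries"
else
    check_tables "$SAMPLE_SM" "$SAMPLE_TABLES" \
        || echo "warning: raise Firewall Maximum Table Entries"
fi
```

Run it from cron on the router to get a warning line before the pool fills; raising the limit (as done above, 1000000 to 1500000) drops the sample from 97% to 64%.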
URLs that helped me are: