Hello,
DoH is blocked by our corporate firewall and acme.sh doesn't work anymore for me. Is there any option to not use DoH? I'm using acme.sh --issue --dns dns_gd -d
You should contact your IT and request that they allow you a DMZ if issuing a cert is a critical component of your app.
Try with "--dnssleep 300"
That fixed it for me! Thanks! Do you mind elaborating on why a sleep prevents the DoH call?
It would be much better to have an option to disable DoH in the acme.sh file.
A LOT of corporations block DoH.
A lot of ISPs block DoH. No, not all of them to spy on users; mostly to protect them from malware and the like.
DoH is evil and backwards when forced upon you. Yes, by all means make it optional for those who live in repressed countries whose ISPs do spy on them, but come on, let's be realistic here: the only people benefiting from DoH are Cloudflare and Google, WHO LOG your requests ANYWAY. Cloudflare's initial post on it even said so, albeit for 30 days.
@Ressy66 I use DoH/DoT just fine and never even touch Cloudflare or Google for it.
There are many other alternatives.
We have ZERO intentions of using DoH. In a perfect world with no scammers and malware it wouldn't matter, but we are far from a perfect world and need to intercept domains to protect our users, and we always will.
In this country DoH is a backwards step in privacy. We have strong privacy laws already; even with our metadata retention law, it explicitly forbids DNS and web traffic.
Doesn't matter any more after Neil's terse comment. He makes it clear we need to seek an alternative method for updating LE certs now, since he doesn't care what his users think.
You know you can even run your own DoH endpoint that your users connect to.
You can also disable it for all the users in your network.
And if you read the comment above, you would also know how to disable it for acme.sh.
The fact that you don't seem to know any of these things is more of a sign of you being a troll than a responsible security person.
For anyone who sees this thread in the future:
Using --dnssleep 120 is the way, and the only way, to disable DoH checks.
We need to know how long we have to wait before we can continue to get the cert.
We have two ways: 1. we check the DNS records with DoH checks, or 2. we just use a fixed --dnssleep 120 wait time.
"The fact that you don't seem to know any of these things is more of a sign of you being a troll than a responsible security person"
If you look at it and go "how do I disable DoH?", where does it say that in --help? NOWHERE, smart arse.
And I am not interested in running my own DoH; I made that clear. That does not make me a troll; it does, however, make you one.
plonk
@Ressy66 if the information is not good enough, feel free to open a PR to the readme and CLI help menu.
A better use of your time than complaining when the answer had already been provided in this very ticket.