
I succeeded in using the certbot-nginx plugin.

I know that it is open source and hosted on GitHub.

But I do not have enough skill to analyze this code.

For example:

I have several internal sites which are proxied by nginx. All virtual host configs have the following access restrictions for anonymous access:

allow 192.168.1.0/24;
allow 192.168.0.0/24;
allow 10.88.0.0/16;
allow 127.0.0.1;
# gate1.example.com
allow X.X.X.X;
# gate2.example.com
allow X.X.X.X;
# other gate's
# .......
deny all;

These access restrictions prohibit the Let's Encrypt servers, as well as all other undefined hosts.

But certbot renew --nginx performs the certificate update normally.

How does it work?

Is it secure?

vskubriev

1 Answer


I was asking the same question myself so I did some digging around and here is what I found out:

Certbot mainly uses ports 80 or 443 for the challenges (http-01 and tls-sni-01) to verify domain ownership, as described in the certbot docs:

Under the hood, plugins use one of several ACME protocol challenges to prove you control a domain. The options are http-01 (which uses port 80), tls-sni-01 (port 443) and dns-01 (requiring configuration of a DNS server on port 53, though that’s often not the same machine as your webserver). A few plugins support more than one challenge type, in which case you can choose one with --preferred-challenges.

Looking at the certbot_nginx plugin's implementation of the http-01 challenge, we can see that the plugin edits the nginx configuration to include an additional server block that is used to perform the challenge:

  def _make_server_block(self, achall):
    """Creates a server block for a challenge.
    :param achall: Annotated HTTP-01 challenge
    :type achall:
        :class:`certbot.achallenges.KeyAuthorizationAnnotatedChallenge`
    :param list addrs: addresses of challenged domain
        :class:`list` of type :class:`~nginx.obj.Addr`
    :returns: server block for the challenge host
    :rtype: list
    """
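To illustrate why the allow/deny list in the question does not stop the validation, here is an added example of the mechanism in nginx terms; it is not configuration generated by certbot-nginx (which adds its own challenge block only for the duration of the validation and reverts the change afterwards), and the server name, the 203.0.113.x gateway address, the webroot and the backend address are constructed placeholders:

```nginx
# Added illustration, not certbot's generated config. In nginx, allow/deny
# directives written inside a location replace the ones inherited from the
# server block, so the ACME challenge path can be reachable from anywhere
# while every other path keeps the internal-only restriction.
server {
    listen 80;
    server_name internal.example.com;      # placeholder name

    # Restrictions from the question (gateway address is a placeholder)
    allow 192.168.1.0/24;
    allow 192.168.0.0/24;
    allow 10.88.0.0/16;
    allow 127.0.0.1;
    allow 203.0.113.10;                    # gate1.example.com (placeholder)
    deny  all;

    # Only the challenge path is open to the world, and it serves a static
    # token file: nothing here is proxied to the internal application.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
        root /var/www/acme;                # assumed webroot for challenge files
    }

    # Inherits the server-level allow/deny list above
    location / {
        proxy_pass http://127.0.0.1:8080;  # assumed internal backend
    }
}
```

After a renewal, confirm that the plugin reverted its temporary block and that an address outside the list still receives 403 on `/`, so the only thing ever exposed was the challenge token.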
0x2A
matval