Let's Encrypt Outbound Traffic

qombi · March 18, 2024, 7:39pm

I am using Let's Encrypt HTTP-01 challenge which is working fine. I haven't moved into production yet with it. We have geoblocks for inbound and outbound traffic to specific countries. However all my services are https public facing and we have http redirects that the challenge is setup on, which I am able to use above the geoblocks in place. My question is, am I going to run into trouble with the outbound traffic?

I am aware of the FAQ that states they do not provide a list of IPs or domains to whitelist. I am also aware for validation multipoint is used. My acme agent points to:

{
"0ipZyjlUikk": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

Which all is permitted. I am curious if anyone knows if there are more domain possibilities, and/or if it's possible communication happens outside of the USA on outbound traffic?

Bruce5051 · March 18, 2024, 7:41pm

Hello @qombi, welcome to the Let's Encrypt community.

Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt

And see Let's Encrypt is adding two new remote perspectives for domain validation

Bruce5051 · March 18, 2024, 7:42pm

Also moved from Issuance to Help.

Osiris · March 18, 2024, 7:46pm

How do you mean? For the ACME server? Currently only acme-v02.api.letsencrypt.org is being used. No guarantee for the future though, but it probably would use a similar scheme.

I don't think the ACME server endpoint would change to a location outside the US, but I'm not a member of the LE team, so don't hold me to this statement

Bruce5051 · March 18, 2024, 7:54pm

Also I believe not all of the remote validators are in the USA.

orangepizza · March 18, 2024, 7:56pm

api address is cloudflare anycasted IP currently, so it's unlikely hit by geoblock:

but for inbound(toward your server) there will be vantage points from multiple continents will be required in future (from 2026 iirc?) so you'll need to prepare for it

Osiris · March 18, 2024, 8:03pm

I don't think OP is interested in the validation servers.

Bruce5051 · March 18, 2024, 8:04pm

OK.

mcpherrinm · March 18, 2024, 8:42pm

We may change our API's IP address (outbound from your perspective) in the future. However, a rough current state of the world is:

All our API traffic is to acme-v02.api.letsencrypt.org. This is unlikely to change short to medium term at least.

Some ACME clients also check a certificate's OCSP and/or CRLs for validity. Those checks happen to various domains under o.lencr.org and c.lencr.org. Today that's r3.o.lencr.org, e1.o.lencr.org, r3.c.lencr.org, e1.c.lencr.org. We will soon have additional hostnames for new intermediates that we have just created, but OCSP and CRL hostnames are not yet configured.

qombi · March 21, 2024, 1:45am

Thank you everyone for the responses, very kind to spare the time to help answer my questions!

stbu · March 21, 2024, 9:04am

Will the OCSP hostnames for R10-14 be http://r1{0,1,2,3,4}.o.lencr.org just like it is http://r3.o.lencr.org for R3. Asking for Firewall-Whitelisting...

mcpherrinm · March 21, 2024, 2:01pm

Yes, we will follow the same pattern. If you’re changing things, you probably want to add E5-E9 too, if or when you get certs issued from an ecdsa intermediate.

system · April 20, 2024, 2:02pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.