About Communication IP Address Restrictions

The usage environment has strict policies and the following restrictions, but I would like to use Let's Encrypt:

  • DNS authentication cannot be used
  • It is mandatory to whitelist communication IP addresses within the smallest possible range

I have confirmed that the FAQ says it does not recommend whitelisting source IPs, but is there any way to handle this?

@k-s-01, welcome to the community! :slightly_smiling_face:

If you have such a restricted environment, maybe a public certificate is not the appropriate way to go, rather private certificate management?

4 Likes

Consider using a different certificate authority? Let's Encrypt does not and will not publish its validation IP addresses.

3 Likes

The smallest possible range in this case is: 0.0.0.0/0 and ::/0 :wink:

I don't know if this FAQ about multi-perspective validation is the one you're referring to, but you may want to read it if you haven't.

Some options you might want to explore include:

  • Allowing all traffic but only for the time that renewals are running (with a custom hook in your ACME client that opens up the firewall before validations and closes it again afterward).
  • Using mechanisms other than source IP to determine whether or not the request should be allowed. (So if it's a request during the time that a renewal is running, and the request User Agent says "Let's Encrypt", and the request is for a path under /.well_known/acme-challenge/, then make sure to allow that, but you can still block other requests.)
  • If your policies allow for opening port 53 everywhere even though they don't allow for port 80 everywhere (for whatever reason), then using something like acme-dns can make DNS authentication possible in some cases even if the "main" DNS server is pretty locked down.

But in general, as @bruncsak said, if you're not allowing the public to access the system, then using the public WebPKI may not be the best approach for whatever you're really trying to accomplish.

4 Likes
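The renewal-window hook from the first option above, as an added example that is not part of the thread or of any ACME client: a hypothetical certbot pre/post hook that opens TCP/80 only while an HTTP-01 validation runs. It assumes nftables and an existing `inet filter` table whose `input` chain already jumps to an otherwise empty chain named `acme_http`.

```sh
#!/bin/sh
# acme-fw.sh: hypothetical certbot pre/post hook (added example, not from the
# thread). Opens TCP/80 to any source only while an HTTP-01 validation is
# running, then closes it again, so no permanent 0.0.0.0/0 rule is needed.
#
#   certbot renew --pre-hook  "/usr/local/sbin/acme-fw.sh open" \
#                 --post-hook "/usr/local/sbin/acme-fw.sh close"
#
# Assumptions: nftables; an existing "inet filter" table whose input chain
# already jumps to an (otherwise empty) chain named acme_http, e.g.
#   nft add rule inet filter input tcp dport 80 jump acme_http
set -eu

NFT=${NFT:-nft}               # NFT=echo prints the commands instead (dry run)
TABLE=${TABLE:-inet filter}
CHAIN=${CHAIN:-acme_http}

# Open the window: flush first so repeated runs never stack duplicate rules.
# Any source address is accepted because Let's Encrypt validates from several
# unpublished vantage points; the rule is scoped by port and lifetime instead.
acme_fw_open() {
    $NFT flush chain $TABLE $CHAIN
    $NFT add rule $TABLE $CHAIN tcp dport 80 ct state new accept
    echo "acme-fw: tcp/80 open for ACME http-01 validation" >&2
}

# Close the window. certbot runs the post-hook after the attempt whether it
# succeeded or not, so the port does not stay open after a failed renewal.
acme_fw_close() {
    $NFT flush chain $TABLE $CHAIN
    echo "acme-fw: tcp/80 closed" >&2
}

acme_fw_main() {
    case "${1:-}" in
        open)  acme_fw_open ;;
        close) acme_fw_close ;;
        *)     echo "usage: $0 open|close" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with an argument (as certbot does).
[ $# -eq 0 ] || acme_fw_main "$@"
```

Running with `NFT=echo` shows the exact nft commands without touching the ruleset, which is a useful pre-flight check before wiring the hooks into the renewal timer.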
