[ACL] Looking for Let's Encrypt IP

Hello,

I can't renew our domains' certificates anymore because our websites are behind a firewall.
This firewall uses ACLs to filter inbound connections.
The ACL is renewed each day by a script. In this script, we convert these URLs to IPs and allow them: acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org.
Everything worked fine until now. If I disable the ACL, I'm able to renew the certificate.
Did Let's Encrypt change their URL for renewing certificates?

Regards,

Tiki_

Yes. At least: probably. The IP addresses can change at any time. Please see this FAQ entry: FAQ - Let's Encrypt and also the link to the page about Multi-Perspective Validation.

The above assumed incoming connections for validation, by the way.

2 Likes

Osiris,

Thank you for your reply.
I understand that IPs can change at any time. I always thought that converting the URL was enough, as that worked until now.
For security, I can't open the ACL to the world. I can use a range of IPs if available.
As I understand it, there is no possibility other than renewing by hand by disabling the ACL.

Tiki_

1 Like

Maybe you can use deep packet inspection to allow the path /.well-known/acme-challenge/* for any IP address.

1 Like
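A layer-7 rule of the kind suggested above, written as an added Python example that is not part of this thread. The trusted networks, the port and the HTTP method are assumptions; the point is that only a strictly formed HTTP-01 challenge path (GET on port 80, no query string, no traversal) bypasses the IP allow-list, so the ACL is not loosened for anything else.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the allow-list the daily ACL script produces.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# HTTP-01 tokens are base64url: letters, digits, '-' and '_' only, one path segment.
ACME_CHALLENGE = re.compile(r"^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$")


def is_acme_challenge(raw_target: str) -> bool:
    """True only for a well-formed HTTP-01 challenge request target."""
    parts = urlsplit(raw_target)
    # Reject absolute-form targets, authority smuggling via "//", and query strings.
    if parts.scheme or parts.netloc or parts.query:
        return False
    path = unquote(parts.path)  # decode %2e%2e-style tricks before checking
    if "/../" in path or path.endswith("/..") or "//" in path:
        return False
    return ACME_CHALLENGE.match(path) is not None


def allow_request(src_ip: str, method: str, raw_target: str, port: int) -> bool:
    """Layer-7 ACL decision: the ACME challenge path is open to any source on
    port 80 (validation can come from several IPs); everything else must
    originate from a trusted network."""
    if port == 80 and method == "GET" and is_acme_challenge(raw_target):
        return True
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed source address: fail closed
    return any(ip in net for net in TRUSTED_NETWORKS)
```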

Osiris,

Very good idea!
I think I can use layer 7 of my router to allow this path.
I'll try it tomorrow.

Thank you.

Tiki_

1 Like
