ACME Challenge source IP's (again)

Howdy,

There should be an option to tell the certbot client which IPs it should use.
ATM there's a problem where the network 47.0.0.0/8 from Alibaba is completely compromised, and there are some IPs that come from this network.
With iptables I can block 47.0.0.0/8, but then certbot fails.

I'm not sure I follow. You're talking about Certbot, but also "IPs it should use". What "IPs" do you mean? Because Certbot is an ACME client and cannot and does not control which IP addresses the challenges are sent from. That's done on the ACME server side and the ACME client cannot influence that.

Also, I'm pretty sure Let's Encrypt (if that's the ACME CA you're using that is.. I assume you do, otherwise you probably wouldn't have come here) does not use any Alibaba IP address to send their challenges from.

TL;DR: I don't completely follow, can you elaborate and clarify more?

That said, the answers in this thread won't be any different than in your previous thread, sooo..

4 Likes

Hello @decimal,

So yes the Let’s Encrypt ACME Challenge IP Addresses change, and change again.

The symptom you describe is the IP Addresses change,
what is the fundamental issue(s) you are trying to solve?

1 Like

Let’s Encrypt challenges don’t originate from Alibaba.

Primary: see Timeout during connect - #6 by mcpherrinm

Secondary: Use AWS. They have IP address files you can get from them.

The standard disclaimer applies, these may change at any time without notice.

4 Likes
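As an added illustration of the point made in this reply (this is not code from the thread, from Certbot or from Let's Encrypt): before dropping a range like 47.0.0.0/8, a server operator can check whether the block would intersect the validator ranges a provider publishes, and triage the HTTP-01 requests actually seen in the web server log. The JSON below is a constructed sample in the shape of AWS's published ip-ranges.json (only the `prefixes`, `ip_prefix`, `region` and `service` fields are used, and the prefixes are documentation ranges, not real AWS ranges); the log lines are constructed too, and the challenge path is the one RFC 8555 defines for HTTP-01. Because the ranges can change without notice, as the thread says, this is a one-off check of an existing block rule, not a way to build a permanent allowlist.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). Only the fields used here
# are included, and the prefixes are RFC 5737 documentation ranges, not AWS ranges.
SAMPLE_IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "ap-south-1", "service": "S3"},
    ],
})

# Constructed web server log lines (combined log format); two HTTP-01 challenge
# fetches and one unrelated request.
SAMPLE_LOG = """\
203.0.113.17 - - [10/Mar/2024:12:00:01 +0000] "GET /.well-known/acme-challenge/tok1 HTTP/1.1" 200 87 "-" "-"
47.12.34.56 - - [10/Mar/2024:12:00:02 +0000] "GET /.well-known/acme-challenge/tok1 HTTP/1.1" 200 87 "-" "-"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ACME_PATH = "/.well-known/acme-challenge/"  # HTTP-01 challenge path (RFC 8555)


def load_prefixes(raw_json, service="EC2"):
    """Networks listed for one service in ip-ranges.json (IPv4 prefixes only)."""
    data = json.loads(raw_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == service]


def blocked_overlaps(block_cidrs, validator_nets):
    """(validator_net, block_cidr) pairs where a firewall block would catch validator traffic."""
    blocked = [ipaddress.ip_network(c) for c in block_cidrs]
    return [(str(n), str(b)) for n in validator_nets for b in blocked if n.overlaps(b)]


def classify_challenge_requests(log_text, block_cidrs, validator_nets):
    """For each HTTP-01 request in the log, report whether the block list would
    drop its source and whether the source sits inside the published ranges."""
    blocked = [ipaddress.ip_network(c) for c in block_cidrs]
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(ACME_PATH):
            continue  # not an ACME challenge fetch
        ip = ipaddress.ip_address(m.group("ip"))
        rows.append({
            "ip": str(ip),
            "dropped_by_firewall": any(ip in b for b in blocked),
            "in_validator_ranges": any(ip in n for n in validator_nets),
        })
    return rows


if __name__ == "__main__":
    nets = load_prefixes(SAMPLE_IP_RANGES_JSON)
    print("overlaps with 47.0.0.0/8:", blocked_overlaps(["47.0.0.0/8"], nets))
    for row in classify_challenge_requests(SAMPLE_LOG, ["47.0.0.0/8"], nets):
        print(row)
```

On the constructed sample the block of 47.0.0.0/8 overlaps none of the published ranges, the challenge fetch from 203.0.113.17 is inside them and is not dropped, and the fetch from 47.12.34.56 is dropped and sits outside them; a real run would use the current ip-ranges.json and the server's own access log, and the primary validator addresses from the thread linked above are a separate list that this check does not cover.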

To be clear, (as far as I know) this also includes a change of provider, e.g. a non-AWS hosting provider for the secondary validation servers, if and when Let's Encrypt deems that to be necessary. Not just the IP addresses used at the current AWS vantage points.

2 Likes
