We are having problems with our firewall. It seems that the IP from outbound2.letsencrypt.org it's beeing dropped because it's included in a mailicious ip list from ThreatRadar.
As I've seen several questions in the list about firewall problems, perhaps could be a good idea to check for IP blocking lists in letsdebug service.
Thanks for your work with Let's Encrypt.
I believe LetsDebug is written by @alexzorin , so tagging him.
The account he usually uses is @_az.
Yeah I was in doubt about the accounts
Thank you for letting us know! We've just reached out to Imperva ThreatRadar, and would appreciate it if (as a customer) you could also do so.
I haven't found a way for non-customers to query this particular list, but this is still a great suggestion.
That's a good thought, though this is feels like something that Let's Encrypt should monitor themselves, as they have the authoritative list of validation IP addresses.
Ideally (in our non-ideal ecosystem) monitoring should probably happen both on our side and with tools like letsdebug, because we're not always able to convince blocklists to de-list our validation IPs. So, unfortunately, this will be something that unavoidably comes up during in-depth troubleshooting from time to time.
Would you be willing to share the list of IP addresses used in outbound validation?
Alternatively we could look at setting up a monitoring solution and probe these ourselves, but that's not ideal.
Edit: I am one of the authors of let’s debug.
I was not aware.
I've just been pinging _az the whole time.
Sorry @eggsampler, I'm working here as an external consultant and I don't have access to the list of IP addresses.
But being ThreatRadar a private product I doubt that someone could share it.
Apologies, I meant to reply to JamesLE, not a general reply to the thread - sorry!
Oh, that slipped my mind; of course you'll need a list in order to check whether they're blocked anywhere. Hmm, this is a tricky one.
As you know, we currently don't disclose those IPs for a few different reasons. This seems like a scenario where those reasons don't apply. If my colleagues agree, the challenge will be setting up a process/pipeline for communicating IP changes, which happen pretty often.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.