Hello! I have a script that validates certificates (released via Let's Encrypt).
The host on which it is executed needs to restrict access to the Internet, but maintain access to the external addresses of the Let's Encrypt CA (whitelist).
I checked with Wireshark where exactly it is accessing and what port/protocol.
You may not want to restrict the access to a set of IP addresses, rather to a set of URLs. That's why @orangepizza's idea for a secure proxy is very good.
In fact you may restrict to IP addresses, if you manage the list of IPs dynamically, via looking up the IP of the CRL hosts frequently, and updating the list. It isn't perfect, and I think it is not worth the effort.
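An added example (not code from any post in this thread) of the "manage the list dynamically" approach described in the post above: resolve the allowlisted hostnames on a schedule and regenerate an nftables set. Two things the post calls imperfect are handled explicitly: a CDN-backed host rotating addresses (an address stays allowed for a grace period after it leaves the DNS answer) and a failed lookup (the previous entries are kept rather than emptying the list). The hostname, the resolver answers (documentation-range addresses), the grace period and the nft table/set names are all assumptions; the real hostnames are whatever the CRL Distribution Points and AIA/OCSP URLs in the certificates you validate point at.

```python
"""Dynamic IP allowlist built from resolved hostnames, with a grace period.

Added example; not code from any post in the thread. The hostnames passed in
are placeholders, the real ones come from the CRL Distribution Points and
AIA/OCSP URLs of the certificates being validated.
"""
import ipaddress
import json
import socket
from typing import Callable, Dict, Iterable, List, Set

# How many refresh rounds an address may go unseen before it is dropped.
# CDN-backed hosts rotate addresses and a client may still be talking to an
# address that just left the DNS answer, hence the grace period (assumed value).
GRACE_ROUNDS = 3

# hostname -> {address: consecutive rounds the resolver did not return it}
State = Dict[str, Dict[str, int]]
Resolver = Callable[[str], Set[str]]


def system_resolver(hostname: str) -> Set[str]:
    """Resolve A and AAAA records via the OS resolver (for the real cron job;
    the offline demo below injects a fake resolver instead)."""
    return {
        info[4][0]
        for info in socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    }


def refresh(state: State, hostnames: Iterable[str], resolver: Resolver) -> State:
    """One resolution round; returns the updated state.

    Addresses returned now get a miss count of 0, addresses not returned age
    by one round and fall out after GRACE_ROUNDS, and a hostname whose lookup
    fails keeps its previous entries so a DNS hiccup never empties the list.
    """
    new_state: State = {}
    for host in hostnames:
        known = dict(state.get(host, {}))
        try:
            current = {str(ipaddress.ip_address(a)) for a in resolver(host)}
        except (OSError, ValueError):      # socket.gaierror is an OSError
            new_state[host] = known        # lookup failed: keep what we had
            continue
        aged = {ip: misses + 1 for ip, misses in known.items() if ip not in current}
        kept = {ip: misses for ip, misses in aged.items() if misses <= GRACE_ROUNDS}
        kept.update({ip: 0 for ip in current})
        new_state[host] = kept
    return new_state


def allowed_addresses(state: State) -> Set[str]:
    """Union of every address still inside its grace period."""
    return {ip for entries in state.values() for ip in entries}


def nft_commands(state: State, table: str = "inet filter",
                 set4: str = "ca_v4", set6: str = "ca_v6") -> List[str]:
    """Render nft statements that replace the contents of two named sets.
    Feed them to `nft -f -` so flush and add land in one transaction and the
    sets are never empty in between. Table and set names are assumptions."""
    addrs = allowed_addresses(state)
    v4 = sorted(a for a in addrs if ipaddress.ip_address(a).version == 4)
    v6 = sorted(a for a in addrs if ipaddress.ip_address(a).version == 6)
    cmds = [f"flush set {table} {set4}", f"flush set {table} {set6}"]
    if v4:
        cmds.append(f"add element {table} {set4} {{ {', '.join(v4)} }}")
    if v6:
        cmds.append(f"add element {table} {set6} {{ {', '.join(v6)} }}")
    return cmds


def save_state(state: State, path: str) -> None:
    """Persist the miss counters between cron runs."""
    with open(path, "w") as fh:
        json.dump(state, fh)


def load_state(path: str) -> State:
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


if __name__ == "__main__":
    # Offline demo with a constructed resolver; the real job would instead run
    # state = refresh(load_state(PATH), HOSTS, system_resolver); save_state(...)
    answers = {"ocsp.example.test": {"192.0.2.10", "2001:db8::10"}}
    st = refresh({}, answers, lambda h: answers[h])
    answers["ocsp.example.test"] = {"192.0.2.11"}        # CDN moved the host
    st = refresh(st, answers, lambda h: answers[h])
    print("\n".join(nft_commands(st)))                   # old and new address
```

Run it from cron every few minutes with the real resolver and pipe the output to `nft -f -`; the sets it fills are then referenced from an output rule such as `ip daddr @ca_v4 tcp dport { 80, 443 } accept` (rule wording assumed). Whether the CA's CRL/OCSP hosts keep using port 80 or 443, and how often their addresses change, is exactly what the Wireshark capture mentioned earlier will tell you.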
Get your certificates on a host that doesn't need to be restricted and deploy them to a secrets vault (and pull them periodically on the target host), or ssh/sftp them to the target host.
Why do you need LEs external IP addresses when you're validating certificates?
Or perhaps I just don't follow what you mean with "validates certificates"?
Now, if you'd say "validating hostnames", then we're talking about something else. But that's not what you're saying. You mention "validates certificates" quite clearly?