Auto renewal and region blocking?


#1

I am running my site from home (Europe) on a Synology NAS. I have set up my webserver with region blocking, only allowing certain regions to access my server.

The Syno NAS automatically renews my cert, but Let’s Encrypt needs access to port 80. So my question is:

From what country, or countries, is Let’s Encrypt probing servers?


#2

For now it’s just the US, but that may change in the future without warning so you should allow access to /.well-known/acme-challenge/ from everywhere.
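
One way to apply this advice, as an added example that is not part of the original thread: it assumes the region filtering is done in nginx with the GeoIP module (ngx_http_geoip_module) rather than in a packet firewall, since a packet firewall cannot filter by URL path and would have to leave port 80 open to every source. The database path, webroot, server name and country codes are constructed placeholders.

```nginx
# --- http {} context ---------------------------------------------------
# Country lookup for the client address (placeholder database path).
geoip_country /usr/share/GeoIP/GeoIP.dat;

# 1 = region allowed, 0 = blocked. Country codes are placeholders.
map $geoip_country_code $region_allowed {
    default 0;
    DE      1;
    NL      1;
}

# --- port 80 virtual host ------------------------------------------------
server {
    listen 80;
    server_name example.com;            # placeholder name

    # HTTP-01 validation path: no region check here, because the
    # validation source addresses are not announced and may change.
    # "^~" stops regex locations from taking over this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;             # placeholder webroot used by the ACME client
        default_type text/plain;
        try_files $uri =404;            # serve token files only, nothing else
    }

    # Everything else on port 80 stays region-restricted.
    location / {
        if ($region_allowed = 0) {
            return 403;
        }
        return 301 https://$host$request_uri;
    }
}
```

Only the challenge directory is exposed worldwide; it contains short-lived token files and no application content, so the rest of the site keeps its region policy.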


#3

To add to @cool110’s answer, this is what we say in regards to IP addresses & port 80 firewalls in the integration guide:

Let’s Encrypt IPs
Let’s Encrypt will validate from a number of different IP addresses in the future, and will not announce which ones in advance. You should make sure your validation server is available to all IPs.

Some people who are issuing for non-HTTP services want to avoid exposing port 80 to anyone except Let’s Encrypt’s validation server. If you’re in that category you may want to use the DNS challenge instead.

Does Synology’s ACME integration support the DNS challenge method? If it does not, you may wish to create a feature request with the maintainers.

