I’ve been using certbot on my apache server with great success. However, I would like to restrict the incoming traffic as much as possible and thus restrict 443 TCP access.
Unfortunately, I could not find certbot public IPs.
What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.
Additionally, the only validation method that directly uses 443/tcp (tls-sni) is being phased out.
The remaining validation methods (http, dns) use tcp/80 (but follows redirects to https://) and (no port), respectively.
Yeah, I’ve seen that in the FAQ, that’s why I’ve asked about it here.
Phased out? Could you please tell me more about the DNS method? As I do not want my server to be visible from the WAN to all IP addresses, this might be interesting. Or maybe it needs to use both HTTP and DNS.
Yes, DNS is a good validation method to use if you want to completely hide your server from the internet. In this case Let’s Encrypt does not need to be able to connect to your web server at all.
It works by requiring you to create _acme-challenge TXT records on the domains you want certificates for.
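How the DNS method described above is checked in practice, as an added example (not certbot’s code and not from this thread): it derives the `_acme-challenge` TXT value that ACME expects from the challenge token and the account key thumbprint, and confirms the record is published before Let’s Encrypt is asked to validate. The JWK, the token and the `published` record table are constructed placeholders standing in for the real account key and a live DNS lookup.

```python
"""Pre-flight check for an ACME dns-01 challenge (RFC 8555 section 8.4).
Added example, not certbot's own code; key material and records are constructed."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT content = base64url(SHA-256(token "." thumbprint)); the CA recomputes this."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """The record lives at _acme-challenge.<domain>; a wildcard uses its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}."


def record_published(published: dict, domain: str, expected: str) -> bool:
    """True if the expected value is among the TXT strings at the challenge name.
    `published` maps a DNS name to its TXT strings (stands in for a real resolver)."""
    strings = [s.strip('"') for s in published.get(challenge_record_name(domain), [])]
    return expected in strings


# Constructed placeholders: not a real account key, token or zone.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"}
SAMPLE_TOKEN = "placeholder-token-from-ca"

if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK))
    zone = {challenge_record_name("example.com"): [f'"{value}"']}
    print("publish:", challenge_record_name("*.example.com"), "TXT", value)
    print("published ok:", record_published(zone, "*.example.com", value))
```

Run the check for every name in the order (a wildcard and its base name need two TXT records at the same `_acme-challenge` label), and only then let certbot continue to validation; with this method Let’s Encrypt never connects to the web server, so 443 can stay closed to the WAN.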