Certbot IPs to authorize through 443 port


#1

Hi everyone !

I’ve been using certbot on my apache server with great success. However, I would like to restrict the incoming traffic as much as possible and thus restrict 443 TCP access.
Unfortunately, I could not find certbot public IPs.

If someone can help, I’d be very grateful. Thanks

Andy


#2

From https://letsencrypt.org/docs/faq/ :

What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

Additionally, the only validation method that directly uses 443/tcp (tls-sni) is being phased out.

The remaining validation methods (http, dns) use tcp/80 (but follow redirects to https://) and (no port), respectively.


#3

Well, that was fast. Thank you very much!

Yeah, I’ve seen that in the FAQ, that’s why I’ve asked about it here.

Phased out? Could you please tell me more about the DNS method? As I do not want my server to be visible from the WAN to all IP addresses, this might be interesting. Or maybe it needs to use both HTTP and DNS.


#4

Yes, DNS is a good validation method to use if you want to completely hide your server from the internet. In this case Let’s Encrypt does not need to be able to connect to your web server at all.

It works by requiring you to create _acme-challenge TXT records on the domains you want certificates for.

For automatic renewal, you will need to use a Let’s Encrypt client that supports updating your domain’s TXT records in a programmatic way (via API or other means). An example using Certbot to update Cloudflare-hosted DNS records is here.

Your options will depend on where your domains’ DNS is hosted.
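As an added example (not from this thread, and not certbot’s own code), here is how the value of that _acme-challenge TXT record is derived under the ACME dns-01 challenge (RFC 8555 §8.4, with the RFC 7638 key thumbprint), so you can verify what your DNS hook actually published before the CA looks for it; the token and JWK below are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with lexicographically sorted keys and no whitespace.
    Extra members such as 'alg' or 'kid' must NOT influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record contents for dns-01:
    base64url(SHA-256(token + "." + thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """Owner name of the TXT record. A wildcard identifier is validated at the
    base name, so '*.example.com' and 'example.com' both use
    '_acme-challenge.example.com'; a trailing dot is normalised away."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}"


def txt_record_matches(published: list, expected: str) -> bool:
    """True if the TXT strings seen at the name (e.g. from a resolver lookup)
    include the expected value. Several values at once are normal when
    more than one order is in flight; the CA only needs one to match."""
    return expected in published


# Constructed sample values for demonstration only: not a real token or key.
SAMPLE_TOKEN = "sample-token-0123456789"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}

if __name__ == "__main__":
    name = challenge_record_name("*.example.com")
    print(f"{name} TXT {dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)}")
```

In practice you would take the token and account key from your client’s challenge data, compute the value here, and query the record from an external resolver before letting the client tell the CA to validate.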
