Certbot subnets

Hi!

My web server uses strong security settings, so ports 80 and 443 are closed by geolocation. Also I have a domain which does not belong to me. But the website for it is located on my server, and it needs to get an SSL certificate. So I need to open ports 80 and 443 for the Certbot subnets. What subnets should I allow?

Sorry for my bad English :roll_eyes:

1 Like

We don’t publish a list and they routinely change. If you don’t want to expose your website to the internet, you can consider using DNS validation instead.

7 Likes

Another option some people use is using the "hooks" in their ACME client to script opening up their firewall to everyone before renewing and then scripting closing it back down again afterward. But often using DNS validation is easier than using that approach.

7 Likes
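The pre-/post-hook approach described in the reply above, as an added example that is not code from the thread or from Certbot: one shell script that serves as both `--pre-hook` and `--post-hook`. It assumes iptables is the firewall, that the geo-block rules live in the INPUT chain, and the path `/etc/letsencrypt/acme-fw.sh` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): temporarily allow
# 80/443 from everywhere while certbot renews, then close them again.
# Assumptions: iptables; geo-block rules are in INPUT; a rule inserted at
# position 1 is evaluated before them.

IPT="${IPT:-iptables}"   # set IPT=echo to print the commands instead of running them
PORTS="80 443"

# acme_open: insert ACCEPT rules at the head of INPUT so the ACME validation
# request reaches the web server regardless of the geo-block. The window is
# only open for the duration of the renewal run.
acme_open() {
  for p in $PORTS; do
    "$IPT" -I INPUT 1 -p tcp --dport "$p" -j ACCEPT || return 1
  done
}

# acme_close: delete exactly the rules acme_open added (-D with the same
# match leaves unrelated rules untouched). A missing rule is ignored so the
# post-hook still succeeds if the pre-hook failed part way through.
acme_close() {
  for p in $PORTS; do
    "$IPT" -D INPUT -p tcp --dport "$p" -j ACCEPT 2>/dev/null || true
  done
}

# Dispatch on the first argument so one file can act as both hooks:
#   certbot renew --pre-hook  "/etc/letsencrypt/acme-fw.sh open" \
#                 --post-hook "/etc/letsencrypt/acme-fw.sh close"
case "${1:-}" in
  open)  acme_open ;;
  close) acme_close ;;
esac
```

certbot runs `--post-hook` even when renewal fails, so the firewall is closed again either way; a dry run with `IPT=echo ./acme-fw.sh open` shows the rules that would be inserted without touching the firewall.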

Hi Peter!

DNS validation is a good solution, but then the "certbot renew" command doesn't work (maybe I did something wrong, but I get an error "PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')")

People typically don't use certbot renew with manual authentication, which is not automatable.

4 Likes

Yes, to effectively automate DNS authentication (which is the ideal) one needs a DNS provider with an API, and a plugin for Certbot (or some other ACME client) which can use it.

6 Likes