My web server uses strong security settings, so ports 80 and 443 are closed by geolocation. Also, I have a domain which does not belong to me, but the website for it is located on my server, and it needs to get an SSL certificate. So I need to open ports 80 and 443 for the certbot subnets. What subnets should I allow?
We don't publish a list, and they routinely change. If you don't want to expose your website to the internet, you can consider using DNS validation instead.
Another option some people use is the "hooks" in their ACME client to script opening up their firewall to everyone before renewing, and then scripting closing it back down again afterward. But often using DNS validation is easier than that approach.
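To make the hook approach concrete, here is an added example of what such a pre/post hook script can look like. It is not from this thread or from Certbot itself; the script path, the use of iptables, and the rule comment are assumptions, and the firewall command is read from the `FW` variable so it can be swapped out. It only opens TCP port 80 (HTTP-01 validation starts there), inserts the rule once even if a previous run was interrupted, and removes every copy of it afterwards.

```shell
#!/bin/sh
# Hypothetical firewall hook for certbot (added example, not Certbot's own code).
# Wire it in with certbot's pre/post hooks, e.g.:
#   certbot renew --pre-hook  "/usr/local/sbin/acme-fw.sh open" \
#                 --post-hook "/usr/local/sbin/acme-fw.sh close"
# certbot only runs the pre-hook when a certificate is actually due, so the
# port is exposed just for the duration of a real renewal attempt.

FW=${FW:-iptables}   # firewall command; assumption, override for other tools

# HTTP-01 validation connects to TCP port 80. The comment match lets the
# rule be found again even if other rules were added in the meantime.
RULE="INPUT -p tcp --dport 80 -m comment --comment acme-http01 -j ACCEPT"

# Insert the accept rule at the top of INPUT, but only if it is not
# already present (an interrupted earlier run may have left it behind).
fw_open() {
    if ! $FW -C $RULE 2>/dev/null; then
        $FW -I $RULE
    fi
}

# Remove every copy of the rule, so a duplicate can never stay open.
fw_close() {
    while $FW -C $RULE 2>/dev/null; do
        $FW -D $RULE
    done
}

case "${1:-}" in
    open)  fw_open ;;
    close) fw_close ;;
esac
```

If the renewal fails, certbot still runs the post-hook, so the window closes either way; it is still worth alerting if the rule is ever found present outside a renewal run.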
DNS validation is a good solution, but then the "certbot renew" command doesn't work (maybe I'm doing something wrong, but I get the error "PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')").
Yes, to effectively automate DNS authentication (which is the ideal), one needs a DNS provider with an API, and a plugin for Certbot (or some other ACME client) which can use it.
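For providers without a ready-made Certbot plugin, the `--manual-auth-hook` that the error above asks for is a script you write yourself. The following is an added example of such a hook, not code from this thread, from Certbot, or from any DNS provider. It relies on the `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` environment variables that Certbot sets before calling the hook; the script path, the `dns_add_txt`/`dns_delete_txt` placeholders (which stand in for the provider's API client) and the choice of resolver used to check propagation are assumptions.

```shell
#!/bin/sh
# Hypothetical DNS-01 auth/cleanup hook for certbot (added example).
# Usage (both hooks point at this script, distinguished by the argument):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/sbin/acme-dns.sh auth" \
#     --manual-cleanup-hook "/usr/local/sbin/acme-dns.sh cleanup" \
#     -d example.com
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
set -eu

# The CA queries _acme-challenge.<domain>; a leading "*." from a wildcard
# request is stripped defensively so the record lands on the base name.
challenge_name() {
    echo "_acme-challenge.${1#\*.}"
}

# Placeholders for the provider's API (assumption): replace the bodies with
# the real client call. Keep the API credential readable only by root.
dns_add_txt()    { echo "would add    TXT $1 \"$2\""; }
dns_delete_txt() { echo "would delete TXT $1 \"$2\""; }

# Poll a public resolver until the record is visible, so certbot does not
# ask the CA to validate before the change has propagated. The resolver
# address is an assumption; the provider's authoritative server is better.
wait_for_txt() {
    name=$1; value=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "$name" @1.1.1.1 | grep -qF "\"$value\""; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 10
    done
    echo "TXT record for $name not visible after polling" >&2
    return 1
}

auth() {
    name=$(challenge_name "$CERTBOT_DOMAIN")
    dns_add_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

# Always remove the token afterwards; stale challenge records accumulate
# and some providers cap the number of TXT values per name.
cleanup() {
    dns_delete_txt "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

case "${1:-}" in
    auth)    auth ;;
    cleanup) cleanup ;;
esac
```

Once the auth and cleanup hooks are in place, `certbot renew` runs non-interactively because the manual plugin now has a script to call, which is exactly the condition the quoted PluginError complains about.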