Certificate renewal communication via HTTP with which LE sources?

humke · February 14, 2018, 3:36pm

I am using a LE cert on my Synology. To be able to retreive/install the certificate I had to open port 80 to my Synology and I understand this has to remain open to accomodate for automatic renewal.

I checked my firewall logs to see from which LE sources communication was done to get the certificate. That seems to be outbound1.letsencrypt.org. I also checked that an outbound2.letsencrypt.org exists. So I have added those 2 FQDN entries in my firewall policy to be allowed to communicatie with Synology on port 80. Other sources are not allowed.

Is it true that port 80 needs to remain open for automatic cert renewal to happen? Or is this port only needed during the first installation/setup of the certificate?
Is there a way to verify/know that the 2 FQDNs are indeed all the servers that LE uses during renewal communication? Ofcourse I would like to have the number of possible sources that are allowed to communicate to port 80 to be as small as possible. Also, I will have an answer when renewal fails in the future but I much more prefer to have a correct policy in my firewall before that, so that the cert keeps valid.

Kind regards,
humke

danb35 · February 14, 2018, 3:46pm

Yes, that's correct.

No, there is not; this is explicitly not the case. See:

jared.m · February 14, 2018, 3:47pm

If you are using http-01 challenges, yes, you will need port 80 open during any renewal attempts. You can script this with pre-hook and post-hook to open and close it, though.
Whitelisting validation authorities is officially not a supported setup. They are not disclosed and subject to change at any time.

The other option, of course, is to use the dns-01 challenge type.

system · March 16, 2018, 3:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.