I am using a LE cert on my Synology. To be able to retrieve/install the certificate I had to open port 80 to my Synology and I understand this has to remain open to accommodate automatic renewal.
I checked my firewall logs to see from which LE sources communication was done to get the certificate. That seems to be outbound1.letsencrypt.org. I also checked that an outbound2.letsencrypt.org exists. So I have added those 2 FQDN entries in my firewall policy to be allowed to communicate with Synology on port 80. Other sources are not allowed.
- Is it true that port 80 needs to remain open for automatic cert renewal to happen? Or is this port only needed during the first installation/setup of the certificate?
- Is there a way to verify/know that the 2 FQDNs are indeed all the servers that LE uses during renewal communication? Of course I would like to have the number of possible sources that are allowed to communicate to port 80 to be as small as possible. Also, I will have an answer when renewal fails in the future, but I much more prefer to have a correct policy in my firewall before that, so that the cert stays valid.
Kind regards,
humke
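One way to check the second question from evidence you already have is to audit the web server's access log (which, unlike a firewall log, records the requested path) for fetches of /.well-known/acme-challenge/ tokens. This is an added example, not code from the original post; the log lines are constructed sample data with RFC 5737 documentation addresses, and the allowlist passed to it is a hypothetical set of addresses you resolved from your own firewall policy.

```python
import re
from collections import defaultdict

# Constructed sample lines in the common "combined" access-log format (not real data).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:03:14:07 +0000] "GET /.well-known/acme-challenge/AbC123 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [10/May/2024:03:14:08 +0000] "GET /.well-known/acme-challenge/AbC123 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.55 - - [10/May/2024:03:20:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:03:14:09 +0000] "GET /.well-known/acme-challenge/AbC123 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
ACME_PREFIX = "/.well-known/acme-challenge/"


def audit_port80_sources(log_text):
    """Per source address, count ACME challenge fetches vs. all other requests.

    Returns {ip: {"acme": n, "other": m}}; lines that do not parse are skipped.
    """
    counts = defaultdict(lambda: {"acme": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = "acme" if m.group("path").startswith(ACME_PREFIX) else "other"
        counts[m.group("ip")][kind] += 1
    return dict(counts)


def unexpected_acme_sources(log_text, allowed_ips):
    """Addresses that fetched a challenge token but are not in the (hypothetical) allowlist.

    A non-empty result means a validation request came from a source the firewall
    policy would have blocked, which is the condition that makes a renewal fail.
    """
    counts = audit_port80_sources(log_text)
    return {ip for ip, c in counts.items() if c["acme"] > 0 and ip not in allowed_ips}


if __name__ == "__main__":
    for ip, c in sorted(audit_port80_sources(SAMPLE_LOG).items()):
        print(f"{ip:16} acme={c['acme']} other={c['other']}")
    print("outside allowlist:", unexpected_acme_sources(SAMPLE_LOG, {"203.0.113.10"}))
```

Run it over the real access log covering a renewal window; Let's Encrypt validates each challenge from several vantage points, so expect more than one source address per token, and any address reported outside the allowlist is one the firewall policy has to account for.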