*** Certificate renewal failed ***

An allow list? How many people access your domain? If it's meant for the general public, that won't allow that. See my failures reaching your "home" page from my test server.

Let's Encrypt does not publish the IP addresses used by its authentication servers. There are multiple locations world-wide and the IPs change regularly. See this FAQ and its link: FAQ - Let's Encrypt
And also this about world-wide validation: Multi-Perspective Validation & Geoblocking FAQ

Assuming you require limited HTTP(s) access you have options:

Look at something like AWS WAF, which allows you to make rules about access. You could allow any URI with /.well-known/acme-challenge/ on port 80 and block all others, for example.

Use a DNS Challenge (link here). This assumes your DNS provider allows queries from anywhere, as these must be allowed world-wide for LE authentication too. Automating this requires your DNS provider to support an API to add/remove TXT records for authentication.

If your DNS provider does not offer an API, you could set up your own DNS server just for the challenges (see acme-dns), or CNAME the authentication record to another provider that does, or of course switch DNS providers (Route53 integrates with Certbot).

Lastly, you could look at using a different Certificate Authority. You are still going to have some validation issues if you severely restrict access, but perhaps you can find a CA that is currently less robust. But note that other CAs may well be, or become, similar to LE in this regard over time.

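The first option above (leave /.well-known/acme-challenge/ reachable from anywhere on port 80, keep everything else behind an allow list) can be expressed as a small front-door policy. The following is an added example written for this thread, not code from the poster, Let's Encrypt or Certbot. It assumes an ACME client such as `certbot --webroot` writes challenge files under an assumed webroot of `/var/www/acme`, and the allow-listed networks are constructed sample values; the `classify()` function is the reusable part, the HTTP handler just wires it to port 80.

```python
"""Added example: a minimal HTTP/80 gate that serves ACME HTTP-01 challenge
files to any client IP while all other paths stay behind an IP allow list.
Webroot and allow-list values below are assumed/constructed for illustration.
"""
import ipaddress
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# ACME HTTP-01 tokens are base64url characters only; anything else
# (for example "..", "/", "%") is rejected so the handler can never be
# pointed outside the challenge directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample allow list for the non-challenge part of the site
# (RFC 5737 documentation ranges; replace with your own).
ALLOWED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Assumed webroot, i.e. the -w argument you would hand to certbot --webroot.
WEBROOT = "/var/www/acme"


def classify(path: str, client_ip: str, allowed_nets=ALLOWED_NETS) -> str:
    """Decide how to treat a request.

    Returns 'challenge' for a well-formed ACME challenge URL from any IP,
    'allowed' for any other path from an allow-listed IP, else 'blocked'.
    """
    if path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        # Validators come from undisclosed, changing IPs: never filter by IP here.
        return "challenge" if TOKEN_RE.fullmatch(token) else "blocked"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "blocked"
    return "allowed" if any(ip in net for net in allowed_nets) else "blocked"


def read_challenge(webroot: str, path: str) -> Optional[bytes]:
    """Return the key authorization bytes for a validated challenge path."""
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return None
    full = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(full, "rb") as fh:
            return fh.read()
    except OSError:
        return None


class AcmeGate(BaseHTTPRequestHandler):
    """Port-80 handler: challenge files to the world, rest to the allow list."""

    def do_GET(self):
        path = self.path.split("?", 1)[0]
        verdict = classify(path, self.client_address[0])
        if verdict == "challenge":
            body = read_challenge(WEBROOT, path)
            if body is None:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif verdict == "allowed":
            # In a real deployment this branch would proxy to the actual site.
            body = b"allow-listed client\n"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(403)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), AcmeGate).serve_forever()
```

The point of `classify()` is that the IP check is applied only after the challenge prefix has been ruled out, so tightening the allow list later cannot accidentally lock out the validators; the token regex keeps the open path from becoming a directory-traversal hole. The same split (open challenge prefix, allow list elsewhere) is what you would encode in a WAF rule set or a reverse-proxy config.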