I'm aware this is addressed in the FAQ as well as a couple of forum posts, but I was wondering if I could get a bit more information.
We have a web server that is being used for webhook endpoints for various APIs and services. Because the information this server handles is very sensitive, we have the firewall for it extremely filtered. This works fine until it's time to renew our cert with certbot and we have to temporarily open the firewall for the challenge to complete. I totally understand the aversion to publishing a list of IP subnets to expect, but the firewall we use also supports referencing domain names. I was wondering if there was a domain name that I could reference that would point to the current IP at that given time for this server in the firewall instead to avoid this.
Thanks! The firewall is a separate entity in this case, as well as our DNS server, but I might be able to make something work with a bit of restructuring.
The IPs rotate frequently as we use cloud instances for some of the validation, so even DNS wouldn’t work well as new instances could come up before DNS caches have updated. We will likely use more cloud providers in the future, too, so just allowing our current providers isn’t great either.
One thing you can do is run a separate DNS server just for renewing certificates, and use a CNAME to point to that server.
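As an added example (not from the thread or any poster's setup), this is the shape of a certbot manual auth/cleanup hook for that design: the public zone carries a CNAME from `_acme-challenge.<host>` to a name inside a small zone served by the dedicated DNS server, and the hook publishes the validation TXT record there with an RFC 2136 dynamic update. The zone and server names, the TSIG key path and the `DRY_RUN` default are assumptions; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables certbot sets for manual hooks.

```shell
#!/bin/sh
# Added example, not from the thread. certbot --manual hook for DNS-01 with a
# CNAME delegated to a dedicated ACME-only DNS server. Assumed public record:
#   _acme-challenge.webhooks.example.com. CNAME webhooks.example.com.acme.example.net.
# Only the DNS server (ns.acme.example.net) accepts inbound traffic from the
# internet; the webhook server's firewall never has to open port 80.
set -eu

ACME_ZONE="acme.example.net"          # assumed zone served by the ACME DNS server
ACME_SERVER="ns.acme.example.net"     # assumed server accepting signed updates
TSIG_KEY_FILE="/etc/acme/tsig.key"    # assumed TSIG key restricted to this zone
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the nsupdate script instead of sending it

# Name of the TXT record inside the delegated zone for a public host name.
challenge_name() {
    printf '%s.%s.' "$1" "$ACME_ZONE"
}

# Emit an nsupdate script that adds or deletes the validation record.
# $1 = add|delete, $2 = public domain, $3 = validation token (add only)
nsupdate_script() {
    name="$(challenge_name "$2")"
    printf 'server %s\nzone %s.\n' "$ACME_SERVER" "$ACME_ZONE"
    if [ "$1" = "add" ]; then
        printf 'update add %s 60 IN TXT "%s"\n' "$name" "$3"
    else
        printf 'update delete %s IN TXT\n' "$name"
    fi
    printf 'send\n'
}

# Send the script on stdin to the DNS server (or echo it in dry-run mode).
apply_update() {
    if [ "$DRY_RUN" = "1" ]; then
        cat
    else
        nsupdate -k "$TSIG_KEY_FILE"
    fi
}

# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION for --manual-auth-hook
# and --manual-cleanup-hook; the same script serves as both.
auth_hook() {
    nsupdate_script add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | apply_update
    sleep "${PROPAGATION_SECONDS:-0}"   # allow for secondaries, if the zone has any
}

cleanup_hook() {
    nsupdate_script delete "$CERTBOT_DOMAIN" "" | apply_update
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Invoked as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/path/hook auth' --manual-cleanup-hook '/path/hook cleanup' -d webhooks.example.com` (with `DRY_RUN=0` in the environment). ACME validation follows the CNAME from `_acme-challenge`, so the TXT record only ever lives in the delegated zone, and the TSIG key only needs write access to that zone: the production zone and the webhook server's firewall stay untouched.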
If all your "sensitive" connections are via HTTPS, then maybe you don't need to use HTTP to connect to that same system/process/etc.
You could leave port 80 open and use an ACME client in "standalone" mode.
That way, the only HTTP connections are to the ACME client - and only while it is running.
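One way to script that, as an added example that is not from the thread or any poster's setup: a wrapper that runs `certbot renew --standalone` and uses certbot's `--pre-hook`/`--post-hook` to open TCP/80 only while the client runs. It assumes nftables with a table `inet filter`, an `input` chain, and a dedicated `acme` chain that `input` jumps to; the chain and table names and the `DRY_RUN` default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Renew with certbot in standalone mode while
# opening TCP/80 only for the duration of the run. Assumes nftables with a table
# "inet filter", an "input" chain, and a dedicated "acme" chain that "input"
# jumps to; nothing else in the firewall is touched.
# DRY_RUN=1 (the default here) prints the commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
NFT_TABLE="inet filter"      # assumed table name
NFT_ACME_CHAIN="acme"        # assumed chain reserved for the renewal window
SELF="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"   # absolute path for the hooks

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup: an empty chain that input jumps to. Flushing it later closes
# the window without disturbing any other rule.
setup_chain() {
    run nft add chain $NFT_TABLE $NFT_ACME_CHAIN
    run nft add rule $NFT_TABLE input jump $NFT_ACME_CHAIN
}

# Pre-hook: accept new connections to TCP/80 (HTTP-01 validation only).
open_http_window() {
    run nft add rule $NFT_TABLE $NFT_ACME_CHAIN tcp dport 80 ct state new accept
}

# Post-hook: flush the chain. certbot runs the post-hook whether or not the
# renewal succeeded, so the window closes on failure too.
close_http_window() {
    run nft flush chain $NFT_TABLE $NFT_ACME_CHAIN
}

# certbot's standalone listener answers on :80 only while it runs; the pre-hook
# is only executed when a certificate is actually due for renewal.
renew() {
    run certbot renew --standalone --preferred-challenges http \
        --pre-hook "$SELF open" --post-hook "$SELF close"
}

case "${1:-}" in
    setup) setup_chain ;;
    open)  open_http_window ;;
    close) close_http_window ;;
    renew) renew ;;
esac
```

Run `acme-window.sh setup` once, then `DRY_RUN=0 acme-window.sh renew` from a cron job or systemd timer. The webhook service itself keeps listening on 443 only; the sole process ever reachable on port 80 is certbot's minimal HTTP-01 responder, and only between the two hooks.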