Hi. After receiving an email about "TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019. Must update ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or certificate renewals will break and existing certificates will start to expire", I when to this site and read instructions on what to do mitigate this.
Here is my info:
certbot --version
certbot 0.26.1
but when I run:
certbot renew --dry-run
I get this error:
Attempting to renew cert (my.server.com) from /etc/letsencrypt/renewal/unix.com.conf produced an unexpected error: Failed authorization procedure. ... my. server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain
Thanks. Yeah, when I flushed out my IP tables entries of blocked IP addresses, it worked fine; so the issue was our firewall.
Is there a list of top level domains or IP address blocks the certbot uses when renewing?
We get so many rouge bots, brute force login attempts and more, our server routinely scans our log files and updates IP tables and will block entire networks when we see bad activity from non-human actors, like bots.
I would like to create a white-list of all the networks certbot uses.
We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.
HTTP-01 validation ultimately is not compatible with the practice of dropping traffic from hosts you consider malicious. In future Let's Encrypt will make simultaneous requests from multiple networks in order to defend against possible MITM attacks - so if you are blocking hosts for harmless (and easy to identify) automated traffic, it's not going to go well.