Failing to create certificate with certmanager due to IP restriction

I’d like to know if it’s possible to get the IP of the CA that attempts an HTTP-01 handshake when generating certificates with cert-manager in AKS (Azure Kubernetes).

The network security rules in place prevent the handshake, I think it is because the IP of the CA is blocked when attempting the initial handshake.

You have to allow all IP addresses to access the /.well-known/acme-challenge/ directory.

What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

Why do you think that's the problem? Are the security rules blocking all IP addresses except for those that have been whitelisted, or do they only have a blacklist of specific IPs?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Thanks, I had a feeling it would not be that easy to whitelist the IP used for the handshake.

I’m securing access to my cluster by whitelisting only the IPs that are supposed to access it.

Unless I’m missing something, I will have to find a way to disable the security when the handshake occurs in this case.

Or you could handle all the port 80 traffic with a less restricted system, apart from the HTTPS system and folders. They need only share a common location to store the cert files.
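One way to do that split on AKS itself, as an added example that is not part of the thread and not cert-manager's or Let's Encrypt's own configuration: keep TCP/80 and the ACME challenge path reachable from any source, and apply the IP whitelist at layer 7 on the application Ingress only. It assumes ingress-nginx as the ingress controller, a cert-manager ClusterIssuer, a Kubernetes version that supports ingressClassName, and placeholder values for the allowed range (203.0.113.0/24), hostname, e-mail and backend service. The Azure NSG and load balancer in front of the controller still have to allow TCP/80 from the Internet; this manifest cannot change that.

```yaml
# Added example (not from the thread). Placeholders: 203.0.113.0/24 (allowed
# client range), app.example.com, admin@example.com, backend service "app".
# Precondition outside this file: the NSG / load balancer must permit TCP/80
# from any source, because Let's Encrypt does not publish its validation IPs.
---
# 1. ClusterIssuer using the HTTP-01 solver. cert-manager serves each challenge
#    through a temporary Ingress it creates on the same ingress controller.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com              # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx                  # solver Ingress lands on ingress-nginx
---
# 2. Application Ingress. The whitelist annotation applies only to the paths
#    defined in THIS Ingress. The solver Ingress cert-manager creates for
#    /.well-known/acme-challenge/<token> is a separate object, so the challenge
#    path is not covered by this restriction while "/" on the host is.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"  # placeholder
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com                 # placeholder host
      secretName: app-example-com-tls     # cert-manager stores the issued cert here
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app                 # placeholder backend
                port:
                  number: 8080
```

Apply with kubectl apply -f and watch progress with kubectl describe challenge in the namespace; a challenge stuck in pending with a connection timeout means the path is still blocked below layer 7. One thing to check in that case: if the IP restriction was implemented as loadBalancerSourceRanges on the ingress controller's Service, it applies to every port of that Service, port 80 included, so it has to be moved to the Ingress annotation above (or an NSG rule that restricts only 443) for the challenge to get through.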
