I have read that you do not have an IP whitelist of the servers that issue the certs. Do you have a URL that is used? For our phone system that supports mobile users I have been asked to open TCP ports 80 and 8083. I want to restrict the source that would have access across those ports.
The firewall only needs to be open while you obtain/renew certificates. This can often be handled using a hook with your ACME client.
It is considered an anti-pattern to geoblock while solving ACME challenges. This question has been asked and answered here exhaustively. A search of the archives will give you all the reasons why your request is not supported.
Well, port 8083 is never used by Let's Encrypt anyway.
Can you explain more about why you need to open those ports and what the relationship with Let's Encrypt might be? Because currently I don't really see the relationship.
Certainly for incoming TCP port 80 HTTP traffic you can optionally just allow /.well-known/acme-challenge/ requests, assuming you have a content-aware (application) firewall. That will let you complete HTTP-based domain validation.
Alternatively, see also DNS domain validation (updating a TXT record during renewal), which doesn't require any open incoming ports.
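As an added illustration of the "open the firewall only while renewing" advice given earlier in this thread, here is a small POSIX sh hook script that is not from any of the posters above. It assumes an iptables host firewall, an INPUT chain, and a certbot-style client that accepts `--pre-hook` and `--post-hook` commands; the script name and the comment tag are made up for the example. The rule is tagged with an iptables comment so the close step deletes exactly the rule it added. With `DRY_RUN=1` it prints the commands instead of executing them, which is how you can check what it would do before wiring it into a renewal job.

```shell
#!/bin/sh
# Hypothetical ACME firewall hook (example, not from the thread).
# Usage with certbot (assumed invocation):
#   certbot renew --pre-hook  "/usr/local/sbin/acme-fw.sh open" \
#                 --post-hook "/usr/local/sbin/acme-fw.sh close"
# The port is only reachable between the two hooks, i.e. for the
# duration of the HTTP-01 validation, and closed again afterwards.
# Set DRY_RUN=1 to print the iptables commands instead of running them.

ACME_PORT="${ACME_PORT:-80}"          # HTTP-01 validation always uses TCP/80
ACME_TAG="${ACME_TAG:-acme-http01-temp}"  # comment used to find our own rule

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The single rule we add/remove. Keeping it in one place guarantees that
# open and close operate on an identical match, so -D removes exactly it.
acme_rule() {
    printf 'INPUT -p tcp --dport %s -m comment --comment %s -j ACCEPT' \
        "$ACME_PORT" "$ACME_TAG"
}

# Pre-hook: insert the accept rule at the top of INPUT.
fw_open() {
    # shellcheck disable=SC2046  (word splitting of the rule is intended)
    run iptables -I $(acme_rule)
}

# Post-hook: delete the same rule. If it is already gone (e.g. a second
# close after a failed open) iptables returns non-zero; that is harmless here.
fw_close() {
    # shellcheck disable=SC2046
    run iptables -D $(acme_rule)
}

# Returns the rule text so a caller can confirm what will be installed
# without touching the firewall. Restricting by path
# (/.well-known/acme-challenge/) is not something iptables can do; that
# belongs in the web server or an application-layer firewall.
fw_rule_text() {
    acme_rule
    printf '\n'
}

case "${1:-}" in
    open)  fw_open ;;
    close) fw_close ;;
    show)  fw_rule_text ;;
    *)     : ;;   # no argument: define functions only (useful for sourcing)
esac
```

Because the script is idempotent in what it matches, it is safe to run `close` from a scheduled cleanup as well, so a renewal that crashes between the hooks does not leave port 80 open indefinitely.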