Getting a certificate

The question is of this nature: what IP addresses do certbot and ACME use to obtain a certificate? The fact is that the router is configured to connect to the Internet via a VPN, and when trying to get a certificate an error pops up. To get a certificate I have to configure a direct connection through the provider, and then everything goes without errors. Once every three months I have to do this procedure to get it, but I want to automate the process by adding the IP addresses that certbot and ACME use to a route through the provider, and not through the VPN, so that there are no errors.

The Let's Encrypt validation (ACME) server is required to connect to your server. So it's an incoming connection from the ACME server to the IP address of the hostname you want a certificate for. So routing any outgoing connection from certbot to the ACME server so that it bypasses your VPN service will not be enough to tackle your VPN problem.

The above is for the http-01 challenge, which uses HTTP connections to verify the hostname. However, perhaps you could also use the dns-01 challenge, which does not require such an HTTP connection from the ACME server to your hostname's IP address. Instead, it looks up a specific TXT record in the DNS, so it should work with your VPN. You can read more about the different challenge types here: Challenge Types - Let's Encrypt

1 Like
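As an added illustration of the dns-01 alternative mentioned above (not code from any post in this thread or from certbot): the TXT value the ACME server looks up is derived from the challenge token and the account key thumbprint, so a pre-flight check only needs DNS, not an inbound HTTP path. The token, thumbprint and zone contents below are constructed placeholders.

```python
import base64
import hashlib

# Constructed placeholder values. In a real run the ACME server issues the
# token, and the thumbprint is the RFC 7638 JWK thumbprint of the account key.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCtIFcbpto"
ACCOUNT_THUMBPRINT = "hypothetical-account-key-thumbprint"


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token '.' JWK-thumbprint."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization)),
    with the '=' padding stripped. Always 43 characters for a 32-byte digest."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def dns01_record_name(hostname: str) -> str:
    """The owner name the ACME server queries: _acme-challenge.<hostname>."""
    return f"_acme-challenge.{hostname.rstrip('.')}"


def dns01_preflight(hostname: str, token: str, thumbprint: str, txt_records: dict) -> bool:
    """True if the expected TXT value is published for the hostname.

    txt_records maps an owner name to the list of TXT strings a resolver
    returned. Because validation is a DNS lookup by the ACME server, whether
    inbound HTTP to the host traverses a VPN does not matter here."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in txt_records.get(dns01_record_name(hostname), [])


# Constructed zone contents standing in for what a resolver would return.
CONSTRUCTED_ZONE = {
    "_acme-challenge.example.com": [dns01_txt_value(TOKEN, ACCOUNT_THUMBPRINT)],
    "_acme-challenge.stale.example.com": ["value-from-a-previous-order"],
}

if __name__ == "__main__":
    print("example.com ready:", dns01_preflight("example.com", TOKEN, ACCOUNT_THUMBPRINT, CONSTRUCTED_ZONE))
    print("stale.example.com ready:", dns01_preflight("stale.example.com", TOKEN, ACCOUNT_THUMBPRINT, CONSTRUCTED_ZONE))
```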

I didn't ask what would be enough and what wouldn't. I asked what IP addresses are used when applying for a certificate and which the request comes from, that's all. I will add them to the routing table and everything will fall into place if it works perfectly; if not, we will look for another solution to get out of the situation, or manually open it by switching the connection. If this is classified information, then I'm sorry. There is no way to use another method other than HTTP-01.

Let's Encrypt does not publish a list of IP addresses they use to validate.

5 Likes

Can you include/exclude services from the VPN?
If so, exclude HTTP and all requests and replies will avoid the VPN path.

1 Like

It's decided: by adding certain Let's Encrypt IP addresses to the routing table, bypassing the VPN.

That doesn't seem to be the best decision.
The IPs can and will change without any notice.
You have no way to dynamically add and remove those IPs from your routing table.

4 Likes
