I ran into an issue recently where HTTP-01 secondary validation challenges were being dropped by my firewall. I blacklist all AWS ASNs on ingress because they are a primary source of nuisance traffic. My site expects no legitimate clients from AWS and the number of bots, crawlers, hacking attempts, and other undesirables has gone down considerably since putting these protections in place.
That said, this has caused an issue with certificate renewal. After the initial challenge, Let's Encrypt performs a secondary validation by reattempting it from multiple different geographically-dispersed IPs (I assume this is to protect against BGP hijacking etc.). All of these secondary IPs resolve to *.compute.amazonaws.com hosts.
As you can see this poses a bit of a problem.
Is there a published whitelist of the secondary validator IPs? I've collected at least a dozen of them but I assume there are more and they are subject to change.
My preference is to continue filtering AWS as this has been an effective mitigation technique against many low-rent web scrapers. Thanks!
No, there is currently no published whitelist for validation IPs and yes, they are subject to change. You need to at least allow all HTTP requests to the path /.well-known/acme-challenge/, so if your firewall is capable of HTTP traffic inspection you should do that.
Thanks for the prompt reply. Yes I considered doing that. It would require moving where I currently do the filtering into the proxy but I think it is doable. I assume permitting all traffic to that URL path would be wise as Let's Encrypt may employ more than just AWS as validators now or in the future.
You've got it. Another option some people use is to only allow traffic during the times that they're renewing. Depending on what your ACME client offers for "hooks" and the scripting capability of your firewall, this can be a little challenging to set up, but some people have done it.
Yet another option is to just allow all traffic on port 80, set up to handle validation requests and redirect everything else to https, but have filtering on port 443. So yes, those "low-rent web scrapers" would send some traffic, but since it's only redirection responses it's not impacting your "real" web page serving.
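As an added example (not from this thread or from Let's Encrypt), here is what the "open port 80, filter on 443" layout from the reply above looks like in an nginx reverse proxy; it also covers the earlier advice to let every client reach /.well-known/acme-challenge/. It assumes nginx, a webroot-style ACME client writing tokens under /var/www/acme, certbot's default certificate paths, and a self-maintained deny list file named aws_ranges.conf; the hostname and upstream are placeholders.

```nginx
# Added example (not from the thread): an nginx setup for the "open port 80 for
# ACME, filter on 443" approach. Assumes nginx as the reverse proxy, a webroot
# ACME client writing tokens to /var/www/acme, and an "aws_ranges.conf" file you
# maintain yourself (the thread has no such list) - all of these are assumptions.

# Port 80: serve the HTTP-01 challenge files to ANY client, redirect the rest.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;   # placeholder hostname

    # Let's Encrypt's primary and secondary validators fetch this path; no
    # source-IP filtering here, since validator IPs are unpublished and change.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        allow all;
    }

    # Everything else gets a cheap 301; scrapers only ever see this redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: real content, so apply the AWS-range filtering here instead.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;   # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # /etc/nginx/aws_ranges.conf: one "deny <cidr>;" per line, generated from
    # whatever AWS ASN/prefix source you already use for the network firewall.
    include /etc/nginx/aws_ranges.conf;
    allow all;   # first matching allow/deny wins, so denies must come first

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

With this in place the network firewall only needs to pass TCP/80 unfiltered; the deny list on the 443 server block keeps the existing AWS filtering for the actual site.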
You may have already seen this, but this post describes how and why Let's Encrypt checks from multiple locations: