HTTP Challenge Origin

Hi,

I’m using certbot behind a Google Compute Engine firewall that, for security reasons, restricts incoming connections to a handful of origin addresses. This means that every time I need to run certbot, for instance to renew my certificates, I need to momentarily open up the firewall.

My question: does the HTTP Challenge have a defined set of IP addresses, perhaps even a single address, it will be using for all verification calls so that I can at least consider adding an additional exception to our firewall? Or is it using something like URLFetch meaning it shares addresses with a number of other services/applications and/or the origin range is vast and subject to change at any given moment?

Thank you in advance!

No, expressly and intentionally not. In fact, they've stated their intent to use Tor or other similar technologies to give a greater variety in requesting IPs.

Please consider the DNS-01 challenge method (somewhat better supported by acme.sh than by certbot), where you can prove your control over the domain by making changes to your DNS zone file, rather than by receiving an incoming connection to your service.

