I’m using certbot behind a Google Compute Engine firewall that, for security reasons, restricts incoming connections to a handful of origin addresses. This means that every time I need to run certbot, for instance to renew my certificates, I need to momentarily open up the firewall.
My question: does the HTTP Challenge have a defined set of IP addresses, perhaps even a single address, it will be using for all verification calls so that I can at least consider adding an additional exception to our firewall? Or is it using something like URLFetch meaning it shares addresses with a number of other services/applications and/or the origin range is vast and subject to change at any given moment?
Thank you in advance!