HTTP Challenge Origin


I’m using certbot behind a Google Compute Engine firewall that, for security reasons, restricts incoming connections to a handful of origin addresses. This means that every time I need to run certbot, for instance to renew my certificates, I need to momentarily open up the firewall.

My question: does the HTTP Challenge have a defined set of IP addresses, perhaps even a single address, it will be using for all verification calls so that I can at least consider adding an additional exception to our firewall? Or is it using something like URLFetch meaning it shares addresses with a number of other services/applications and/or the origin range is vast and subject to change at any given moment?

Thank you in advance!

No, expressly and intentionally not. In fact, they've stated their intent to use Tor or other similar technologies to give a greater variety in requesting IPs.

Please consider the DNS-01 challenge method (somewhat better supported by than by certbot), where you can prove your control over the domain by making changes to your DNS zone file, rather than by receiving an incoming connection to your service.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.