I am looking to set up LetsEncrypt internally on some servers. Before I start, let me just state that the DNS option is not available in my case, as I do not have permission/access to make any changes myself, let alone through the certbot.
I am running a web server behind a firewall, and need to know what I need to request to allow outbound traffic to LE to initiate the validation/cert process, as well as final retrieval. Inbound is not the issue (as long as it can use servers that aren’t geographically blocked, like the Middle East or China).
To further clarify, my web server can only make calls to a specified list of servers. This is for security, so if it were ever attacked, it wouldn’t be able to reach back out and “phone home” or anything.
They are open to paying for a cheap SSL cert and keeping it updated, but if I can get LE instead, I’d prefer that. Makes less to think about keeping updated long term.
If this can’t be done, then I will let them know it will need a paid cert. I understand LE’s anonymity of the servers for security, but if the script has to know where to initiate to, I don’t see this being a problem to find and whitelist.
What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.
And there is a plan:
The feature we’re most excited about is multi-perspective validation.
So the validation may use different IP addresses in different countries.
You must not have read this all the way. I am not looking for an inbound whitelist of servers validating. I am looking for a list of IPs/domains that the certbot calls out to when it wants to begin the validation request. My problem is outbound from my server, not inbound.
certbot can call whatever ACME server with the --server option, so not sure?
try whitelisting acme-v02.api.letsencrypt.org (default) first? and if it doesn’t work, *.api.letsencrypt.org?
if you use the DNS challenge it will need to talk to the DNS API endpoint too.
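One way to find out which hostnames an ACME client has to reach from a given --server URL is to read the ACME directory document that URL serves and pull the hostnames out of it. This is an added example, not code from the thread or from certbot; the directory JSON below is constructed to mimic the shape of one and uses the default endpoint named above, and the allowlist values are made up.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of an ACME directory document (RFC 8555 section 7.1.1).
# A real run would GET this from the --server URL certbot is pointed at.
SAMPLE_DIRECTORY = json.dumps({
    "newNonce":   "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "newOrder":   "https://acme-v02.api.letsencrypt.org/acme/new-order",
    "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
    "keyChange":  "https://acme-v02.api.letsencrypt.org/acme/key-change",
    "meta": {"termsOfService": "https://ca.example/terms",   # placeholder, not a real URL
             "website": "https://ca.example"},
})


def acme_hosts(directory_url, directory_json):
    """Hostnames the client must reach: the directory itself plus every endpoint
    it advertises. The meta.* links are informational and are not contacted
    during issuance, so they are left out."""
    hosts = {urlparse(directory_url).hostname}
    for key, url in json.loads(directory_json).items():
        if key != "meta" and isinstance(url, str):
            hosts.add(urlparse(url).hostname)
    return hosts


def host_allowed(host, allowlist):
    """Match an egress allowlist of exact names and leading-wildcard entries
    such as '*.api.letsencrypt.org'."""
    for entry in allowlist:
        if entry.startswith("*."):
            if host.endswith(entry[1:]):   # '*.x.org' -> suffix '.x.org'
                return True
        elif host == entry:
            return True
    return False


def allowlist_gaps(directory_url, directory_json, allowlist):
    """Directory hosts that the proposed allowlist would still block."""
    return sorted(h for h in acme_hosts(directory_url, directory_json)
                  if not host_allowed(h, allowlist))


if __name__ == "__main__":
    url = "https://acme-v02.api.letsencrypt.org/directory"
    print(allowlist_gaps(url, SAMPLE_DIRECTORY, []))                               # every host missing
    print(allowlist_gaps(url, SAMPLE_DIRECTORY, ["acme-v02.api.letsencrypt.org"]))  # []
```

The directory only lists the entry points; the order, authorization, challenge and certificate URLs come back in later responses, so treat the result as the minimum set to request and confirm the rest from a test run's logs.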
@orangepizza @JuergenAuer
I spoke with my coworker on our networking side, and he said he can whitelist access based on domains or IPs. I would obviously have to go with domain entries for this. I just need to know what all domains are needed at this point.