HTTPS Authentication behind a firewall

Hello,

I am looking to set up LetsEncrypt internally on some servers. Before I start, let me just state that the DNS option is not available in my case, as I do not have permission/access to make any changes myself, let alone through the certbot.

I am running a web server behind a firewall, and need to know what I need to request to allow outbound traffic to LE to initiate the validation/cert process, as well as final retrieval. Inbound is not the issue (as long as it can use servers that aren’t geographically blocked, like the middle east or China).

To further clarify, my web server can only make calls to a specified list of servers. This is for security, so if it were ever attacked, it wouldn’t be able to reach back out and “phone home” or anything.

They are open to paying for a cheap SSL cert and keeping it updated, but if I can get LE instead, I’d prefer that. Makes less to think about keeping updated long term.

If this can’t be done, then I will let them know it will need a paid cert. I understand LE’s anonymity of the servers for security, but if the script has to know where to initiate to, I don’t see this being a problem to find and whitelist.

Hi @Dubz

there is no white list. Please read

What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

And there is a plan:

The feature we’re most excited about is multi-perspective validation.

So the validation may use different ip addresses in different countries.

You must not have read this all the way. I am not looking for an inbound whitelist of servers validating. I am looking for a list of IPs/domains that the certbot calls out to when it wants to begin the validation request. My problem is outbound from my server, not inbound.

certbot can call whatever acme server with --server option, so not sure?
try whitelisting acme-v02.api.letsencrypt.org (defalt) first? and it it doesn’t work *.api.letsencrypt.org?
if you use DNS challenge it will need to talk to dns api endpoint too.

2 Likes

That’s the same problem. As @orangepizza wrote, the domain name acme-v02.api.letsencrypt.org is fixed.

But there is a pool of ip addresses used, because it’s Akami:

nslookup acme-v02.api.letsencrypt.org.

Name:    e14990.dscx.akamaiedge.net
Addresses:  2a02:26f0:fc:290::3a8e
          2a02:26f0:fc:28b::3a8e
          104.87.230.129
Aliases:  acme-v02.api.letsencrypt.org
          api.letsencrypt.org-ng.edgekey.net

If you use such a command, you may see other ip addresses. I had 24.* etc.

So you can allow one of these ip addresses -> but 5 minutes later it may not work.

Or you can use a fixed ip address (via hosts file), same problem: A few days later that may not longer work.

1 Like

@orangepizza @JuergenAuer
I spoke with my coworker on our networking side, and he said he can whitelist access based on domains or IPs. I would obviously have to go with domain entries for this. I just need to know what all domains are needed at this point.

then acme-v02.api.letsencrypt.org (for production)
and acme-staging-v02.api.letsencrypt.org (for -dry-run testing) will do that.
if no acme-v03 happens.

2 Likes

@orangepizza
Would it be best to just wildcard *.api.letsencrypt.org if possible? For future proofing things as much as I can.

yes, that will be more future proof. as endpoint’s cert has a bunch of subdomains of api.letsencrypt.org on it.

DNS : acme-staging-v02.api.letsencrypt.org
DNS : acme-staging.api.letsencrypt.org
DNS : acme-v01-1.api.letsencrypt.org
DNS : acme-v01-2.api.letsencrypt.org
DNS : acme-v01-3.api.letsencrypt.org
DNS : acme-v01-4.api.letsencrypt.org
DNS : acme-v01-5.api.letsencrypt.org
DNS : acme-v01.api.letsencrypt.org
DNS : acme-v02-1.api.letsencrypt.org
DNS : acme-v02-2.api.letsencrypt.org
DNS : acme-v02-3.api.letsencrypt.org
DNS : acme-v02-4.api.letsencrypt.org
DNS : acme-v02-5.api.letsencrypt.org
DNS : acme-v02.api.letsencrypt.org

2 Likes

@orangepizza
I will talk it over with them and see what he thinks as well.
Thank you!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.