I am looking to set up LetsEncrypt internally on some servers. Before I start, let me just state that the DNS option is not available in my case, as I do not have permission/access to make any changes myself, let alone through the certbot.
I am running a web server behind a firewall, and need to know what I need to request to allow outbound traffic to LE to initiate the validation/cert process, as well as final retrieval. Inbound is not the issue (as long as it can use servers that aren’t geographically blocked, like the Middle East or China).
To further clarify, my web server can only make calls to a specified list of servers. This is for security, so if it were ever attacked, it wouldn’t be able to reach back out and “phone home” or anything.
They are open to paying for a cheap SSL cert and keeping it updated, but if I can get LE instead, I’d prefer that. It makes one less thing to think about keeping updated long term.
If this can’t be done, then I will let them know it will need a paid cert. I understand LE’s anonymity of the servers for security, but if the script has to know where to initiate to, I don’t see this being a problem to find and whitelist.
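The outbound side of the question above can be pinned down without guessing: an ACME client (certbot, acme.sh and the like) learns every URL it will call from the CA's directory document, so the hostnames in that document are the egress destinations to allowlist (HTTPS to port 443 unless a URL says otherwise). The validation step itself is inbound: for HTTP-01 the CA's validation servers connect to port 80 on the web server, and Let's Encrypt does not publish those addresses. The script below is an added example, not code from the original post or from Let's Encrypt; it parses a constructed sample directory document, derives the (host, port) pairs to permit, and offers a reachability check to run from the web server once the firewall change is in. The sample JSON is shaped like an RFC 8555 directory and uses the real Let's Encrypt API hostname, but it is a constructed stand-in: fetch the live document from the CA's directory URL before writing rules.

```python
"""Derive an egress allowlist for an ACME client from the CA's directory document."""
import json
import socket
from urllib.parse import urlsplit

# Constructed sample with the shape of a v2 ACME directory document (RFC 8555
# section 7.1.1). It is not a copy of any CA's live response; fetch the real
# one (for Let's Encrypt production: https://acme-v02.api.letsencrypt.org/directory)
# and feed it to egress_allowlist() before building firewall rules.
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
    "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
    "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
    "meta": {
        "termsOfService": "https://letsencrypt.org/documents/example-tos.pdf",
        "website": "https://letsencrypt.org",
        "caaIdentities": ["letsencrypt.org"],
    },
})

DEFAULT_PORTS = {"https": 443, "http": 80}


def _walk_urls(node, include_meta):
    """Yield every URL string in the directory, recursing into nested values."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "meta" and not include_meta:
                continue
            yield from _walk_urls(value, include_meta)
    elif isinstance(node, list):
        for item in node:
            yield from _walk_urls(item, include_meta)
    elif isinstance(node, str) and node.startswith(("http://", "https://")):
        yield node


def egress_allowlist(directory_json, include_meta=False):
    """Return sorted (host, port) pairs the ACME client must be able to reach.

    Every protocol endpoint (new-nonce, new-account, new-order, ...) is taken
    from this document, so its hosts are the outbound destinations to permit.
    The 'meta' object holds informational links (terms of service, website)
    that the protocol does not require the client to fetch, so they are left
    out unless include_meta is True.
    """
    directory = json.loads(directory_json)
    targets = set()
    for url in _walk_urls(directory, include_meta):
        parts = urlsplit(url)
        if parts.hostname is None:
            continue
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if port is None:
            continue
        targets.add((parts.hostname.lower(), port))
    return sorted(targets)


def check_egress(allowlist, timeout=3.0):
    """Attempt a TCP connect to each (host, port); map 'host:port' -> reachable.

    Run from the web server itself after the firewall change: a False entry
    means the ACME client will fail before it ever reaches validation.
    """
    results = {}
    for host, port in allowlist:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[f"{host}:{port}"] = True
        except OSError:
            results[f"{host}:{port}"] = False
    return results


if __name__ == "__main__":
    rules = egress_allowlist(SAMPLE_DIRECTORY)
    print("Outbound destinations required by the ACME client:")
    for host, port in rules:
        print(f"  allow tcp to {host} port {port}")
    print("Reachability from this host:", check_egress(rules))
```

Two caveats belong next to the list this produces. The client's own installation and updates (snap, pip or distribution packages) talk to entirely different hosts and are outside this allowlist, so plan them separately or install offline. And because the directory is the only source of truth, re-run the derivation whenever the CA announces an endpoint change rather than hard-coding the single hostname that comes out today.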