Let's Encrypt: What is the reasoning for why you won't publish the IP addresses of the servers you're using for Domain Validation checks? During a nightly AutoSSL check with a server that has 500 or more sites, the script seems to be using too many connections. Then the firewall keeps blocking these validation IPs for too many connections. Then no certs renew. It's ridiculously time consuming trying to figure out which of the hundreds of IP addresses that are blocked every day belong to Let's Encrypt. Then when we finally figure it out, it seems the next month Let's Encrypt is using a different IP.
Why can't you just post the IPs in use so we can whitelist them and not have to play this game every month?
This is just my own, personal perspective, not any kind of official statement.
We auto-scale our resources up and down, in order to meet peaks and valleys of demand. This happens ~daily. Many of those resources have semi-dynamic IP addresses that can't easily be allocated from consistent pools.
We might need to add or change cloud providers, data centres, or upstream ISPs on short notice or no notice. The more open our options are, the better. Working in the WebPKI already comes with many challenging constraints, so we'd prefer to avoid any extras.
That brings us to Hyrum's Law. If we were to publish even a "best effort" list of IPs, people would hard-code them, and then complain bitterly when (not if) we have to change them.
Ideally, /.well-known/acme-challenge paths should be served by a very efficient and very safe endpoint (e.g. static file service only) so that they can be exempted from most rate limit and WAF rules. If that's not feasible, then please consider DNS-01 challenges.
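The static-endpoint approach from the last paragraph, as an added Apache 2.4 example (not from the thread or from Let's Encrypt): the challenge path is aliased to its own directory, served as plain text with no script handler or rewrite, and exempted from ModSecurity, while the rest of the vhost keeps its normal WAF rules. Hostname and paths are placeholders; a firewall that counts TCP connections per source address never sees URL paths, so that layer still needs its own handling.

```apache
# Added example: vhost fragment that keeps ACME validation cheap and rule-free.
# example.com and /var/www/... are assumed values, not from the original thread.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example

    # The ACME client writes challenge tokens into a dedicated directory,
    # outside the application docroot, so app rewrites never see them.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/

    <Directory /var/www/acme/.well-known/acme-challenge>
        Options None
        AllowOverride None
        # Override any IP-based deny lists applied elsewhere in the vhost:
        # the validation client must always be able to fetch the token.
        Require all granted
        # Static files only: no PHP/CGI handler, no rewriting, plain text.
        SetHandler None
        ForceType text/plain
        <IfModule mod_rewrite.c>
            RewriteEngine Off
        </IfModule>
        # Token fetches are tiny GETs; exempt them from the WAF here only.
        <IfModule mod_security2.c>
            SecRuleEngine Off
        </IfModule>
    </Directory>

    # Everything else keeps the usual ModSecurity / rate-limit treatment.
    <Directory /var/www/example>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

Because the exemption is keyed on the path rather than on a client address, it keeps working when Let's Encrypt's validation servers change.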