Hi,
We are trying to configure our firewall for requesting certificates from Let's Encrypt addresses. Is there a list of addresses that we can allow in our policy so that we don't need to open ports to any?
Any direction would be appreciated.
Thanks
Harris
1 Like
If you're talking about outgoing connections to Let's Encrypt's API, you're probably best off allowing the name rather than any list of IPs, as their CDN may change them over time.
If you're talking about incoming connections from Let's Encrypt to validate that you control your requested domain names, then they intentionally check from many places around the world, which can regularly change, so that they can validate that you actually control the name as seen throughout the entire Internet. You may want to refer to this FAQ for more details:
6 Likes
Hello @hschroff, welcome to the Let's Encrypt community.
What IP addresses does Let’s Encrypt use to validate my web server?
Let’s Encrypt does not publish a list of IP addresses we use to validate,
and these IP addresses may change at any time.
Let's Encrypt uses Multi-Perspective Validation (see "Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt").
Edit: You can also change to using the DNS-01 challenge (see "Challenge Types - Let's Encrypt"); then only the DNS name servers' firewalls are a potential issue (but commonly not an issue).
4 Likes
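To make the firewall difference between the two challenge types concrete, here is an added worked example (illustration for this thread, not Let's Encrypt's own code). It computes what each challenge requires you to publish per RFC 8555 and RFC 7638: HTTP-01 serves the key authorization over port 80 to validators coming from unpredictable addresses, while DNS-01 publishes a hash of it in a TXT record, so the certificate host needs no inbound rule. The account key and token are constructed sample values, not real ones.

```python
"""
What each ACME challenge type requires you to publish, and why DNS-01
needs no inbound firewall rule on the web server.

Added illustration for this thread; not Let's Encrypt code. SAMPLE_JWK
and SAMPLE_TOKEN are constructed values, not a real key or challenge.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised as JSON with lexicographically sorted keys and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint: ties the challenge to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_requirement(domain: str, token: str, jwk: dict) -> dict:
    """HTTP-01: validators fetch this URL over plain HTTP (port 80) from
    several network perspectives, so the firewall must admit inbound
    connections from arbitrary source addresses."""
    return {
        "inbound_port": 80,
        "url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def dns01_requirement(domain: str, token: str, jwk: dict) -> dict:
    """DNS-01: publish base64url(SHA-256(key authorization)) as a TXT record.
    Validators only query the authoritative DNS servers, so the host that
    receives the certificate needs no inbound rule at all."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {
        "inbound_port": None,
        "record": f"_acme-challenge.{domain}",
        "type": "TXT",
        "value": b64url(digest),
    }


# Constructed sample account key (P-256 public part) and challenge token.
# These are placeholders for illustration only, not a usable key pair.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
    "use": "sig",  # optional member; RFC 7638 excludes it from the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    for fn in (http01_requirement, dns01_requirement):
        print(json.dumps(fn("example.com", SAMPLE_TOKEN, SAMPLE_JWK), indent=2))
```

The `inbound_port` field is the point of the comparison: with HTTP-01 the web server must accept connections from whichever addresses Let's Encrypt's validators use that day, whereas with DNS-01 only the authoritative name servers answer queries, and those are normally reachable already.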