IP addresses LE is validating from to build firewall rule

That would be really great.

Use case:

  • The final server will be opened only to selected individuals, hence everything is locked down by default.
  • Let's Encrypt is required to validate the SSL certificate; initially no other connection is allowed to the server.
  • The Let's Encrypt whitelist address range is required so that we only open the ports that the validation callback will be connecting from. This is done on AWS, so it has to be pre-opened before the letsencrypt tool is launched.
  • It would be nice if there were a public endpoint available to call that returns the CIDR ranges. A simple JSON array would suffice.
  • If they changed, any process could pick them up and reconfigure the firewalls. If it is just based on our own discovery it may break, since that is not dynamic.

As @schoen mentioned, the IP addresses for validation requests are unpredictable by design in order to make it harder for an attacker to spoof the response, for example by hijacking specific routes, which becomes significantly harder once those routes are unpredictable. As an example, in the future, validation requests might be sent through Tor or a set of geographically diverse proxy servers. Offering any sort of API that returns those IP addresses would make this ineffective.

DNS-based validation via dns-01 would be a better fit for non-public/restricted networks, and can be automated fairly easily with many popular DNS providers (like Route 53 or Cloudflare).
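As an added example (not code from this thread or from Let's Encrypt), the following shows what the dns-01 path involves: deriving the `_acme-challenge` TXT value from the challenge token and the ACME account key thumbprint, and building the Route 53 change that publishes it, plus the matching DELETE for cleanup once validation is done. The JWK and token are constructed placeholders, and the helper names are assumptions; it needs no inbound port on the server at all.

```python
"""ACME dns-01 record derivation (RFC 8555 section 8.4, RFC 7638 thumbprint)
and the Route 53 ChangeBatch that publishes it. Added example; no network I/O."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required members, lexicographically ordered,
    no whitespace. Extra members such as 'alg' or 'kid' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def route53_change_batch(domain: str, txt_value: str,
                         action: str = "UPSERT", ttl: int = 60) -> dict:
    """ChangeBatch for boto3 route53.change_resource_record_sets().
    Use action='DELETE' with the same value to remove the record afterwards
    so stale challenge records do not accumulate in the zone."""
    fqdn = f"_acme-challenge.{domain.rstrip('.')}."
    return {
        "Comment": "ACME dns-01 challenge",
        "Changes": [{
            "Action": action,
            "ResourceRecordSet": {
                "Name": fqdn,
                "Type": "TXT",
                "TTL": ttl,
                # Route 53 requires TXT values to be wrapped in double quotes.
                "ResourceRecords": [{"Value": f'"{txt_value}"'}],
            },
        }],
    }


# Constructed sample input (not a real account key or a real ACME token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
              "x": "WbfZ3qLlk8Fq6fMU5n2xZ0kVd2E5c7hQ3t8pY1oXaBc",
              "y": "ZpZ5xSx9QjZBLn4mV2bN8GkRfZ1k0M3YwYQ1Uv8uGtY"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```

In practice the value is published, the order's challenge is answered, and the record is deleted once the authorization is valid.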
