Is there a FQDN we can apply to geo-restricted port forwards for the cert renewals?

Having issues securing ports due to Let's Encrypt renewal requirements. I need to geo-restrict port forwards, which means the renewals will not process. I've seen where the site says there isn't an IP list maintained, but is there a FQDN that we can use to allow renewals while still securing ports?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: remote.true-builders.com, and all others we are using.

I ran this command: N/A

It produced this output: N/A

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): N/A

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A


No, Let's Encrypt auth servers try from various points around the world. There would not be one FQDN for each of those possible IP addresses. They also only make outbound requests so there is no need for their IP to be listed in public DNS anyway.

If the HTTP challenge is not viable for you, then a DNS challenge or TLS-ALPN could be used.

A good background on LE validation is: Multi-Perspective Validation & Geoblocking FAQ


Do you really though? If you leave port 80 unrestricted and process any ACME challenge while redirecting any other traffic to port 443, you can place your geo-blocking rules on port 443 and accomplish both of your goals.

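The split described in the reply above (port 80 answers ACME HTTP-01 for everyone, port 443 carries the geo-restriction) as an added nginx configuration example; it is not from the original thread or from Let's Encrypt. It assumes certbot's webroot plugin writing to /var/www/acme, a backend device at 10.0.0.10:8443, and a CIDR allow list in the `geo` block standing in for whatever country-based list you maintain (the two ranges are TEST-NET documentation prefixes, not real allowed networks). One caveat the config relies on: Let's Encrypt follows redirects during HTTP-01 validation, so the challenge path has to be served directly on port 80 ahead of the HTTPS redirect, otherwise the validator would be redirected into the geo-blocked 443 listener and renewal would fail.

```nginx
# Added example, not the thread author's configuration.
# ngx_http_geo_module maps the client address to a flag; 1 = blocked.
# The CIDRs below are placeholders (assumption): replace with your own allow list.
geo $geo_blocked {
    default          1;   # everything not listed is blocked on 443
    203.0.113.0/24   0;   # hypothetical allowed range (TEST-NET-3)
    198.51.100.0/24  0;   # hypothetical allowed range (TEST-NET-2)
}

server {
    listen 80;
    server_name remote.true-builders.com;

    # Serve the ACME challenge to any source address, before the redirect.
    # Let's Encrypt validates from several vantage points worldwide, so this
    # path must stay reachable globally; certbot --webroot -w /var/www/acme
    # places the token files here (assumed path).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type "text/plain";
        allow all;
    }

    # Everything else on port 80 goes to HTTPS, where the geo policy applies.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name remote.true-builders.com;

    ssl_certificate     /etc/letsencrypt/live/remote.true-builders.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/remote.true-builders.com/privkey.pem;

    # Geo-restriction lives only here; renewals never touch this listener.
    if ($geo_blocked) {
        return 403;
    }

    # Reverse proxy to the device you cannot reconfigure directly (assumed address).
    location / {
        proxy_pass http://10.0.0.10:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

With this in front of a device, renewal is `certbot certonly --webroot -w /var/www/acme -d remote.true-builders.com`, and the same shape works at the firewall instead of in nginx: forward TCP/80 from any source to the host that serves the challenge, and keep the geo rule on the TCP/443 forward only. Because nginx terminates TLS here, the backend device does not need to know about the certificate at all, which covers the case where the device's own web server cannot be changed.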

Thanks, we will test this out.


In some cases we don't have a lot of control over the web server backend on the devices we are forwarding, but this may be a good option for the ones that we can control. Thanks.
