LE on Amazon EC2: What CIDR addresses do I whitelist?


#1

I’m trying to get LE to work with my instance on Amazon EC2. My instance has a “Security Group” set on it, so that it blocks all inbound traffic to the instance’s public IP by default.

Is there a specific range of CIDR addresses (IP address with subnet shorthand) that LE uses, and what ports should I allow traffic to?

From searching I saw someone suggest to just allow “All” traffic to port 443, but I don’t want to expose my HTTPS page to the world.


#2

Let’s Encrypt doesn’t publish a set of IP addresses (or ranges) from which validation is performed. It’s not guaranteed to stay the same and there’s no guarantee that the IP is predictable at all.

If you want to validate a domain while keeping your ports closed, you can use DNS-based validation (dns-01). This is currently not supported by the reference client, but you can use one of the bash clients or lego.


#3

If I were to expose my EC2 ports temporarily, is 443 the only port I’d have to allow, or are there others that might be used?


#4

It’s either port 80 or 443, depending on the challenge type. http-01 (webroot, manual) uses 80, tls-sni-01 (apache, standalone) uses 443.


#5

Oh, thank you. Well, I just opened ports 80 and 443 to the world for a few seconds, and the cert wizard I’m using still fails, so I guess it didn’t have anything to do with whitelisting IPs/ports.

I’m using a new LetsEncrypt GUI certificate manager that was just added to the “FreePBX” phone server software in the past few days. Of course it’s not within this forum’s scope to guess what’s up with another company’s implementation, but for what it’s worth, if you want me to pass along any hints to the developers at FreePBX, this is the error I’m getting with/without both ports opened up:


#6

Does that URL work for you from outside your VPC (while port 80 is open)? They seem to be using http-01, which is pretty straightforward: The CA server sends an HTTP request to a specific URL (the one you’re seeing) and expects to get a certain response.


#7

Whups, I’m a dummy, I got it working now thanks to you.

This is the second time I forgot that when I click the dropdown on Amazon EC2 to “Allow HTTP on port 80” and “Allow HTTPS on port 443”, it is whitelisting only HTTP and HTTPS traffic on those ports, not other traffic on those ports.

I just adjusted it to allow all TCP traffic on ports 80 and 443, as opposed to HTTP/S specifically, and the certificate thing instantly started working.
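
Added example, not part of the original thread: since the validation source addresses are not published, one way to limit exposure is to open the challenge port to the world only while the ACME client runs and to close it again however the client exits. It assumes the AWS CLI is installed and configured; the function name `with_port_open`, the exit codes 90/91 and the placeholder group ID are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): open one TCP port on an EC2 security
# group for the duration of a single command, then revoke the rule again.
# Usage (the group ID is a placeholder, the client command is yours):
#   with_port_open sg-PLACEHOLDER 80 <your ACME client command>

with_port_open() (
    # The function body is a subshell, so variables and traps stay local.
    sg_id=$1; port=$2; shift 2

    # Same rule for authorize and revoke: TCP, one port, any source address.
    rule() {
        aws ec2 "$1" --group-id "$sg_id" --protocol tcp \
            --port "$port" --cidr 0.0.0.0/0 >/dev/null
    }

    # If the rule cannot be added (for example it already exists), stop here
    # so that a rule this script did not create is never revoked.
    rule authorize-security-group-ingress || exit 90

    # Close the port again if the run is interrupted.
    trap 'rule revoke-security-group-ingress; exit 130' INT TERM

    status=0
    "$@" || status=$?    # run the client and remember its exit code

    # Always revoke, whether the client succeeded or failed.
    if ! rule revoke-security-group-ingress; then
        echo "WARNING: port $port is still open on $sg_id, remove the rule by hand" >&2
        exit 91
    fi
    exit "$status"
)
```

Use port 80 for http-01 or 443 for tls-sni-01, as described in post #4.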

