Is there a list of primary and secondary LE verification servers?
I only found these on MikroTik forums: outbound1d.letsencrypt.org and outbound1c.letsencrypt.org.
I'm getting a "During secondary validation: DNS problem" error.
No, there's not. On purpose. Please see FAQ - Let's Encrypt
Damn. I'm trying to manage firewall policy for LE but apparently EC2 servers switch frequently and I can't get a wildcard or something for that.
Not really relevant for the dns-01 challenge, Rudy.
But in essence I agree: keep port 53 open, UDP as well as TCP!
I don't see where they are doing DNS-01 authentication.
But they don't say HTTP-01 authentication either...
So... we are both guessing [in opposite directions - LOL]
Hm, I assumed "DNS problem error" related to the dns-01 challenge.
But still, a DNS error isn't associated with a blocked port 80.
True, but why are they trying to "manage firewall policy for LE"?
Very vague information and easily taken out of context...
Beats me, perhaps for their DNS servers?
Why would DNS servers block anyone from DNS?
I'm leaning towards HTTP and they block that incorrectly.
How would that explain the cited error?
It wouldn't.
It only explains my understanding of their attempt to overcome their errors.
I didn't say it was the (right) solution, nor any solution at all.
It merely clears the way for them to move on to the next possible solution.
"I opened port 80 and I'm still getting this error: ..."
Now we can help!
I have 80, 443, 53 TCP/UDP open, but I observed thousands of bots hitting port 53. That's why I wanted to set the actual source that can communicate on that port. I see that validation comes from random amazonaws.com servers. I can't really do a wildcard; at least it doesn't work (amazonaws.com).
Please explain what you mean by that.
Looking for what?
I tried simple *.amazonaws.com (or just amazonaws.com) but it doesn't work.
I was looking for suspicious traffic. I read about many DNS attacks and our sysadmin wants acme-dns server access tightened up.
No.
What IP addresses does Let’s Encrypt use to validate my web server?
Let’s Encrypt does not publish a list of IP addresses we use to validate, and these IP addresses may change at any time.
Let's Encrypt uses Multi-Perspective Validation (see: Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt).
What firewall are you using?
Also, whatever firewall you are using, you might get better support for this issue through their forums.
Fortigate. It's not the firewall's problem but the random servers that are used for validation.
No, this is a firewall issue, as the firewall cannot handle the design of Let's Encrypt's random servers that are used for validation. Not a Let's Encrypt issue. Sorry!
If you are going to use HTTP-01 authentication, you must leave port 80 open to the Internet.
Then the acme-dns server should be turned off when not needed.
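Since the validators come from changing, unpublished addresses (the multi-perspective validation linked above), a source-IP allowlist on port 53 is not an option; what you can check is that your acme-dns zone answers the TXT query over both UDP and TCP, as advised earlier in the thread. The following is an added example, not code from the thread or from the acme-dns project: it hand-builds a TXT query in RFC 1035 wire format (standard library only), sends it over UDP and then TCP to a server you name, and reports the rcode and TXT strings from each. The server and record names are assumptions; the `build_txt_response` helper exists only to construct an offline sample reply for the parser.

```python
"""Probe an ACME DNS-01 TXT record over UDP and over TCP (added example, stdlib only)."""
import socket
import struct

QTYPE_TXT, QCLASS_IN = 16, 1


def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursion-desired query (RD=1) for TXT records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_response(msg: bytes) -> dict:
    """Extract rcode, TC flag and all TXT strings from the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip question entries
        off = _skip_name(msg, off) + 4
    txts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:             # RDATA is a sequence of <len><chars> strings
            p = 0
            while p < len(rdata):
                slen = rdata[p]
                txts.append(rdata[p + 1:p + 1 + slen].decode("ascii", "replace"))
                p += 1 + slen
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200), "txt": txts}


def build_txt_response(query: bytes, txts, ttl: int = 60) -> bytes:
    """Constructed authoritative reply to `query` (sample data for offline parser tests)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set; rcode 0
    rdata = b"".join(bytes([len(t)]) + t.encode("ascii") for t in txts)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from DNS server")
        buf += chunk
    return buf


def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    q = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data)


def query_tcp(server: str, name: str, timeout: float = 3.0) -> dict:
    q = build_txt_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)                # TCP DNS is length-prefixed
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_txt_response(data)


if __name__ == "__main__":
    import sys
    # Assumed arguments, e.g.: python probe.py ns.acme-dns.example <uuid>.acme-dns.example
    server, name = sys.argv[1], sys.argv[2]
    for label, fn in (("UDP", query_udp), ("TCP", query_tcp)):
        try:
            r = fn(server, name)
            print(f"{label}: rcode={r['rcode']} truncated={r['truncated']} txt={r['txt']}")
        except OSError as exc:
            print(f"{label}: FAILED ({exc}); check that 53/{label.lower()} is reachable from outside")
```

Run it from a host outside your network against the acme-dns nameserver: a timeout on one transport but not the other points at the firewall rule rather than at the CA. Both transports matter because a resolver that receives a truncated UDP reply retries over TCP, so a policy that only allows 53/udp can still fail validation.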