Is there a list of primary and secondary LE verification servers?
I only found on MicroTik forums: outbound1d.letsencrypt.org and outbound1c.letsencrypt.org.
I'm getting During secondary validation: DNS problem error.
Damn. I'm trying to manage firewall policy for LE but apparently EC2 servers switch frequently and I can't get a wildcard or something for that.
Not really relevant for the dns-01 challenge Rudy 
But in essence I agree: keep port 53 open, UDP as well as TCP!
2 Likes
I don't see where they are doing DNS-01 authentication.
But they don't say HTTP-01 authentication either...
So... we are both guessing [in opposite directions - LOL]
2 Likes
Hm, I assumed "DNS problem error" related to the dns-01 challenge.
But still, a DNS error isn't associated with a blocked port 80. 
2 Likes
True, but why are they trying to "manage firewall policy for LE"?
Very vague information and easily taken out of context...
2 Likes
Beats me, perhaps for their DNS servers?
2 Likes
Why would DNS servers block anyone from DNS?
I'm leaning towards HTTP and they block that incorrectly.
2 Likes
How would that explain the cited error?
2 Likes
It wouldn't.
It only explains my understanding of their attempt to overcome their errors.
I didn't say it was the (right) solution, nor any solution at all.
It merely clears the way for them to move on to the next possible solution.
"I opened port 80 and I'm stilling getting this error: ..."
Now we can help!
2 Likes
I have 80, 443, 53 TCP/UDP open but I observed thousands of bots hitting port 53. That's why I wanted to set the actual source that can communicate on that port. I see that validation comes from random amazonaws.com servers. I can't really do wildcard, at least it doesn't work (amazonaws.com).
Please explain what you mean by that.
Looking for what?
2 Likes
I tried simple *.amazonaws.com (or just amazonaws.com) but it doesn't work.
I was looking for suspicious traffic. I read about many DNS attacks and our sysadmin wants acme-dns server access tighten up.
No.
What IP addresses does Let’s Encrypt use to validate my web server?
Let’s Encrypt does not publish a list of IP addresses we use to validate,
and these IP addresses may change at any time.
Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt
1 Like
What firewall are you using?
Also what ever firewall you are using you might get better support for this issue through their forums.
2 Likes
Fortigate. It's not firewall's problem but random servers that are used for validation.
No, this is a firewall issue as it the firewall cannot handle the design of Let's Encrypt random servers that are used for validation. Not a Let's Encrypts issue. Sorry! 
1 Like
If you are going to use HTTP-01 authentication, you must leave port 80 open to the Internet.
Then the acme-dns server should be turned off when not needed.
3 Likes