Let's Encrypt and Firewall rules

I have not done any tests to confirm this, but here’s what I think ought to be the the minimum set of firewall rules you need for Let’s Encrypt:

  • For all challenge types: Allow outgoing traffic to acme-v01.api.letsencrypt.org on port 443 (HTTPS).
  • For HTTP-01 (for example via certbot's webroot plugin): Allow incoming traffic on port 80 (HTTP) from anywhere.
  • For TLS-SNI-01 (for example via certbot's standalone or apache plugin - this is probably what you used, if I’m interpreting “automated install” correctly): Allow incoming traffic on port 443 (HTTPS) from anywhere.

In case you’re wondering why it’s “anywhere” for HTTP-01 and TLS-SNI-01, and not a set of specific IPs: Let’s Encrypt plans to perform validation requests from a number of (possibly) unpredictable IP addresses in the future, in order to make spoofing validation requests harder. If you rely on a specific IP address being used, your deployment will break without any warning at some point.

If you’re looking for a challenge type that does not require allowing any incoming traffic, take a look at DNS-01. With that challenge type, domain ownership is demonstrated via a TXT record you create for your domain. Note that this is currently not supported by certbot, you’d have to use one of the alternative clients (take a look at lego or any of the bash clients).

3 Likes