While running the renew command, the host servers need to open port 80 to everyone, but due to a compliance issue I cannot open the port to everyone. Hence, is there an IP list (or lists) that can be added to the ACL to allow port 80, or is there any API support to renew certificates automatically without opening any port to everyone?
Welcome to the Let's Encrypt Community!
Let's Encrypt deliberately does not publish a list of IP addresses, since they are subject to change at any time. You could use a DNS-01 challenge instead of an HTTP-01 challenge.
You may also find this post helpful, describing how Let's Encrypt validates that you control your domain name from many places around the world.
If you can't open your port 80 to everyone (even in a scripted way only while requesting validation), but you can have your authoritative DNS server open to everyone, then the DNS-01 challenge is probably the way to go.
Just a note on the above:
If you use DNS-01, you will likely want/need to delegate the _acme-challenge records to a second DNS system as a security measure. Some people will self-host acme-dns for this, others will use a cloud-hosted commercial DNS provider. In this design, you manually CNAME your _acme-challenge records onto a second DNS host during setup, and configure your systems to automatically edit the second DNS host's records. This isolates the utility of the DNS API credentials to only being able to affect DNS entries that are limited to ACME authorization.
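The delegation design described in the reply above, worked through as an added example (this is not code from the thread, from Let's Encrypt, or from acme-dns). It computes the DNS-01 TXT value the way RFC 8555 section 8.4 defines it (base64url of SHA-256 over `token.thumbprint`, with the account-key thumbprint per RFC 7638), follows the CNAME from `_acme-challenge.www.example.com` into a delegated zone the way a validating resolver would, and shows the write path the automation's API credential is allowed to use. All names (`www.example.com`, `acme.example.net`), the account JWK, the token and the in-memory record set are constructed for the example; nothing here queries a real resolver.

```python
"""DNS-01 with a delegated _acme-challenge zone (added example, not from the thread).

Assumed, constructed names: the certificate is for www.example.com and the
challenge records are delegated via CNAME to www.example.com.acme.example.net,
a zone managed by a separate DNS host (e.g. acme-dns). RECORDS is an
in-memory stand-in for the two zones; no real DNS is queried.
"""
import base64
import hashlib
import json

# Constructed account key: P-256 coordinates are placeholder base64url strings.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token
DELEGATED_ZONE = "acme.example.net."  # zone the API credential may write to (assumed)


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 8.4: TXT RDATA = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def resolve_txt(name: str, records: dict, max_hops: int = 5) -> list:
    """Follow CNAMEs like a validating resolver and return the TXT strings found."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = records.get(name, [])
        cnames = [target for (rtype, target) in rrset if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # CNAME is exclusive, so there is at most one target
            continue
        return [rdata for (rtype, rdata) in rrset if rtype == "TXT"]
    raise ValueError("too many CNAME hops")


def in_delegated_zone(name: str, zone: str) -> bool:
    """True only for names strictly below the delegated zone apex."""
    return name.endswith("." + zone)


def publish_txt(records: dict, name: str, value: str, zone: str) -> None:
    """The only write the automation's API credential is meant to perform:
    a TXT record under the delegated zone. Anything else is refused."""
    if not in_delegated_zone(name, zone):
        raise ValueError(f"{name} is outside the delegated zone {zone}")
    records.setdefault(name, []).append(("TXT", value))


def build_records() -> dict:
    """Constructed record set: one manual CNAME in the main zone, the TXT written
    by automation into the delegated zone."""
    records = {
        "_acme-challenge.www.example.com.":
            [("CNAME", f"www.example.com.{DELEGATED_ZONE}")],
    }
    publish_txt(records, f"www.example.com.{DELEGATED_ZONE}",
                dns01_txt_value(TOKEN, ACCOUNT_JWK), DELEGATED_ZONE)
    return records


def validate_dns01(domain: str, token: str, jwk: dict, records: dict) -> bool:
    """Mimic the CA's check: query _acme-challenge.<domain> and compare."""
    expected = dns01_txt_value(token, jwk)
    return expected in resolve_txt(f"_acme-challenge.{domain}.", records)


if __name__ == "__main__":
    recs = build_records()
    print("validation passes:", validate_dns01("www.example.com", TOKEN, ACCOUNT_JWK, recs))
    try:
        publish_txt(recs, "_acme-challenge.www.example.com.", "x", DELEGATED_ZONE)
    except ValueError as err:
        print("refused:", err)
```

The point of `in_delegated_zone` is the security property the reply describes: if the credential for the second host leaks, the worst an attacker can do is place TXT records under `acme.example.net`, which cannot change your A, MX or other production records. To check a real deployment, the same CNAME walk can be done with `dig _acme-challenge.www.example.com TXT` from outside your network before you rely on it.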
The DNS challenge should work fine. I have it set up on AWS; when the instance has an appropriate IAM role, it can do renewals without any issue.
For more detail you can check here: