Let's Encrypt CIDRs

Hi

We need to implement certbot but accept traffic from the public internet only from the Let's Encrypt network.
I issued some certificates to start capturing what the public IPs would be, and to check whether they keep coming from the same subnets, but the CIDRs they belong to (according to whois) are very large, subnets like /9, /10 and /11.

Is there a public list, like other services publish, of the public network Let's Encrypt uses, so this kind of traffic can be allowed from the client side?

These are some examples I got when I issued certificates.

If someone has a more accurate list it would be appreciated.

thanks in advance

IP Address 3.138.245.232
Resolve Host ec2-3-138-245-232.us-east-2.compute.amazonaws.com
NetRange: 3.128.0.0 - 3.255.255.255
CIDR: 3.128.0.0/9

IP Address 23.178.112.208
Resolve Host outbound2i.letsencrypt.org
NetRange: 23.178.112.0 - 23.178.112.255
CIDR: 23.178.112.0/24

IP Address 34.220.184.113
Resolve Host ec2-34-220-184-113.us-west-2.compute.amazonaws.com
NetRange: 34.192.0.0 - 34.255.255.255
CIDR: 34.192.0.0/10

Resolve Host ec2-54-71-105-36.us-west-2.compute.amazonaws.com
IP Address 54.71.105.36
NetRange: 54.64.0.0 - 54.95.255.255
CIDR: 54.64.0.0/11

Resolve Host ec2-3-138-245-232.us-east-2.compute.amazonaws.com
IP Address 3.138.245.232
NetRange: 3.128.0.0 - 3.255.255.255
CIDR: 3.128.0.0/9

Resolve Host outbound2d.letsencrypt.org
IP Address 23.178.112.203
NetRange: 23.178.112.0 - 23.178.112.255
CIDR: 23.178.112.0/24

Resolve Host outbound1c.letsencrypt.org
IP Address 23.178.112.102
NetRange: 23.178.112.0 - 23.178.112.255
CIDR: 23.178.112.0/24

Resolve Host ec2-34-220-184-113.us-west-2.compute.amazonaws.com
IP Address 34.220.184.113
NetRange: 34.192.0.0 - 34.255.255.255
CIDR: 34.192.0.0/10

No. Let's Encrypt staff decided not to publish this information:

You have to allow traffic from the entire internet to your /.well-known/acme-challenge endpoint in case of HTTP-01 method.

If you feel that this is unacceptable you can switch to DNS-01 method if you don't use it already.


In order to prove that you own a name as seen from the whole Internet, Let's Encrypt checks from multiple locations and regularly uses different IPs. You need to have something open to the entire Internet in order to get a certificate. (If you want a CIDR, it's 0.0.0.0/0 & ::/0 :wink:.)

Options people who need to have more-locked-down networks sometimes use include:

  1. Scripting their firewall to open up only while getting a certificate. Certbot and many other clients have pre-hooks and post-hooks for this purpose.
  2. Having their firewall be smart enough to always allow through requests for .well-known/acme-challenge even if it's blocking requests for other paths by IP.
  3. Using DNS-01, since while this still requires your DNS servers to be accessible from the whole world, for some reason many organizations are fine with that even if they aren't okay with port 80 being accessible from the whole world.
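The first of the three options above (open port 80 only while a certificate is being obtained), as an added example that is not from this thread and not certbot's own code: one POSIX sh script that serves as both `--pre-hook` and `--post-hook`. It assumes iptables/ip6tables; the `FW_CMD`/`FW6_CMD` variables are a hypothetical indirection so the script can be dry-run with `FW_CMD=echo`, and the install path `/usr/local/sbin/acme-fw` in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): temporary firewall
# opening for HTTP-01. Assumes iptables/ip6tables. FW_CMD and FW6_CMD are a
# hypothetical indirection so the logic can be dry-run (FW_CMD=echo FW6_CMD=echo)
# without touching a real firewall.
set -eu

: "${FW_CMD:=iptables}"
: "${FW6_CMD:=ip6tables}"

# One rule, used for both insert and delete so the two always match exactly.
# The comment match tags the rule so it is recognisable in `iptables -S`.
ACME_RULE="INPUT -p tcp --dport 80 -m comment --comment acme-http-01 -j ACCEPT"

# Pre-hook: insert an ACCEPT rule at the top of INPUT for v4 AND v6.
# Validation arrives over either family (IPv6 is preferred when the name has
# an AAAA record), so opening only IPv4 will fail on dual-stack hosts.
acme_open() {
    $FW_CMD -I $ACME_RULE
    $FW6_CMD -I $ACME_RULE
}

# Post-hook: remove the rule again. `-D` returns non-zero if the rule is not
# present, so tolerate that to keep the hook idempotent (e.g. if the pre-hook
# never ran, or the post-hook is run twice).
acme_close() {
    $FW_CMD -D $ACME_RULE || true
    $FW6_CMD -D $ACME_RULE || true
}

# Dispatch on the first argument so the same file serves both hooks, e.g.
#   certbot certonly --standalone -d example.test \
#       --pre-hook  "/usr/local/sbin/acme-fw open" \
#       --post-hook "/usr/local/sbin/acme-fw close"
# Returns 2 on an unknown action so certbot reports the hook failure.
acme_main() {
    case "${1:-}" in
        open)  acme_open ;;
        close) acme_close ;;
        *)     echo "usage: $0 open|close" >&2; return 2 ;;
    esac
}

# Only dispatch when an action is given on the command line.
if [ "$#" -gt 0 ]; then
    acme_main "$@"
fi
```

Two caveats a practitioner will want: certbot's post-hook runs whether or not the attempt succeeded, so the hole is closed on failure too, but during the window port 80 is open to the entire Internet, not to a Let's Encrypt range, which is exactly the point made above. With `certbot renew`, the hooks only fire when some certificate is actually due, so a dry run with `--dry-run` is the way to confirm the rules appear and disappear.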

Oh Peter I like that! :rofl:


I'm pretty sure LE does have some IPv6 ranges, as they check IPv6.


Sometimes I like to answer the question that was asked, in addition to the question that should have been asked. :wink:

Of course they do! That's why you need to allow ::/0. You'd only need to allow 0.0.0.0/0 if you also need to support IPv4 for some reason. :slight_smile:


And for those very strange cases where 0.0.0.0/0 is prohibited...
[challenge accepted!]

I go with these [two halves]:
0.0.0.0/1
128.0.0.0/1


OK, I solved it.


I believe you can technically shorten both to just /0 :wink:


Hi, folks,

Just a friendly reminder: spending multiple posts riffing on a quip about someone's question can seem mocking or unfriendly to someone who doesn't spend a lot of time in our community.
