Let's Encrypt IP subnet


I’m trying to use dns-01 verification method, but my DNS server is configured to response only for defined IP/subnets.
Please, tell me which subnet(s) is used for dns-01 verification?


Actually, I think they change their IPs every so and as indicated here IP addresses LE is validating from to build firewall rule your website should be open to the whole world.

Edit: Oops, sorry, this information above has nothing to do with DNS validation method.


Your authoritative DNS servers should really respond to all requests for DNS information about your specific domain.


My temporary solution:

  1. Enable query log in DNS server
  2. Request certificate using staging server
  3. Get LE validator IP address from logs
  4. Add LE validator IP to the list of permited IP/subnets


That can work short term, but it potentially won’t work long term

Is there any reason you don’t want the general internet to be able to obtain the IP address of your website ?


Every day you discover use cases more obscure than before. I really like this forum.

What are you actually doing? Are you trying to obtain a public cert for a “local” name?


@umhd: I guarantee this process will break without notice at some future date. I strongly recommend you answer queries from all IP addresses.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.