Let's Encrypt Outbound Traffic

I am using the Let's Encrypt HTTP-01 challenge, which is working fine. I haven't moved into production yet with it. We have geoblocks for inbound and outbound traffic to specific countries. However, all my services are HTTPS and public facing, and we have HTTP redirects that the challenge is set up on, which I am able to use above the geoblocks in place. My question is, am I going to run into trouble with the outbound traffic?

I am aware of the FAQ that states they do not provide a list of IPs or domains to whitelist. I am also aware that multi-point validation is used. My ACME agent points to:

{
  "0ipZyjlUikk": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

All of which is permitted. I am curious if anyone knows whether there are more domain possibilities, and/or whether it's possible that communication happens outside of the USA on outbound traffic?

Hello @qombi, welcome to the Let's Encrypt community. :slightly_smiling_face:

Let's Encrypt uses multi-perspective validation: Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt

And see Let's Encrypt is adding two new remote perspectives for domain validation

2 Likes

Also moved from Issuance to Help.

1 Like

How do you mean? For the ACME server? Currently only acme-v02.api.letsencrypt.org is being used. No guarantee for the future though, but it probably would use a similar scheme.

I don't think the ACME server endpoint would change to a location outside the US, but I'm not a member of the LE team, so don't hold me to this statement :slight_smile:

4 Likes

Also I believe not all of the remote validators are in the USA.

2 Likes

The API address is a Cloudflare anycasted IP currently, so it's unlikely to be hit by a geoblock:

But for inbound (toward your server), vantage points from multiple continents will be required in future (from 2026 iirc?), so you'll need to prepare for it.

5 Likes

I don't think OP is interested in the validation servers.

4 Likes

OK. :slight_smile:

2 Likes

We may change our API's IP address (outbound from your perspective) in the future. However, a rough current state of the world is:

All our API traffic is to acme-v02.api.letsencrypt.org. This is unlikely to change short to medium term at least.

Some ACME clients also check a certificate's OCSP and/or CRLs for validity. Those checks happen to various domains under o.lencr.org and c.lencr.org. Today that's r3.o.lencr.org, e1.o.lencr.org, r3.c.lencr.org, e1.c.lencr.org. We will soon have additional hostnames for new intermediates that we have just created, but OCSP and CRL hostnames are not yet configured.

9 Likes

Thank you everyone for the responses, very kind to spare the time to help answer my questions!

4 Likes

Will the OCSP hostnames for R10-14 be http://r1{0,1,2,3,4}.o.lencr.org, just like it is http://r3.o.lencr.org for R3? Asking for firewall whitelisting...

Yes, we will follow the same pattern. If you’re changing things, you probably want to add E5-E9 too, if or when you get certs issued from an ecdsa intermediate.

6 Likes
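As an added example (not code from the thread or from Let's Encrypt), the following script turns the two answers above into an egress allowlist: it extracts every host from the directory document quoted at the top of the thread (including the nested meta block) and derives the OCSP and CRL hostnames from intermediate names using the <intermediate>.o.lencr.org / <intermediate>.c.lencr.org pattern the staff reply confirms. The intermediate list in the main block is an assumption built from the names mentioned in the thread (R3, E1, R10-R14, E5-E9).

```python
import json
from urllib.parse import urlsplit

# Constructed copy of the directory document quoted earlier in the thread.
ACME_DIRECTORY = json.loads("""{
  "0ipZyjlUikk": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {"caaIdentities": ["letsencrypt.org"],
           "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
           "website": "https://letsencrypt.org"},
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}""")

def directory_hosts(directory):
    """Hosts of every URL in the directory, including the nested "meta" block.
    The random anti-hardcoding entry is plain text and is skipped; whether the
    informational letsencrypt.org URLs need an egress rule is the caller's call."""
    hosts, stack = set(), [directory]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, str):
            parts = urlsplit(node)
            if parts.scheme in ("http", "https") and parts.hostname:
                hosts.add(parts.hostname)
    return hosts

def revocation_hosts(intermediates):
    """OCSP (o) and CRL (c) hosts per the <intermediate>.o.lencr.org /
    <intermediate>.c.lencr.org pattern confirmed in the thread."""
    return {f"{name.lower()}.{kind}.lencr.org"
            for name in intermediates for kind in ("o", "c")}

def egress_allowlist(directory, intermediates):
    """Sorted union of ACME API hosts and revocation-check hosts."""
    return sorted(directory_hosts(directory) | revocation_hosts(intermediates))

if __name__ == "__main__":
    # Assumed list: R3/E1 from the thread plus the R10-R14 / E5-E9 names raised later in it.
    names = ["R3", "E1"] + [f"R{n}" for n in range(10, 15)] + [f"E{n}" for n in range(5, 10)]
    print("\n".join(egress_allowlist(ACME_DIRECTORY, names)))
```

Re-run it against a freshly fetched directory document before each firewall change, since the thread notes the API host could change in the future.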

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.