Let's Encrypt server addresses for certificate renewal

Dear Support,

We use a few Let’s Encrypt certificates (golosnalchik.ru, ag.akmrko.ru and ag.e-dag.ru) and would like to configure our servers to renew certificates automatically.

Due to our corporate data center security policy, when opening an outgoing connection, for either port 80 or 443, we need to specify exact server addresses, given either as IP or server names. Could you please clarify what Let’s Encrypt server addresses we need to unblock for an outgoing connection to be able to access your servers and set up certificate renewal?

Looking forward to your feedback.

Regards,
Felix Deluda

From the main website:

What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

For validation of publicly inaccessible servers, the DNS challenge is the only choice.

For outgoing connections, that IP address also regularly changes due to the CDN they use (Akamai), so you would not be able to pin it in your firewall.

Perhaps you can put the machine that coordinates the certificate issuance and renewal into the network DMZ?

More details: Integration Guide - Let's Encrypt

Firewall Configuration

To use Let’s Encrypt, you need to allow outbound port 443 traffic from the machines running your ACME client. We don’t publish the IP ranges for our ACME service, and they will change without notice.

For the “http-01” ACME challenge, you need to allow inbound port 80 traffic. We don’t publish the IP ranges from which we perform validation, and they will change without notice.

Hi @fdeluda

There are additional changes this year:

New Features
...
The feature we’re most excited about is multi-perspective validation. Currently, when a subscriber requests a certificate, we validate domain control from a single network perspective. This is standard practice for CAs. If an attacker along the network path for the validation check can interfere with traffic they can potentially cause certificates to be issued that should not be issued. We’re most concerned about this happening via BGP hijacking, and since BGP is not going to be secured any time soon, we needed to find another mitigation. The solution we intend to deploy in 2019 is multi-perspective validation, in which we will check from multiple network perspectives (distinct Autonomous Systems).

So Let's Encrypt wants to validate from different IP addresses worldwide.

This is a big step to check if the validation is really correct and not hijacked.

Hi, and thanks for clarifying things. Regarding your comment:

Does this also mean that although the IPs may change, there are some Let's Encrypt domain names assigned for certificate renewal? Or may they also change?

The names are well-known and won't change:

acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org

Practically speaking, only acme-v02.api.letsencrypt.org is required for successful operation of a Let's Encrypt client.

Looks like I asked an obvious question. Sorry for bothering, and thanks a lot for the help!

If you can add an HTTP “proxy” into the path, you can secure the inbound connections to only pass access to the /.well-known/acme-challenge/ folder or, even more securely, to simply redirect all HTTP connections to HTTPS.

This way the proxy has no access to any trusted/critical resources and closes that missing gap.
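
The proxy arrangement described in the post above, written as an nginx configuration for a host in the DMZ. This is an added example, not part of the original thread or of Let's Encrypt's documentation; the upstream name `acme_backend`, the address `10.0.0.10` and the server name `example.com` are placeholders.

```nginx
# Added example: place inside the http {} context of the DMZ proxy.
# All names and addresses below are placeholders, not values from the thread.

upstream acme_backend {
    # Assumption: internal host where the ACME client serves http-01 responses.
    server 10.0.0.10:80;
}

server {
    listen 80;
    server_name example.com;

    # Forward only well-formed http-01 challenge requests.
    # ACME tokens are restricted to the base64url alphabet (RFC 8555, section 8.3),
    # so anything with other characters or extra path segments does not match here.
    location ~ ^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$ {
        # Validation only needs GET (limit_except GET also permits HEAD).
        limit_except GET { deny all; }

        # No URI part on proxy_pass: required in a regex location,
        # and the original request path is passed through unchanged.
        proxy_pass http://acme_backend;
        proxy_set_header Host $host;
    }

    # Every other request on port 80 is answered by the proxy itself
    # and never reaches the internal host.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Because the validation source addresses are unpublished, port 80 on this proxy stays open to any source; the path filter is what limits exposure of the internal host.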
