HTTP access is strictly restricted when obtaining a Let's Encrypt certificate. The number of Amazon servers that Let's Encrypt accesses from increases irregularly, which is quite troublesome. Is there any information on the server list?
No, there's not, and as far as the community knows, there won't ever be. Let's Encrypt want to be able to dynamically expand their network validation servers across any providers from (almost) any country.
You should ideally use a content-aware firewall (web application firewall) and allow all HTTP requests to the /.well-known/acme-challenge/ path. That way you can answer HTTP challenges from any CA without allowing general HTTP access.
Alternatively consider DNS validation instead of HTTP validation.
I have removed your huge list of IP addresses. Not that any of them are actually a secret, but I don't want to encourage people to:
a) make such a list themselves or
b) actually use the list you've posted.
As Christopher already mentioned the list is not set in stone and WILL change at random at any time. This is to protect the validation process from BGP hijacking and other such malicious attempts to illegally validate hostnames.
Making such lists will actually prevent users from getting a good experience due to the above. The solution to blocks is NOT making allow lists, but figuring out a more stable solution, e.g. allowing access to /.well-known/acme-challenge/ from all IP addresses on port 80, as already mentioned.
As such, Let's Encrypt won't make such lists themselves as they do not encourage using such lists to begin with.
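One way to put the suggestion above into practice, as an added example that is not from this thread: an nginx server block that answers HTTP-01 challenges from any client address while keeping the rest of port 80 restricted to a known network. The hostname, the token directory and the allowed network are placeholders.

```nginx
server {
    listen 80;
    server_name example.com;   # placeholder hostname

    # ACME HTTP-01 challenge path: reachable from every address, so a
    # validation server from any provider or country can fetch the token.
    # "^~" gives this prefix priority over any regex locations below.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/acme;          # directory the ACME client writes tokens to (assumed)
        default_type text/plain;
        try_files $uri =404;         # serve the token file or return 404, nothing else
    }

    # Everything else on port 80 stays limited to the permitted network.
    # allow/deny are evaluated in order; the first match wins.
    location / {
        allow 203.0.113.0/24;        # documentation range standing in for the allowed network
        deny  all;
        root /var/www/html;
    }
}
```

The network firewall in front of nginx must still accept TCP port 80 from everywhere, otherwise the challenge request never reaches the server and the location rule has nothing to decide on.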
Thank you for your advice. I will study DNS validation.