I know this issue has been touched on before in the past by other users and I am aware of your current stance on the issue, but it’s actually rather important issues and it does warrant some additional considerations.
This would be a published list of IP address that Let’s Encrypt uses to do validation checks.
I find myself in need of this very list. I have a sensitive system that’s a legacy system that I’m not permitted to make any changes to. Due to the nature of the services performed on this system, access to this system has been totally firewalled off to only specified static IP’s. That is until I have to manually open up port 80 to the entire world every couple of months in order to let Let’s Encrypt do its renewal and then close the system off once again.
It wouldn’t be so bad if I could simply script the firewall rules on the system itself, but as I stated, I’m not permitted to make any changes to it.
However, if Let’sEncrypt would pick a set of IP addresses, stick with them, and publish said list, users could easily add firewall exceptions that would allow for automated renewals without having to manually go in and fiddle with the firewall and run manual renewals every couple of months.
I don’t want you to feel as if I’m unappreciative of the service you’re performing, I think its a wonderful contribution to the community and have personally made donations in the past as a thank you for the time and effort you’ve put into giving us all this tool to use, but I really feel that whatever reason it is that you have that’s preventing you from doing this, is greatly outweighed by the number of people who would be greatly benefited from it. The entire point of the system is to help bring security and encrypt to the masses, but then requiring unsecured ports be left open and exposed to the entire world in order for it to function really seems like it’s defeating the purpose. Users shouldn’t have to open up security holes in order to secure their systems.
Just my point of view and a feature I’d really make use of.
Feel free to flame at will.
Disclaimer first: all contents are personal, I'm not affiliated
with Let's Encrypt or ISRG.
I think you could always attempt to get the certificate via DNS validation, which definitely don't need HTTP port 80 access.
I don't think port 80 will be a security hole if you already have other ports open (if you don't have other ports, probably DNS based will be better in your use case if allowed). As many people suggested before, port 80 is a common port and in most cases only serve as a redirection port nowadays.
I think what Let's Encrypt want for not disclosing a list of IP and multi-va are all for avoid much worse security vulnerabilities (spoofing, for example), and Let's Encrypt provides at least another way for you to complete these challenges (through DNS TXT records, which can be used with acme-dns or something else if your company don't allow you to modify current NS/API). I know these can be hard for large corporations and some sensitive business / government, but HTTP based validation isn't your only choice.
Plenty of users make use of the DNS challenge to secure hosts that are completely isolated from the public internet. Even if your DNS host does not provide an API, something like acme-dns or a simple CNAME has the potential to provide a solution.
Let’s Encrypt is definitely asking users to do more work/be more creative in these kinds of situations, but an IP whitelist is something that would basically tie their hands for the rest of existence.
I will have to look into this again, but I believe that the DNS validation is a feature that was added in a much later revision of certbot than I am currently able to utilize on this system.
A common practice is to put a reverse proxy in front of a legacy system, to ensure that the externally-facing webserver does not have any HTTP vulnerabilities and uses a modern TLS configuration.
It would also mean that you can run a modern ACME client.
To be honest, if you are using certbot you are being somewhat limited. It’s indeed the suggested client but not the only client.
certbot has DNS challenge for a long time, but since most of times DNS API might not be up to date, you might need to write your own validation and cleanup scripts for your DNS API.
There are definitely more clients (might even more popular than certbot for some DNS providers).
I’m curious, but why are you restricted to a certbot that’s at least two years old (if you can’t use DNS challenge), but still hoping for LE to update in a way that’s very restrictive for the future maintainability of the service?
That is a very good suggestion. I don’t trust this system at all. It was designed and written many… many years ago on an OS that’s been dead and EOL for at least a decade. I honestly wish I could just pitch it and be done with it.
If it’s that bad, I’d just map the IPs each daily renew attempt and maybe drop off IPs that haven’t shown up in 60 days or so. If you lookup right before a request, chances are very good it’ll be the same IP each time, and eventually within in the 90 days it’ll definitely be.
The issue is, it won’t. The daily renew attempt connect to Let’s Encrypt API server (which I think it’s behind Akamai or Cloudflare or some other CDN).
The validation servers are another pool of servers that probably aren’t using the same IP for two validations (just like a random lottery)
If you have this old system, do not try to put anything onto it. Not even an ACME client. Put a recent/decent system next to it, do all the stuff needed, and just transfer the result to the old system.
Target the phase-out of the old system: remove everything you can remove. Leave only the core stuff which forces the system alive.
Let’s Encrypt unfortunately can’t accomodate every use case.
You’re not allowed to make any changes to the system, but you are allowed to install ACME clients and TLS certificates?
This system sounds like something which should never be allowed to contact the internet directly, but always through a dedicated server with firewalls and such. In that case, you can always terminate the TLS connection on that firewall and let that firewall deal with the renewal of the certificate. (For example, with Hitch.) No need to open your sensitive system to ACME challenges that way, as it will be dealt with one step up the ladder. Assuming the connection between the sensitive system and firewall is physically secure (i.e., no-one can do a MitM attack at the UTP level) and you don’t require end-2-end encryption directly to the sensitive service.
In addition to the slew of other suggestions in this thread, OP might also consider that the safety of this legacy system might not make it the best fit for a Let’s Encrypt certificate at all. Pay for an annual cert from a traditional CA and be done with it.
You could run a gateway server or firewall rule in-front-of this system, or a redirect. The system itself does not need port-80 access, you just need port-80 access running on the ip the domain names(s) resolve to. The entire /.well-known directory could be served on the gateway, or proxied/redirected to another machine. Then you can just copy/install the certificates OR have that gateway system function use the certificate itself.
DNS authorization is really your best option:
install acme-dns on a public internet machine
configure dns records to use that as your acme challenge mechanism
run certbot on your own machine to provision the certificates. it will coordinate the acme-dns and letsencrypt APIs
copy the certificates from your machine onto the legacy server.
once you have the dns stuff configured, it is pretty stable. you could write a small script to run on your machine that does renewals for you, then restarts apache or whatever on the legacy machine. this is essentially what i do with our internal servers.
Could you please explain why a Let's Encrypt certificate isn't the best fit? Now it sounds like payed certificates themselves have an extra security benefit above Let's Encrypt certificates. Which of course is not the case.
Sorry about that. I should have been more explicit. If OP's organization has decided this system is so fragile that they must disallow admins from making "any changes to it", an ACME client should not even be added to begin with. A paid certificate where all of the validation can happen outside the fragile server is the least intrusive to its config and they would only have to touch it once a year.
(We'll conveniently ignore the fact that installing a new certificate is a change to the system regardless of whether a human or an ACME client does it)