Letsencrypt validation subnets

I need to configure Let's Encrypt with automatic certificate renewal, on a firewalled off system, could you please tell me what are all of the ipv4 subnets that the validator uses? [So i can allow all of them in the firewall.]

Basically, i need this: https://www.cloudflare.com/ips/
but for Let's Encrypt.

Thank You.

1 Like

Sorry, but that's not going to happen. Please see the FAQ about this specific question: FAQ - Let's Encrypt

A possible solution to your firewall issue might be to use the dns-01 challenge.


HTTP can be accepted and then just redirected to HTTPS.
In HTTPS you can put up as many firewalls and Geofencing rules as needed.

The HTTP server can even be on a separate system (within your network) OR via a separate web server OR non-existent (always use ACME client in --standalone mode).

The point is there are many clever ways to "protect HTTP" without shutting out 99.99% of the Internet.

1 Like

As others have said, the short answer is & ::/0. :slight_smile:

Let's Encrypt needs to verify that you own the name as seen from everywhere on the Internet. That's the whole reason that they can sign your certificate to certify that your server owns the name, that they've confirmed that the name resolves to the owner of that certificate from everywhere. They check from multiple locations, and can occasionally change where they're checking from, to help ensure that nobody is trying to spoof their connections to servers.

If you're trying to get a certificate for a server that isn't publicly accessible, your only options are:

  1. Use the DNS-01 challenge instead. This only requires your DNS server to be accessible from everywhere, instead of both your DNS and your web server needing to be.
  2. Script your firewall to open up and allow for connections from everywhere during the time that you're renewing, and close your firewall back up afterward.

The key to using Let's Encrypt (or any other CA too, ideally, though other CAs don't always make it easy) is to automate the process so that you don't need to think about it, and usually the first of those options is easier to automate, but I've heard of other people in this forum that do the second. (And for some reason some IT departments are much more comfortable with their DNS servers being publicly accessible than their web servers.)

Some documentation pages that might help:


Leave the HTTP hole open 24/7 and don't serve any HTTP at all. [a hole to nowhere]
Then let the ACME client spin up a temporary HTTP webserver as it needs to validate requests.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.