I use Let's Encrypt SSL with our Nextcloud platform.
I restrict incoming traffic to just our local country.

I want to ask if incoming traffic should always be open on ports 80 and 443 to validate SSL.
If we have to keep it open, is it possible to have the list of IPs that should be allowed for SSL validation?

Because actually I can't allow all incoming sources.

Thank you in advance.

Yes. Let's Encrypt can validate from anywhere, and it's often multiple validation attempts from different locations for any given cert. If you're unwilling or unable to open port 80 to the entire Internet, consider using DNS validation instead for your cert.


Most ACME clients have hooks that allow you to control the firewall and only open your server to the rest of the world during a validation, if that's what you're looking for.

Validation IPs change all the time, but currently they're on AWS. It makes no sense to whitelist all of AWS; that's a massive number of hosts and you have no guarantee future validation hosts will be there.
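As an added example of the hook approach described in the post above (not code from the thread, from certbot or from any other ACME client): a small POSIX sh script that certbot can call as a pre-hook and post-hook so that TCP/80, the port the HTTP-01 challenge is delivered to, is reachable from anywhere only while a renewal attempt is running. It assumes nftables and the hypothetical names `inet filter` (table) and `acme_window` (chain); the operator creates that chain once and inserts a `jump acme_window` rule into the input chain ahead of the country allow-list, otherwise foreign validators never reach it. `DRY_RUN=1` prints the nft commands instead of executing them.

```sh
#!/bin/sh
# acme-fw.sh: open TCP/80 to the world only for the duration of an ACME
# HTTP-01 validation. Added example; not part of the original thread or of
# any ACME client. Table/chain names below are assumptions.
#
# One-time setup by the operator (also an assumption about your ruleset):
#   nft add chain inet filter acme_window
#   nft insert rule inet filter input tcp dport 80 jump acme_window
# The jump must sit before the geo-block rule so it is evaluated first.
#
# Usage: acme-fw.sh open | acme-fw.sh close
#   certbot renew --pre-hook "/usr/local/sbin/acme-fw.sh open" \
#                 --post-hook "/usr/local/sbin/acme-fw.sh close"

set -eu

NFT_TABLE="${NFT_TABLE:-inet filter}"   # assumed table name
NFT_CHAIN="${NFT_CHAIN:-acme_window}"   # assumed chain name

# Build the nft command for an action. "open" adds a single accept rule for
# TCP/80 into the window chain; "close" flushes the chain, which is
# idempotent (flushing an already-empty chain succeeds), so "close" can also
# be run from a timer as a safety net if a renewal is interrupted.
nft_cmd() {
    case "$1" in
        open)  printf 'add rule %s %s tcp dport 80 accept comment "acme-http01"' "$NFT_TABLE" "$NFT_CHAIN" ;;
        close) printf 'flush chain %s %s' "$NFT_TABLE" "$NFT_CHAIN" ;;
        *)     printf 'acme-fw.sh: unknown action: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Execute (or, with DRY_RUN=1, print) the command for the given action.
run_nft() {
    cmd="$(nft_cmd "$1")" || return $?
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'nft %s\n' "$cmd"
    else
        # nft accepts the whole rule as one argument string.
        nft "$cmd"
    fi
}

# Dispatch only when invoked with an action, so the file can also be sourced.
case "${1:-}" in
    open|close) run_nft "$1" ;;
esac
```

The window is open for the whole renewal attempt, including the several validation requests from different locations that the earlier reply mentions, and TCP/443 stays behind the country restriction throughout, since HTTP-01 only needs port 80 on the server side. Whatever runs "close" should also run when the attempt fails; check your client's hook semantics rather than assuming it, and keep the idempotent "close" on a timer as a fallback.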


No, please see the FAQ.


