Outbound traffic - stability of IP address of acme-v01.api.letsencrypt.org


#1

Hello

Our firewall is set to deny any outbound traffic originating from our servers. We need to explictly list the IPs and ports, that we need to communicate with.

For the HTTP-01 and TLS-SNI-01 challenges, I found a post by PFG in the thread „Let’s Encrypt and Firewall rules”, which states:

For all challenge types: Allow outgoing traffic to acme-v01.api.letsencrypt.org on port 443 (HTTPS).

Right now, DNS (host) returns this:

$ host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 104.108.34.195
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:64:591::3d5
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:64:595::3d5

Are those IP addresses „guaranteed“ to stay stable?

I’ve read „IP addresses of outbound validators stability over time”, which states that the IPs of the servers LE uses for inbound traffic will change and that ports 443 & 80 should be open to the world.

But I’m asking about acme-v01.api.letsencrypt.orghere.

Thanks.


#2

For outbound traffic to acme-v01.api.letsencrypt.org (i,e the traffic that certbot, or whichever client you use) then the IP address will be limited within a subset ( no guarantee what happens in 5 years time of course). As far as I’m aware, this is a range of IP addresses though - not a single IP.

Checking from a few places worldwide …

host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 96.7.204.37
e981.dscb.akamaiedge.net has IPv6 address 2600:140a:0:189::3d5
e981.dscb.akamaiedge.net has IPv6 address 2600:140a:0:187::3d5
host acme-v01.api.letsencrypt.org 
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 23.214.61.183
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:b7:184::3d5
host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 23.202.171.11
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:8e:2a0::3d5
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:8e:298::3d5

The inbound validation traffic will be from almost any random IP.


#3

Thanks.

Well, so we already found 4 IPs for acme-v01.api.letsencrypt.org:

  1. 104.108.34.195
  2. 96.7.204.37
  3. 23.214.61.183
  4. 23.202.171.11

And possibly quite a few others, I fear.

Is there a list of IPs available somewhere?


#4

Not that I’m aware of.


#5

Too bad :frowning:

Hm. I now read e.g. [SOLVED] Proxy settings in order to use letsencrypt-auto behind a proxy. So, maybe we’ll have to use a proxy .

At the moment, acme-v01.api.letsencrypt.org is really the only host that the certbot client connects to, right?


#6

The IP address is not static, no. Let’s Encrypt uses Akamai’s CDN network, and while I’m not familiar with the specifics on how that CDN works, they commonly don’t have static IPs. Often, they provide different IP addresses depending on your location (or the location of your DNS server), the best/shortest route to the destination, saturation of these routes, any outages, etc. It might be possible to limit the IP addresses to a couple of ranges if you’re doing this all from one location, but that’d have to be a trial-and-error approach, there’s no published list or any guarantee that things won’t change.

A better approach for this kind of thing might be a HTTP(S) Proxy. You should be able to do this with the HTTP_PROXY (or HTTPS_PROXY) environment variable. As far as I’m aware, certbot makes use of this environment variable if it has been set.


Outbound traffic - stability of IP address of acme-v01.api.letsencrypt.org (alternative answer)
#7

Thanks. That’s what I’m probably going to do. Our proxy team wants to know, to which hosts we need to connect to. Right now, acme-v01.api.letsencrypt.org is the only one, correct?


#8

Yes, that hostname should be sufficient.


#9

Excellent. Thanks a lot :+1:


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.