Our firewall is set to deny any outbound traffic originating from our servers. We need to explicitly list the IPs and ports that we need to communicate with.
$ host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 104.108.34.195
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:64:591::3d5
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:64:595::3d5
Are those IP addresses „guaranteed“ to stay stable?
For outbound traffic to acme-v01.api.letsencrypt.org (i.e. the traffic that certbot, or whichever client you use, generates), the IP address will be limited to a subset (no guarantee what happens in 5 years' time, of course). As far as I'm aware, this is a range of IP addresses though, not a single IP.
Checking from a few places worldwide …
host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 96.7.204.37
e981.dscb.akamaiedge.net has IPv6 address 2600:140a:0:189::3d5
e981.dscb.akamaiedge.net has IPv6 address 2600:140a:0:187::3d5
host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 23.214.61.183
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:b7:184::3d5
host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 23.202.171.11
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:8e:2a0::3d5
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:8e:298::3d5
The inbound validation traffic will be from almost any random IP.
The IP address is not static, no. Let’s Encrypt uses Akamai’s CDN network, and while I’m not familiar with the specifics on how that CDN works, they commonly don’t have static IPs. Often, they provide different IP addresses depending on your location (or the location of your DNS server), the best/shortest route to the destination, saturation of these routes, any outages, etc. It might be possible to limit the IP addresses to a couple of ranges if you’re doing this all from one location, but that’d have to be a trial-and-error approach, there’s no published list or any guarantee that things won’t change.
A better approach for this kind of thing might be an HTTP(S) proxy. You should be able to do this with the HTTP_PROXY (or HTTPS_PROXY) environment variable. As far as I'm aware, certbot makes use of this environment variable if it has been set.
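An added example, not code from the thread: a small Python check that parses `host` output in the format shown above and reports every resolved address that falls outside a firewall egress allowlist, so a team that does go the IP-range route can notice when Akamai's answers drift beyond the rules. The allowlist CIDRs are assumed for illustration; the sample `host` lines are copied from the lookups above.

```python
import ipaddress
import re

# Constructed sample: `host acme-v01.api.letsencrypt.org` output from several
# vantage points, concatenated (addresses taken from the lookups in the thread).
SAMPLE_HOST_OUTPUT = """\
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 104.108.34.195
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:64:591::3d5
e981.dscb.akamaiedge.net has address 96.7.204.37
e981.dscb.akamaiedge.net has IPv6 address 2600:140a:0:189::3d5
e981.dscb.akamaiedge.net has address 23.214.61.183
"""

# Assumed egress allowlist, e.g. what a trial-and-error approach produced.
ASSUMED_ALLOWLIST = ["104.108.34.0/24", "2a02:26f0::/32"]

ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)\.$")
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Return (cname_chain, addresses) from `host` output.

    cname_chain is a list of (alias, target) pairs in the order printed;
    addresses is a list of ipaddress objects for both A and AAAA answers.
    """
    chain, addrs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ALIAS_RE.match(line)
        if m:
            chain.append((m.group(1), m.group(2)))
            continue
        m = ADDR_RE.match(line)
        if m:
            addrs.append(ipaddress.ip_address(m.group(2)))
    return chain, addrs


def uncovered_addresses(text, allowlist_cidrs):
    """Resolved addresses (as strings) not contained in any allowlisted network."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowlist_cidrs]
    _, addrs = parse_host_output(text)
    return [str(a) for a in addrs if not any(a in n for n in nets)]


if __name__ == "__main__":
    # Any output here means the egress rules no longer match what DNS returns.
    for addr in uncovered_addresses(SAMPLE_HOST_OUTPUT, ASSUMED_ALLOWLIST):
        print("not covered by egress allowlist:", addr)
```

Feed it the real `host` output from each location your servers resolve from; the CNAME chain it returns is also worth logging, since a change there usually precedes a change in the address set.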
Thanks. That's what I'm probably going to do. Our proxy team wants to know which hosts we need to connect to. Right now, acme-v01.api.letsencrypt.org is the only one, correct?