Our firewall is set to deny any outbound traffic originating from our servers. We need to explicitly list the IPs and ports that we need to communicate with.
For the HTTP-01 and TLS-SNI-01 challenges, I found a post by PFG in the thread „Let’s Encrypt and Firewall rules”, which states:
For all challenge types: Allow outgoing traffic to acme-v01.api.letsencrypt.org on port 443 (HTTPS).
Right now, DNS (host) returns this:
$ host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 184.108.40.206
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:64:591::3d5
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:64:595::3d5
Are those IP addresses „guaranteed“ to stay stable?
I’ve read „IP addresses of outbound validators stability over time”, which states that the IPs of the servers LE uses for inbound traffic will change and that ports 443 & 80 should be open to the world.
But I’m asking about
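Added example, not part of the post or the forum thread it quotes: the `host` output above ends in an akamaiedge.net name, i.e. a CDN edge, so the addresses behind it are what the CDN hands out at the moment of resolution rather than a fixed set. A practical way to live with that on a deny-all egress firewall is to generate the per-address allow rules from a resolution and re-check for drift on a schedule, so a new edge address gets a rule before a renewal fails. The script below parses `host` output of the form quoted above (the sample is the output from the post, embedded as a constructed string), renders iptables/ip6tables ACCEPT rules, and compares a pinned address set against a fresh one. The chain name `OUTPUT` and the simulated later resolution (including the documentation address 2001:db8::1) are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample input: the `host` output quoted in the post, one record per line.
SAMPLE_HOST_OUTPUT = """\
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 184.108.40.206
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:64:591::3d5
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:64:595::3d5
"""

# "<name> is an alias for <target>." (trailing dot optional, excluded from the capture)
_ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+?)\.?$")
# "<name> has address <v4>" or "<name> has IPv6 address <v6>"
_ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Parse `host` output into (cname_chain, addresses).

    cname_chain lists the alias targets in order; addresses holds the final
    A/AAAA records as ipaddress objects. Lines matching neither form (for
    example a shell prompt line) are ignored.
    """
    chain, addrs = [], []
    for line in text.splitlines():
        line = line.strip()
        m = _ALIAS_RE.match(line)
        if m:
            chain.append(m.group(2))
            continue
        m = _ADDR_RE.match(line)
        if m:
            addrs.append(ipaddress.ip_address(m.group(2)))
    return chain, addrs


def egress_rules(addrs, port=443, chain="OUTPUT"):
    """Render one iptables/ip6tables ACCEPT rule per resolved address.

    The chain name is an assumption; use the chain your deny-all policy
    lives in, and insert (-I) instead of appending if a final DROP rule
    would otherwise shadow these.
    """
    rules = []
    for a in addrs:
        tool = "ip6tables" if a.version == 6 else "iptables"
        rules.append(f"{tool} -A {chain} -p tcp -d {a} --dport {port} -j ACCEPT")
    return rules


def drift(pinned, current):
    """Compare the address set pinned in the firewall with a fresh resolution.

    Returns (added, removed) as sorted lists of strings: 'added' are addresses
    the name now resolves to that have no rule yet (a client steered to one
    of them would be blocked); 'removed' are rules that no longer match the
    name and can be retired.
    """
    pinned_set = {ipaddress.ip_address(p) for p in pinned}
    current_set = {ipaddress.ip_address(c) for c in current}
    added = sorted(str(a) for a in current_set - pinned_set)
    removed = sorted(str(a) for a in pinned_set - current_set)
    return added, removed


if __name__ == "__main__":
    cnames, addresses = parse_host_output(SAMPLE_HOST_OUTPUT)
    print("CNAME chain:", " -> ".join(cnames))
    for rule in egress_rules(addresses):
        print(rule)
    # Assumed later resolution: one edge address replaced by another.
    later = ["184.108.40.206", "2a02:26f0:64:591::3d5", "2001:db8::1"]
    added, removed = drift(addresses, later)
    print("new addresses needing rules:", added)
    print("stale rules:", removed)
```

In practice the fresh resolution would come from running `host` (or `dig +short`) from the same resolver the ACME client uses, since a CDN may answer differently depending on where the query originates; feeding that output to `parse_host_output` and alerting on a non-empty `added` list is the check that matters.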