Not using the template, as I don't think it's needed for this.
I had an issue with Apache crashing due to too much traffic from server networks / FLOOD. So I blocked all datacenter IPs with `ip route blackhole`. Now LetsEncrypt is unable to pass validation.
Can anyone provide a list of the LetsEncrypt server IPs, to remove from my blackhole list? I know they are not usually provided, but at this point I have no other option, so I hope to receive some understanding here.
I am not able to use any other method to block the malicious traffic as I can't pinpoint where it's coming from - there are too many different IPs. I tried using iptables to match HTTP patterns but it didn't work, so I resorted to blackholing.
Are you able to use the DNS Challenge? That way you can block whoever you wish from port 80.
Or, does your ACME Client or web server support TLS-ALPN Challenge? That uses port 443 if that helps at all. Apache supports that in its mod_md component, for example.
I need to switch the blocking to iptables instead of ip route blackhole, but then again - it is failing at making the outbound connection to request the challenge in order to update it.
Idk any other way to block the attacks.
Is there any way to put a permanent TXT record for validation, which LetsEncrypt will eventually cache (nameserver is running on the same machine)?
There may be other ACME-capable Certificate Authorities that publish their IP. I don't know.
Even if you knew the LE IP address ranges used today LE says they may change at any time even at a moment's notice. That isn't helpful for an automated hands-free solution if you block by IP address(es).
Kinda close; you can use something like acme-dns that your main zone does a CNAME to, so that the TXT record gets changed in a special-purpose DNS server, and you don't need to update your main DNS zone.
But even that won't help you if you're blocking port 53 DNS traffic. You need to validate that you control the domain as seen from everywhere on the Internet, and so that requires responding to a challenge of some kind (whether DNS or HTTP) from places around the Internet.
This FAQ might help explain some things:
There are plenty of free certificate providers besides Let's Encrypt, and plenty of paid providers, and many of them support automation with your system, whether through ACME or otherwise. But all of them require you proving control over the domain (either automatically or manually), and will soon all be checking from multiple places around the world (even though many are only checking from one place for now).
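To make the acme-dns suggestion concrete, here is an added example (not code from the thread, from acme-dns, or from Let's Encrypt) that models what a validating resolver does for a DNS-01 challenge: it follows the `_acme-challenge` CNAME from the main zone into a delegated record and compares the TXT value with the expected digest of the key authorization from RFC 8555. The zone contents, token and thumbprint are constructed for the example; the CNAME target name and the `example.com`/`example.net` zones are placeholders, not real acme-dns hosts.

```python
import base64
import hashlib

# Constructed zone data (a stand-in for real DNS): owner name -> list of (type, value).
# The main zone only holds a CNAME; the TXT record lives in the delegated zone,
# which is what lets a special-purpose server (acme-dns style) rotate the value.
MAIN_ZONE_CNAME = "_acme-challenge.example.com."
DELEGATED_NAME = "a1b2c3d4.auth.acme-dns.example.net."  # placeholder target name


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses for key authorizations."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def build_zone(txt_value: str) -> dict:
    """Publish the challenge only in the delegated zone; the main zone stays untouched."""
    return {
        MAIN_ZONE_CNAME: [("CNAME", DELEGATED_NAME)],
        DELEGATED_NAME: [("TXT", txt_value)],
    }


def resolve(zone: dict, name: str, rtype: str, max_hops: int = 8) -> list:
    """Follow CNAMEs the way a recursive resolver would and return rtype values."""
    for _ in range(max_hops):
        records = zone.get(name, [])
        values = [v for t, v in records if t == rtype]
        if values:
            return values
        cnames = [v for t, v in records if t == "CNAME"]
        if not cnames:
            return []  # no answer and no alias: validation will fail
        name = cnames[0]
    raise RuntimeError("CNAME chain too long")


def validate_dns01(zone: dict, domain: str, token: str, jwk_thumbprint: str) -> bool:
    """What the CA's validator checks: is the expected TXT present under _acme-challenge?"""
    expected = dns01_txt_value(token, jwk_thumbprint)
    found = resolve(zone, f"_acme-challenge.{domain}.", "TXT")
    return expected in found


if __name__ == "__main__":
    # Constructed token and account-key thumbprint, not values from any real CA order.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    thumbprint = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
    zone = build_zone(dns01_txt_value(token, thumbprint))
    print("validation passes:", validate_dns01(zone, "example.com", token, thumbprint))
```

The point the model makes visible: the main zone never changes after the one-time CNAME is added, so inbound DNS traffic to the delegated server is the only thing that has to stay reachable from the CA's validators, and it can be hosted elsewhere if port 53 on the main machine is filtered.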
If you're blocking port 53 from "server traffic", how do your users resolve your domain name? Since most recursive DNS servers would (presumably) be blocked by your rules?
Regardless... Have you considered externally hosting your DNS? Plenty of low-cost options out there. Most of them have APIs which CertBot supports.