Public IP addresses of Issuance process

Hi,

We are using geo-fencing to protect our website; we limit access to our country's IPs.

When certbot runs, it fails because the process is based on IP addresses outside of our country, probably in the US. We get "firewall issue" in the log and the first time, I realized it was the fencing.

Are those IPs publicly known? Is there a CIDR block I could allow?

At the moment, I am reverting to open Internet access during the cycle where certbot retries.

Thank you

No.

No.

Let's Encrypt's validation servers are situated at multiple locations around the world.


Is a DNS Challenge possible for you? That way only your Public DNS server needs to be available world-wide.

This may be helpful to review: Multi-Perspective Validation & Geoblocking FAQ


Currently, Let's Encrypt uses US IP addresses for primary validation, and AWS instances for secondary validation located in regions in the US, Sweden, and Singapore.

That will change in the future, and may change without notice if required (eg, in the event of an AWS regional outage).


Ok, understood. I have a workaround process that is quite manageable anyway.


Note that the reason Let's Encrypt tries from multiple locations is to prevent a hacker from being able to send a fake BGP packet to the data center they have their test servers in and in turn be able to pretend they have your IP address and pass the challenge.

By not knowing which IPs and exact datacenters Let's Encrypt is going to use for your challenge, this becomes a lot harder (history has shown that just validating the challenge one time is possible to hijack, but an attack on multiple IP addresses has never happened).

If geofencing is a requirement for your company, use the DNS challenge.

If an HTTP or ALPN challenge is required, consider running multiple web servers, then source route between the 2 servers depending on whether the IP is on the allow list. The "outside traffic" server runs on a different user and can only access the certbot validation files and serves a 451 for other files.

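The split described in the reply above (challenge path open to the world, everything else geo-fenced with a 451), as an added example that is not from this thread or from Let's Encrypt. The allow-list networks and the request samples are constructed placeholders; a real deployment would load its country's CIDR blocks from a geo-IP feed.

```python
# Added example: a minimal front-door decision for an HTTP-01 challenge under geo-fencing.
# The ACME challenge path is reachable from any address (the validation servers'
# locations are not published); every other path is limited to an allow-list and
# answered with 451 otherwise.
import ipaddress
import posixpath

# Constructed placeholder allow-list standing in for "our country" (not real data).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

ACME_PREFIX = "/.well-known/acme-challenge/"


def normalize_path(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so that a request such as
    '/.well-known/acme-challenge/../../secret' is not mistaken for a challenge."""
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def is_acme_challenge(path: str) -> bool:
    """True only for a single token directly under the ACME prefix."""
    norm = normalize_path(path)
    if not norm.startswith(ACME_PREFIX):
        return False
    token = norm[len(ACME_PREFIX):]
    # ACME tokens are base64url: letters, digits, '-' and '_' only; no sub-paths.
    return token != "" and all(c.isalnum() or c in "-_" for c in token)


def ip_allowed(client_ip: str) -> bool:
    """Geo-fence check against the allow-list (IPv4 or IPv6 literal)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def gate(client_ip: str, path: str) -> int:
    """Status the front door should answer with:
    200 = pass the request to the site, 451 = refused by the geo-fence."""
    if is_acme_challenge(path):
        return 200  # validation may come from any location
    return 200 if ip_allowed(client_ip) else 451
```

Only the challenge path is exempted; the "outside" server in the reply's design would still serve nothing but those files from a separate unprivileged user.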
