Public IP addresses of Issuance process

Hi,

We are using geo-fencing to protect our website; we limit access to our country's IPs.

When certbot runs, it fails because the process is based on IP addresses outside of our country, probably in the US. We get "firewall issue" in the log, and the first time, I realized it was the fencing.

Are those IPs publicly known? Is there a CIDR block I could allow?

At the moment, I am reverting to open Internet access during the cycle where certbot retries.

Thank you

No.

No.

Let's Encrypt's validation servers are situated at multiple locations around the world.

3 Likes

Is a DNS Challenge possible for you? That way only your Public DNS server needs to be available world-wide.

This may be helpful to review: Multi-Perspective Validation & Geoblocking FAQ

5 Likes
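What the DNS-01 suggestion above can look like in practice, as an added example that is not part of the original thread: a certbot manual auth hook that publishes the challenge TXT record with nsupdate, so the geo-fenced web server never has to accept inbound validation traffic. The DNS server name, the TSIG key path, RFC 2136 support on the authoritative server and the 30-second wait are assumptions.

```shell
#!/bin/sh
# Added example: hook for certbot's DNS-01 challenge (not from the thread).
# Assumed: the authoritative DNS server accepts RFC 2136 dynamic updates
# signed with a TSIG key. Both values below are placeholders.
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/tsig.key}"

# TXT record name queried for a domain. A leading "*." is stripped because
# wildcard names are validated at the base name.
challenge_name() {
    printf '_acme-challenge.%s.' "${1#\*.}"
}

# Print the nsupdate batch. $1 = domain, $2 = token, $3 = add|delete.
# Inputs are checked so a malformed value cannot inject extra update lines.
build_update() {
    case "$1" in ''|*[!A-Za-z0-9.*-]*) echo "bad domain" >&2; return 1 ;; esac
    case "$2" in ''|*[!A-Za-z0-9_-]*)  echo "bad token"  >&2; return 1 ;; esac
    case "$3" in add|delete) ;; *) echo "bad action" >&2; return 1 ;; esac
    name=$(challenge_name "$1")
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$3" = add ]; then
        printf 'update add %s 60 TXT "%s"\n' "$name" "$2"
    else
        printf 'update delete %s TXT "%s"\n' "$name" "$2"
    fi
    printf 'send\n'
}

# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs a hook.
# Usage (hook.sh is a placeholder name for this file):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "hook.sh add" --manual-cleanup-hook "hook.sh delete" \
#     -d example.com
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    action="${1:-add}"
    batch=$(build_update "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$action") || exit 1
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEYFILE" || exit 1
    if [ "$action" = add ]; then
        sleep 30   # assumed time for secondary name servers to pick up the record
    fi
fi
```

With this in place only the public DNS servers need to be reachable from the validation locations; the firewall on the web server can stay restricted to in-country addresses.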

Currently, Let's Encrypt uses US IP addresses for primary validation, and AWS instances for secondary validation located in regions in the US, Sweden, and Singapore.

That will change in the future, and may change without notice if required (e.g., in the event of an AWS regional outage).

7 Likes