Second validation was failing due to my firewall

Hi there. We recently discovered that our AutoSSL (that was functioning perfectly for years) started to alert us of errors, specifically on the second validation to the acme txt dns.

Anyway, after some digging and similar posts here found out that it could be two options:

1.- The 2nd validation servers had problems
2.- My server's firewall is blocking those incoming connections.

So made a quick test, turned off firewall on my box and AutoSSL completed successfully.

I need to whitelist these Second Validation servers on my Firewall, just wondering if someone here can help me with the IP's of such servers or their range.

Im trying to find the blocked ip's on my firewall but its been a pain in the rear to find them.

Thanks for reading!

It has been discussed to death here for years and they takeaway is always the same. The policy is not going to change.

Let's Encrypt does not

publish a list of IP addresses we use to validate, and these IP addresses may change at any time.

Ohh ok, I get it makes sense. Thanks for the head's up.

Uhmm wondering how can I fix this.... its like finding the needle in the haystack!

The easiest way is to allow unfiltered access to port 80. If you will not or can not do that, you will need to change to DNS-01 validation. As long as you are not geoblocking DNS queries to your authoritative nameservers, that method should work.

Just adding on to @linkp comment is this Let's Encrypt post

@linkp @MikeMcQ Looking at

OP is already using the dns-01 challenge?

Oh, maybe so ! I often don't read such things that literally ...

Wow. I didn't catch that because, who geoblocks blocks DNS queries to authoritative nameservers?

Yeah, that's the only part which would be a reason to believe OP is not using the dns-01 challenge: who geoblocks their DNS server?

Well, I thought AutoSSL only had limited support for DNS Challenge which did not include self-hosted DNS. So, there's that too. I could be remembering wrong though.

That's also something I considered, but don't know for sure. And was too lazy to doublecheck.

Not this one:

Well, "that box" could also be the authorative nameserver

But I agree, it doesn't sound very probably, but OP does mention "acme txt dns", whatever that may mean besides the dns-01 challenge

Then it would also have to have sole authoritative control of that DNS zone.
That is usually done with [at least] two distinct systems.

Usually yes, but not always (For hobby/home situations or something similar..)

It is disturbingly common to see ns1 and ns2 both resolve to the same IP in cheap shared cPanel hosting setups. I have no idea if that is the case here.

Yes, why not? I mean, we have five cars in my house and we all share one single spare tire!
ROFLMAO

Some people do, but...

LetsEncrypt follows CNAMES, so you can delegate a DNS-01 challenge from a public authoritative server onto a semi-public server. I do that with acme-dns challenges, and use hooks to open/close the firewall during certbot operations.

How would I get the CNAME response, if my request was geoblocked?

No, the semi-public server to which the CNAME points would be (geo)blocked.