Hi there. We recently discovered that our AutoSSL (that was functioning perfectly for years) started to alert us of errors, specifically on the second validation to the acme txt dns.
Anyway, after some digging and similar posts here, I found out that it could be one of two options:
1.- The 2nd validation servers had problems
2.- My server's firewall is blocking those incoming connections.
So I made a quick test, turned off the firewall on my box, and AutoSSL completed successfully.
I need to whitelist these Second Validation servers on my Firewall, just wondering if someone here can help me with the IPs of such servers or their range.
I'm trying to find the blocked IPs on my firewall but it's been a pain in the rear to find them.
The easiest way is to allow unfiltered access to port 80. If you will not or can not do that, you will need to change to DNS-01 validation. As long as you are not geoblocking DNS queries to your authoritative nameservers, that method should work.
Well, I thought AutoSSL only had limited support for DNS Challenge which did not include self-hosted DNS. So, there's that too. I could be remembering wrong though.
It is disturbingly common to see ns1 and ns2 both resolve to the same IP in cheap shared cPanel hosting setups. I have no idea if that is the case here.
LetsEncrypt follows CNAMEs, so you can delegate a DNS-01 challenge from a public authoritative server onto a semi-public server. I do that with acme-dns challenges, and use hooks to open/close the firewall during certbot operations.
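To make the two DNS-01 suggestions above concrete (switching from HTTP-01 to DNS-01, and delegating `_acme-challenge` with a CNAME so the TXT record lives on a separate challenge host that a hook can write to), here is an added Python example that is not code from the thread, from cPanel/AutoSSL, or from Let's Encrypt. It models the CA's lookup against a constructed in-memory zone instead of real DNS; all names (`example.com`, `abc123.acme.challenge.example`), the hop limit and the token value are invented for illustration.

```python
"""Added example (not from the thread): how an ACME DNS-01 validator finds the TXT
record when _acme-challenge is delegated with a CNAME, using a constructed in-memory
zone instead of real DNS. All names and values below are invented."""

from copy import deepcopy

MAX_CNAME_HOPS = 8  # assumed guard against CNAME loops; real resolvers also cap chains


def fqdn(name):
    """Normalise a name to its absolute (trailing-dot) form."""
    return name if name.endswith(".") else name + "."


def resolve_txt(name, records, max_hops=MAX_CNAME_HOPS):
    """Follow CNAMEs from `name` and return (final_name, txt_values, chain).

    `chain` lists each (alias, target) hop taken, so a caller can see the delegation.
    Raises RuntimeError if the chain loops or exceeds max_hops.
    """
    chain = []
    current = fqdn(name)
    for _ in range(max_hops + 1):  # up to max_hops hops plus one final lookup
        rrset = records.get(current, [])
        cnames = [target for rtype, target in rrset if rtype == "CNAME"]
        if cnames:
            chain.append((current, cnames[0]))
            current = cnames[0]
            continue
        txts = [value for rtype, value in rrset if rtype == "TXT"]
        return current, txts, chain
    raise RuntimeError(f"CNAME chain for {name} exceeds {max_hops} hops")


def has_cname_loop(records, name):
    """True if following CNAMEs from `name` never reaches a terminal record."""
    try:
        resolve_txt(name, records)
        return False
    except RuntimeError:
        return True


def challenge_name(domain):
    return fqdn("_acme-challenge." + domain)


def publish_challenge(records, domain, value):
    """Write the TXT where the CNAME chain ends (the semi-public challenge host),
    not at the public name: this is what an acme-dns style auth hook does."""
    target, _, _ = resolve_txt(challenge_name(domain), records)
    records.setdefault(target, []).append(("TXT", value))
    return target


def remove_challenge(records, domain, value):
    """Cleanup hook counterpart: drop the TXT once validation is over."""
    target, _, _ = resolve_txt(challenge_name(domain), records)
    records[target] = [rr for rr in records.get(target, []) if rr != ("TXT", value)]


def dns01_validates(records, domain, expected):
    """What the CA does: query TXT at _acme-challenge.<domain>, following CNAMEs,
    and accept if any returned value equals the expected key-authorization digest."""
    _, txts, _ = resolve_txt(challenge_name(domain), records)
    return expected in txts


# Constructed zone: the public authoritative zone for example.com delegates the
# challenge name to a separate host; no TXT exists until a hook publishes one.
ZONE = {
    "_acme-challenge.example.com.": [("CNAME", "abc123.acme.challenge.example.")],
    "abc123.acme.challenge.example.": [],
    # a self-referencing CNAME, included only to exercise the hop limit
    "_acme-challenge.loop.example.": [("CNAME", "_acme-challenge.loop.example.")],
}


def demo():
    """Walk one renewal: nothing published, hook publishes, CA validates, hook cleans up."""
    records = deepcopy(ZONE)
    token = "constructed-key-authorization-digest"  # constructed value, not a real digest
    before = dns01_validates(records, "example.com", token)  # False: nothing published yet
    where = publish_challenge(records, "example.com", token)
    during = dns01_validates(records, "example.com", token)  # True: found via the CNAME
    remove_challenge(records, "example.com", token)
    after = dns01_validates(records, "example.com", token)  # False again after cleanup
    return before, where, during, after


if __name__ == "__main__":
    print(demo())
```

The point of the delegation is visible in `publish_challenge`: the record is written on the challenge host, yet the CA, querying only the public `_acme-challenge.example.com` name, still finds it because it follows the CNAME. That is also why the validation survives a firewall that blocks inbound port 80 on the web server, as long as the authoritative nameservers themselves answer queries from anywhere.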