Security Group settings for renewals


I want to configure my EC2 security groups to only allow incoming requests from our organization, but I realize that certbot renewals need incoming requests to be allowed too. How can I configure it so that I don’t have to open all incoming requests to anyone in the world?


You don’t; LE has repeatedly and explicitly said they may do validation from any place, any network. If you don’t want this exposure, you might want to look into DNS validation instead.


Hi @arisbanach

you can’t direct restrict that. But - perhaps - you can create additional rules, so that only content of


is send, other may be blocked with a http-status 401 or something else.

The letsencrypt-validation needs only this subdirectory, no /, /index.html or other files.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.