Security Group settings for renewals


#1

I want to configure my EC2 security groups to only allow incoming requests from our organization, but I realize that certbot renewals need incoming requests to be allowed too. How can I configure it so that I don’t have to open all incoming requests to anyone in the world?


#2

You don’t; LE has repeatedly and explicitly said they may do validation from any place, any network. If you don’t want this exposure, you might want to look into DNS validation instead.


#3

Hi @arisbanach

you can’t directly restrict that. But - perhaps - you can create additional rules, so that only content of

/.well-known/acme-challenge/

is sent; others may be blocked with an http-status 401 or something else.

The letsencrypt validation needs only this subdirectory, not /, /index.html or other files.
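One way to implement what #3 describes, as an added example that is not from the thread: the security group still has to admit 80/443 from anywhere, but the web server keeps only the ACME path world-reachable and limits everything else to the organization's addresses. Assumed values: 203.0.113.0/24 as the organization's range (a placeholder, TEST-NET-3), /var/www/letsencrypt as certbot's --webroot-path, example.com as the host, and an application on 127.0.0.1:8080.

```nginx
# Added example (not from the thread): nginx server block that leaves the EC2
# security group open on port 80 but enforces the source restriction in nginx.
server {
    listen 80;
    server_name example.com;

    # HTTP-01 validation may come from any Let's Encrypt vantage point, so this
    # path stays reachable from anywhere. "^~" makes this prefix win over any
    # regex locations that might otherwise capture the request.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # certbot --webroot-path (assumed)
        default_type "text/plain";
        try_files $uri =404;            # only the token files, nothing else
    }

    # Everything else: organization range only; all other sources get 403.
    # Do not put "return" in this block: nginx runs "return" in the rewrite
    # phase, before the access phase, so allow/deny would be bypassed.
    location / {
        allow 203.0.113.0/24;           # organization range (placeholder)
        deny all;
        proxy_pass http://127.0.0.1:8080;   # assumed application backend
    }
}
```

Check it with `nginx -t`, then confirm from an address outside the range that `/.well-known/acme-challenge/<token>` answers while `/` returns 403.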


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.