I want to configure my EC2 security groups to only allow incoming requests from our organization, but I realize that certbot renewals need incoming requests to be allowed too. How can I configure it so that I don’t have to open all incoming requests to anyone in the world?
You don’t; LE has repeatedly and explicitly said they may do validation from any place, any network. If you don’t want this exposure, you might want to look into DNS validation instead.
You can’t directly restrict that. But - perhaps - you can create additional rules, so that only content of
is sent; others may be blocked with an http-status 401 or something else.
The Let's Encrypt validation needs only this subdirectory, not /, /index.html or other files.
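Added example, not from anyone in this thread: a minimal gate that implements the reply's idea at the web-server layer, with the security group still open on port 80. Requests for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/, defined by RFC 8555) are answered from anywhere; every other path gets 401 unless the client is inside the organisation's address ranges, which here are constructed placeholder CIDRs.

```python
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder ranges; replace with your organisation's real CIDRs.
ORG_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
# Challenge location fixed by the ACME HTTP-01 method (RFC 8555).
ACME_PREFIX = "/.well-known/acme-challenge/"
# Challenge tokens are base64url without padding: letters, digits, '-' and '_'.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def decide(path: str, client_ip: str, org_networks=ORG_NETWORKS) -> int:
    """Return the HTTP status to send: 200 to serve the request, 401 to refuse it."""
    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):]
        # Only a single well-formed token segment is public; the bare directory,
        # nested paths and '..' style segments are refused like any other path.
        if TOKEN_RE.fullmatch(token):
            return 200
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return 401
    # Everything outside the challenge directory is reserved for the organisation.
    return 200 if any(addr in net for net in org_networks) else 401


class GateHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # client_address is the TCP peer; behind an AWS load balancer you would need
        # the trusted forwarded address instead, otherwise every request looks internal.
        status = decide(self.path.split("?", 1)[0], self.client_address[0])
        self.send_response(status)
        self.end_headers()
        if status == 200:
            # A real deployment serves the token file or hands off to the application here.
            self.wfile.write(b"ok\n")


if __name__ == "__main__":
    # HTTP-01 is only ever fetched on port 80, so that is the port the gate must own.
    HTTPServer(("0.0.0.0", 80), GateHandler).serve_forever()
```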