I have my server hosted on AWS EC2, so all outgoing/incoming traffic is handled by the security group. I allowed all outgoing traffic, but is there any IP of Let's Encrypt which I have to allow for the incoming traffic?
I am also using Laravel Forge, and this is the error I get:
Cloning into 'letsencrypt1457443395'...
nginx stop/waiting
nginx start/running, process 9907
# INFO: Using main config file /root/letsencrypt1457443395/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing demo.shopwareianer.com
+ Signing domains...
+ Creating new directory /root/letsencrypt1457443395/certs/demo.shopwareianer.com ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for demo.shopwareianer.com...
+ Responding to challenge for demo.shopwareianer.com...
ERROR: Challenge is invalid! (returned: invalid) (result: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://demo.shopwareianer.com/.well-known/acme-challenge/M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI [52.29.114.93]: 403"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/eYW2d7Rl_lHDjcY2lXmKaF3HJizK8uTyNLvjM1ahPpU/24625061","token":"M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI","keyAuthorization":"M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI.Qq9MyiSo8o0XaKe20EASsWJURfkPZTeH_o-xY0KkyDk","validationRecord":[{"url":"http://demo.shopwareianer.com/.well-known/acme-challenge/M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI","hostname":"demo.shopwareianer.com","port":"80","addressesResolved":["52.29.114.93"],"addressUsed":"52.29.114.93"}]})
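The error above is not a blocked connection: the validator reached the host (the log shows it resolved and used 52.29.114.93) and the web server answered 403 for the challenge path. A quick way to tell a firewall problem from a web-server problem is to fetch the same URL the validator fetches. The script below is an added example, not part of this thread or of the client shown in the log; it probes a host the way an ACME http-01 validator would and classifies the result (connection failure, HTTP error, wrong body, success). It also starts a constructed local stand-in for the web server in two modes, one that serves the token file and one that answers 403 for every path beginning with "/." (a common effect of a dotfile-deny rule that also covers /.well-known), to show how the two failures look. The token, thumbprint and the local server are all constructed for the demo.

```python
import os
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def probe_challenge(host, token, key_authorization, port=80, timeout=10):
    """Fetch http://host/.well-known/acme-challenge/<token> like an http-01 validator.

    Returns a dict with the HTTP status (None if no connection), an ok flag and a
    human-readable diagnosis distinguishing firewall, web-server and content problems.
    """
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "http01-probe (added example)"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            status = resp.status
    except urllib.error.HTTPError as e:
        # The TCP connection worked, so a firewall/security group is not the problem;
        # the web server itself refused (403) or could not find (404) the token file.
        return {"status": e.code, "ok": False,
                "detail": f"HTTP {e.code} from the web server; check the vhost/location config for {CHALLENGE_PREFIX}"}
    except urllib.error.URLError as e:
        # No HTTP response at all: port closed, nothing listening, or filtered inbound traffic.
        return {"status": None, "ok": False,
                "detail": f"connection failed ({e.reason}); check that port {port} is reachable from the internet"}
    if body != key_authorization:
        return {"status": status, "ok": False,
                "detail": "reachable, but the served body is not the expected key authorization"}
    return {"status": status, "ok": True, "detail": "challenge file served correctly"}


def make_demo_server(webroot, deny_dotfiles):
    """Start a tiny local web server on 127.0.0.1 (constructed stand-in for nginx).

    deny_dotfiles=True mimics a configuration that answers 403 for any path
    starting with '/.', which also swallows /.well-known/acme-challenge/.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if deny_dotfiles and self.path.startswith("/."):
                self.send_error(403)
                return
            if not self.path.startswith(CHALLENGE_PREFIX):
                self.send_error(404)
                return
            token = os.path.basename(self.path)
            path = os.path.join(webroot, ".well-known", "acme-challenge", token)
            if not os.path.isfile(path):
                self.send_error(404)
                return
            with open(path, "rb") as f:
                data = f.read()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)  # port 0 = pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Probe two local servers: one serving the token, one denying dotfiles (403)."""
    token = "EXAMPLE_TOKEN"                     # constructed; real tokens come from the CA
    keyauth = token + ".EXAMPLE_THUMBPRINT"     # constructed key authorization
    webroot = tempfile.mkdtemp()
    os.makedirs(os.path.join(webroot, ".well-known", "acme-challenge"))
    with open(os.path.join(webroot, ".well-known", "acme-challenge", token), "w") as f:
        f.write(keyauth)
    results = {}
    for name, deny in (("served", False), ("dotfiles_denied", True)):
        server, port = make_demo_server(webroot, deny)
        try:
            results[name] = probe_challenge("127.0.0.1", token, keyauth, port=port, timeout=5)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: status={result['status']} ok={result['ok']} ({result['detail']})")
```

Against a real host you would call probe_challenge with your domain and the token from the log while the challenge file is still in place; a 403 or 404 means the request reached your web server and the fix is in its configuration, while a connection failure points at the security group or the listener on port 80.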
We've had a related thread here where it was explained that there is no specific IP address that can be used consistently.
It would be easy to find out which IP address is currently used, but there are plans in the works to use varying and potentially unpredictable IP addresses in the future, so we've strongly discouraged hard-coding the IP address in any way. As @jsha said in the other thread, if you can't allow arbitrary inbound connections for the validation, the DNS challenge might be more appropriate for you.
Wouldn’t it be possible to have a well-known domain name like validator.letsencrypt.org which resolves to all the IPs (A for IPv4 and AAAA for IPv6) used by Let's Encrypt to perform the validation challenge?
Keep the TTL low (something between 5m and 1h) and it would be a pretty accurate list of the IPs used by Let's Encrypt.
And those of us who want to filter traffic from or to these IPs could do it: sudo iptables -t nat -A PREROUTING -s validator.letsencrypt.org -p tcp -m tcp --dport 80 -j DNAT --to-destination A.B.C.D:80
The above command will add an entry in Linux netfilter for each A record of validator.letsencrypt.org.
One of the goals behind using an unpredictable set of IPs (Tor was one of the options being discussed IIRC) is to make spoofing attacks on challenge requests harder. Publishing a list of IP addresses, whether it’s done via DNS or any other means, wouldn’t be a good idea with that in mind. If your web service isn’t publicly available, maybe dns-01 validation would be a better option for your use-case.