Server IP of Let's Encrypt


#1

Hi,

I have my server hosted on AWS EC2. Therefore all outgoing / incoming traffic is handled by the security group. I allowed all outgoing traffic, but is there any IP of Let's Encrypt which I have to allow for the incoming traffic?

I am also using Laravel Forge, and this is the error I get:

Cloning into 'letsencrypt1457443395'...
nginx stop/waiting
nginx start/running, process 9907
# INFO: Using main config file /root/letsencrypt1457443395/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing demo.shopwareianer.com
 + Signing domains...
 + Creating new directory /root/letsencrypt1457443395/certs/demo.shopwareianer.com ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for demo.shopwareianer.com...
 + Responding to challenge for demo.shopwareianer.com...
ERROR: Challenge is invalid! (returned: invalid) (result: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://demo.shopwareianer.com/.well-known/acme-challenge/M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI [52.29.114.93]: 403"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/eYW2d7Rl_lHDjcY2lXmKaF3HJizK8uTyNLvjM1ahPpU/24625061","token":"M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI","keyAuthorization":"M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI.Qq9MyiSo8o0XaKe20EASsWJURfkPZTeH_o-xY0KkyDk","validationRecord":[{"url":"http://demo.shopwareianer.com/.well-known/acme-challenge/M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI","hostname":"demo.shopwareianer.com","port":"80","addressesResolved":["52.29.114.93"],"addressUsed":"52.29.114.93"}]})

Does someone know how to solve this problem?
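Added example for this thread (not part of letsencrypt.sh, Laravel Forge or Let's Encrypt's own tooling): a small parser for the ERROR line above that pulls the ACME challenge object out of it and classifies the failure. The point it makes explicit is that the validation record already answers the firewall question: an HTTP status code (here 403) in the CA's error detail means the validator completed a TCP connection to port 80 and got a reply from the web server, so a security-group rule is not what blocked the challenge; a blocked port would surface as a connection error with no status code at all. The second challenge object is constructed to show that contrasting case.

```python
"""Diagnose a failed ACME http-01 challenge from the letsencrypt.sh error line
in the post above. Added example for this thread, not client or CA code."""
import json
import re

# The ERROR line from the post above, copied verbatim (one long line).
SAMPLE_ERROR_LINE = (
    'ERROR: Challenge is invalid! (returned: invalid) (result: '
    '{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized",'
    '"detail":"Invalid response from http://demo.shopwareianer.com/.well-known/'
    'acme-challenge/M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI [52.29.114.93]: 403"},'
    '"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/'
    'eYW2d7Rl_lHDjcY2lXmKaF3HJizK8uTyNLvjM1ahPpU/24625061",'
    '"token":"M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI",'
    '"keyAuthorization":"M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI.'
    'Qq9MyiSo8o0XaKe20EASsWJURfkPZTeH_o-xY0KkyDk",'
    '"validationRecord":[{"url":"http://demo.shopwareianer.com/.well-known/'
    'acme-challenge/M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI",'
    '"hostname":"demo.shopwareianer.com","port":"80",'
    '"addressesResolved":["52.29.114.93"],"addressUsed":"52.29.114.93"}]})'
)

# Constructed challenge object (not from the thread) showing what an actual
# firewall block looks like: a connection error and no HTTP status at all.
CONSTRUCTED_CONNECTION_ERROR = {
    "type": "http-01",
    "status": "invalid",
    "error": {"type": "urn:acme:error:connection",
              "detail": "Could not connect to example.invalid"},
    "token": "constructed-token",
    "keyAuthorization": "constructed-token.constructed-thumbprint",
    "validationRecord": [{
        "url": "http://example.invalid/.well-known/acme-challenge/constructed-token",
        "hostname": "example.invalid", "port": "80",
        "addressesResolved": ["192.0.2.10"], "addressUsed": "192.0.2.10"}],
}

# "... [52.29.114.93]: 403" -> the address the validator used and the status it got
_STATUS_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]: (?P<status>\d{3})")


def extract_challenge(line):
    """Return the JSON challenge object embedded in '(result: {...})'."""
    marker = "(result: "
    start = line.find(marker)
    if start == -1:
        raise ValueError("line carries no ACME result object")
    start += len(marker)
    depth = 0
    for i in range(start, len(line)):
        if line[i] == "{":
            depth += 1
        elif line[i] == "}":
            depth -= 1
            if depth == 0:
                return json.loads(line[start:i + 1])
    raise ValueError("unterminated JSON object")


def diagnose(challenge):
    """Classify why an http-01 challenge failed, from the challenge object."""
    error = challenge.get("error", {})
    record = (challenge.get("validationRecord") or [{}])[0]
    match = _STATUS_RE.search(error.get("detail", ""))
    result = {
        "challenge_type": challenge.get("type"),
        "acme_error": error.get("type"),
        "address_used": record.get("addressUsed"),
        # What the validator fetches and what it expects the body to be
        "expected_path": "/.well-known/acme-challenge/" + challenge.get("token", ""),
        "expected_body": challenge.get("keyAuthorization"),
        "http_status": int(match.group("status")) if match else None,
    }
    if match:
        # An HTTP reply came back, so TCP/80 was open: look at the web server
        # (location block, access rules, .htaccess), not at the firewall.
        result["reachable"] = True
        if result["http_status"] in (401, 403):
            result["category"] = "webserver_denied"
        elif result["http_status"] == 404:
            result["category"] = "challenge_file_missing"
        else:
            result["category"] = "unexpected_http_status"
    else:
        # No status code: the validator never completed an HTTP exchange.
        result["reachable"] = False
        result["category"] = "unreachable"
    return result


def diagnose_line(line):
    return diagnose(extract_challenge(line))


if __name__ == "__main__":
    for key, value in diagnose_line(SAMPLE_ERROR_LINE).items():
        print(f"{key}: {value}")
```

For the log above this yields `reachable: True` and `category: webserver_denied`, which points at the nginx configuration serving `/.well-known/acme-challenge/` rather than at the EC2 security group.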


#2

Hi,

We’ve had a related thread here where it was explained that there is no specific IP address that can be used consistently.

It would be easy to find out which IP address is currently used, but there are plans in the work to use varying and potentially unpredictable IP addresses in the future so we’ve strongly discouraged somehow hard-coding the IP address. As @jsha said in the other thread, if you can’t allow arbitrary inbound connections for the validation, the DNS challenge might be more appropriate for you.


#3

Wouldn’t it be possible to have a well-known domain name like validator.letsencrypt.org which resolves to all the IPs used (A for IPv4 and AAAA for IPv6) by Let's Encrypt to do the validation challenge?
Keep the TTL low (something between 5m and 1h) and it would be a pretty accurate list of IPs used by Let's Encrypt.

And those of us who want to filter traffic from or to these IPs could do it:
sudo iptables -t nat -A PREROUTING -s validator.letsencrypt.org -p tcp -m tcp --dport 80 -j DNAT --to-destination A.B.C.D:80
The above command will add an entry in Linux netfilter for each A record of validator.letsencrypt.org.


#4

One of the goals behind using an unpredictable set of IPs (Tor was one of the options being discussed IIRC) is to make spoofing attacks on challenge requests harder. Publishing a list of IP addresses, whether it’s done via DNS or any other means, wouldn’t be a good idea with that in mind. If your web service isn’t publicly available, maybe dns-01 validation would be a better option for your use-case.
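Added example for this thread (not Let's Encrypt's or any ACME client's code): the record that the dns-01 validation recommended in #2 and #4 needs. The construction is the one the ACME specification defines: the TXT value is the unpadded base64url encoding of SHA-256 over the key authorization string `<token>.<account key thumbprint>`, published at `_acme-challenge.<domain>`. Because the CA checks it with a DNS query, no inbound connection to the web server is needed, which is why it sidesteps the IP-allowlisting question entirely. The key authorization value is taken from the challenge object in #1 purely to illustrate the computation; a dns-01 challenge would carry its own token.

```python
"""Compute and check the TXT record for an ACME dns-01 challenge.
Added example for this thread, not Let's Encrypt's or a client's code."""
import base64
import hashlib

# keyAuthorization from the challenge object in post #1, reused here only to
# show the computation (a real dns-01 challenge gets its own token).
KEY_AUTHORIZATION = ("M2_TlbzQwVIGgCce6VKpoDaHtxrTHdy1KHrem1IdYSI."
                     "Qq9MyiSo8o0XaKe20EASsWJURfkPZTeH_o-xY0KkyDk")


def dns01_txt_value(key_authorization):
    """base64url(SHA-256(keyAuthorization)) with the '=' padding stripped."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def dns01_record(domain, key_authorization):
    """(owner name, TXT value) pair to publish for `domain`."""
    return ("_acme-challenge." + domain, dns01_txt_value(key_authorization))


def dns01_satisfied(published_txt_values, key_authorization):
    """True if one of the TXT values currently published at the owner name
    matches. Stale values from earlier challenges may still be present,
    so the check is membership, not equality; quotes from zone-file or dig
    output are tolerated."""
    expected = dns01_txt_value(key_authorization)
    return any(value.strip('"') == expected for value in published_txt_values)


if __name__ == "__main__":
    name, value = dns01_record("demo.shopwareianer.com", KEY_AUTHORIZATION)
    print(f'{name}. 300 IN TXT "{value}"')
```

The printed line is the zone-file entry to add before asking the client to trigger validation; after the certificate is issued the record can be removed, since each renewal gets a fresh token.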


#5

The IP list could also be helpful when you have geo-targeting in place, not just for firewalling.