Servers and IP addresses used by Let's Encrypt

A vendor we use uses Let’s Encrypt and has asked me to allow port 80 (HTTP) through our firewall.

I have done this, however we use country blocking.

I was wanting to know if I could get a list of IP addresses or websites which Let’s Encrypt use for automatically updating our certificate.

Or, which region/country are your servers in, so that I could whitelist that region/country?

Welcome to the community @hilla

There are many threads about this including an FAQ. But, in short, no, IP addresses are not published.

Are you able to allow-list any URI starting with /.well-known/acme-challenge/?

Because that is the format of the HTTP Challenge which uses port 80. You could continue to block any other URI.

The FAQ answer (link here)

This is a good thread about a recent change

6 Likes

Hi @hilla
Info is so important. And this is hitting the spot on my tooth that almost hurts. This is an issue we will see more and more of in the future until we can figure out how to enlighten administrators on how to deal with world-wide validations.

If you don't mind me asking, what firewall is in use?
And secondly, how are you blocking countries?
This is important information for the record.
BTW: There are ways to block entities without completely blocking entire geographic areas of the planet.

I see Mike and Peter have responded, and they are VERY intelligent folks. My questions are totally based on security "recon" and your response may help me/us find a way to share the message on firewall practices (that many sys admins do not share) that in the end can bolster your security and help a lot of other people too.

As to the question of the title of this thread, your log files will be a big help.

5 Likes

Hi Rip Leader
We use Sophos XGS Firewall.
I ended up allowing Sweden and Singapore yesterday and all appears to be working today.
I also added a heap of Let's Encrypt URLs too.

Thanks.

2 Likes

That sounds odd. Can you give some examples? [To allow ACME http validation from any CA, just allow any IP to request /.well-known/acme-challenge via http]

8 Likes
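The rule Mike and Peter describe above (let any source IP reach /.well-known/acme-challenge/ on port 80, keep country blocking for everything else) is easy to get subtly wrong if the exemption matches on the raw request path. The example below is added here and is not code from the thread or from any firewall vendor; it shows the decision logic with the path normalised first, so a "../" or percent-encoded segment cannot ride the exemption to some other URI. Function names, the allowed-country set and the sample requests are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# An HTTP-01 challenge token is a base64url string (RFC 8555 section 8.3),
# so the exemption only needs to accept that character set.
ACME_PREFIX = "/.well-known/acme-challenge/"
ACME_TOKEN = re.compile(r"[A-Za-z0-9_-]+")


def is_acme_challenge(path: str) -> bool:
    """True only for a well-formed HTTP-01 challenge path.

    The query string is dropped, the path is percent-decoded and then
    normalised, so '/.well-known/acme-challenge/../admin' or an encoded
    '%2e%2e' segment resolves to its real target and is NOT exempted.
    """
    decoded = unquote(path.split("?", 1)[0])
    normalised = posixpath.normpath(decoded)
    if not normalised.startswith(ACME_PREFIX):
        return False
    token = normalised[len(ACME_PREFIX):]
    return ACME_TOKEN.fullmatch(token) is not None


def allow_request(src_country: str, dst_port: int, path: str,
                  allowed_countries: frozenset) -> bool:
    """Firewall-style decision used in this example (hypothetical policy).

    Validation requests from a CA may come from any country, so an ACME
    challenge on port 80 is allowed regardless of source; every other
    request falls back to the country allow-list.
    """
    if dst_port == 80 and is_acme_challenge(path):
        return True
    return src_country in allowed_countries


# Constructed sample policy and requests (not from the original thread).
ALLOWED = frozenset({"SE", "SG"})
SAMPLE_REQUESTS = [
    ("JP", 80, "/.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"),
    ("JP", 80, "/.well-known/acme-challenge/../admin"),
    ("JP", 80, "/.well-known/acme-challenge/%2e%2e/admin"),
    ("JP", 80, "/index.html"),
    ("SE", 443, "/index.html"),
]

if __name__ == "__main__":
    for country, port, url in SAMPLE_REQUESTS:
        verdict = "ALLOW" if allow_request(country, port, url, ALLOWED) else "BLOCK"
        print(f"{verdict:5} {country} :{port} {url}")
```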

Please note that we can't guarantee this will work, since in the future, we may change the countries of our validation endpoints without notice.

6 Likes