On Sophos firewalls, specifically the SG firewall with version 9.x and the country blocking feature enabled: various Sophos community articles suggest that the way to get Let's Encrypt working is to exclude the following DNS Groups from the country blocking feature. (In the Sophos world, a "DNS Group" is a DNS entry with multiple IPs, if you don't know.)
But the verifications done by Let's Encrypt's servers are still blocked. It seems that there are additional connections from various Amazon cloud servers.
So my question is:
Does somebody know the "real list" of all DNS addresses of the sources used by the Let's Encrypt verification process?
I'm searching for the DNS names, IP ranges, network IDs ...
Everything I can transform into a rule for the firewall. I can't disable the whole feature because of Let's Encrypt.
Let's Encrypt's validation servers check from many places on the Internet because they need to validate that you own the name as seen from all vantage points on the Internet. They do not and will not publish network ranges because where they check from constantly changes.
You need to either allow all traffic from everywhere for HTTP (at least while running renewals; some people go so far as to script opening up the firewall at the start of renewing and closing it up again afterwards); or switch to a DNS-01 challenge (where you automate updating your DNS, and assuming you allow access to the DNS server from everywhere even if you don't want to allow HTTP from everywhere).
Yes, but no.
The (not so big) hole only needs to be for HTTP (if you do HTTP auth and don't redirect the challenge requests to HTTPS).
If you do DNS auth, then there is no HTTP hole required.
Okay... yes, we have an HTTP to HTTPS redirection active in the firewall. Okay, that means I can create an HTTPS exception for our target IPs without HTTP. I will verify that.
As far as I saw, all connections came from Amazon AWS servers in the US. But that doesn't mean that another connection won't come from another AWS server location or another cloud provider. So an "any" exception for HTTPS in the country block is needed.
My suggestion was to allow HTTP from everywhere.
Handle the authentication requests in HTTP.
Forward all else to HTTPS.
[block any/all countries from HTTPS only]
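The split the reply above describes, written out as an added nginx example (not from this thread or from Sophos): the HTTP listener answers only ACME challenge requests and redirects everything else to HTTPS, so the firewall can leave port 80 open to all countries while country blocking stays on for port 443. The webroot path /var/www/letsencrypt and the hostname example.com are assumptions.

```nginx
# Port 80: only the ACME HTTP-01 challenge path is served in clear text.
# The firewall must pass TCP/80 from any country for this to work, because
# Let's Encrypt validates from changing, unpublished addresses.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Serve challenge tokens written by the ACME client (e.g. certbot --webroot).
    # "^~" makes this prefix win over the catch-all below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot, contains .well-known/...
        default_type text/plain;
        try_files $uri =404;         # no directory listing, no fallthrough
    }

    # Everything else is redirected to HTTPS; the challenge path above is
    # excluded, so validation requests are never bounced into port 443.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: normal site, still protected by the firewall's country blocking.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/html;
}
```

Check after deployment that the challenge path is reachable without a redirect, e.g. `curl -I http://example.com/.well-known/acme-challenge/test` should return 404 (not 301) before a token exists.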