I understand the reasons that LetsEncrypt won't publish the IP addresses for the challenge servers. I also know about DNS-01 (which will not work for us since we need to manually update DNS with our hosting company).
My suggestion is to implement a directive in the renewal configuration file to specify which country the challenge comes from. There could be two forms for this:
- challenge_allow = code,code,code
  The challenge only comes from servers that are located in countries with these country codes.
- challenge_block = code,code,code
  The challenge will never come from a server in a country with the listed country codes.
Examples:
country_allow = US,CA,UK
http challenges would only come from servers in the United States, Canada, or the United Kingdom.
country_block = US,CA,UK
http challenge requests would not come from servers in the United States, Canada, or the United Kingdom.
Implementation:
When a new cert is requested, it goes through the normal process, but the process that triggers the challenge only goes to a server that is in an allowed (or not in the blocked) country.
This does not fully solve some problems people have with the challenge servers' IP addresses being on block lists, but it does solve problems for those who use GeoIP fencing on their webservers.
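As an added illustration (not code from the post, and not something certbot or Let's Encrypt actually implement), here is a hypothetical parser for the suggested `country_allow` / `country_block` lines together with the selection step: given a constructed list of validation vantage points tagged with a country code, it keeps only those the renewal file permits, treating a block list as taking precedence when both directives are present.

```python
"""Hypothetical filter for the proposed renewal-file directives."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Validator:
    """A challenge vantage point; the country code is what the client would filter on."""
    name: str
    country: str  # two-letter code, written as in the post (e.g. "US", "UK")


def parse_directives(text: str) -> dict[str, set[str]]:
    """Parse 'key = A,B,C' lines from a renewal file fragment.

    Only country_allow / country_block are recognised; codes are upper-cased
    and blank entries (e.g. a trailing comma) are dropped.
    """
    out: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and whitespace
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("country_allow", "country_block"):
            out[key] = {c.strip().upper() for c in value.split(",") if c.strip()}
    return out


def select_validators(validators: list[Validator],
                      directives: dict[str, set[str]]) -> list[Validator]:
    """Keep vantage points permitted by the directives.

    With country_allow set, only listed countries qualify; country_block
    always removes a country, even if it also appears in the allow list.
    """
    allow = directives.get("country_allow")      # None means "no restriction"
    block = directives.get("country_block", set())
    chosen = []
    for v in validators:
        cc = v.country.upper()
        if allow is not None and cc not in allow:
            continue
        if cc in block:
            continue
        chosen.append(v)
    return chosen


# Constructed sample data: vantage points and a renewal-file fragment.
SAMPLE_VALIDATORS = [
    Validator("va-1", "US"), Validator("va-2", "DE"),
    Validator("va-3", "CA"), Validator("va-4", "UK"),
]
SAMPLE_CONFIG = "country_allow = US,CA,UK\ncountry_block = ca   # exclude Canada\n"
```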