Since the Amazon cloud is one of the major spam-sending networks and a lot of abuse originates from it, I don't think Let's Encrypt should associate itself with such a party. Furthermore, by using those IP ranges you are forcing providers to open firewalls they previously closed for this Amazon cloud.

Let's Encrypt isn't willing to commit to connecting or not connecting from any particular part of the Internet, or otherwise support people making firewall exceptions specifically for Let's Encrypt IP addresses. If there are any IP addresses from which you don't want to allow inbound challenge connections, we request that you use the DNS-01 challenge method.


I should clarify that it’s fine to block requests other than HTTP requests starting with /.well-known/acme-challenge/ (for HTTP-01) or HTTPS ClientHello messages presenting SNI for names ending in .acme.invalid (for TLS-SNI-01). Let’s Encrypt doesn’t insist on being able to send arbitrary traffic to arbitrary parts of websites for these validation methods.
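For the split described above, here is an added example (not from the original thread, not Let's Encrypt's own configuration) of an nginx server block that leaves only the HTTP-01 path `/.well-known/acme-challenge/` reachable from any address while the rest of the site stays limited to an allowlist; the hostname, the webroot path and the address range are placeholders.

```nginx
# Constructed example: keep the site closed to the public, but do not block
# the one path Let's Encrypt needs for HTTP-01, so no guessing of validator
# IP ranges is required.
server {
    listen 80;
    server_name example.com;              # placeholder hostname

    # HTTP-01 only ever fetches /.well-known/acme-challenge/<token>.
    # "^~" makes this prefix win over any regex locations defined later.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;               # assumed webroot used by the ACME client
        default_type text/plain;
        try_files $uri =404;              # serve the token file, nothing else
        allow all;                        # reachable from any source address
    }

    # Everything else stays restricted to the operator's own network.
    location / {
        allow 192.0.2.0/24;               # RFC 5737 documentation range as a stand-in
        deny all;
        root /var/www/site;
    }
}
```

The first location block applies no address restriction at all, so the validator's origin does not matter; the second block is where the existing firewall policy lives.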

The cloud which Let's Encrypt chooses is up to them, really.

I am not sure why you would suggest a certificate authority such as Let's Encrypt makes changes to their infrastructure.

or otherwise support people making firewall exceptions specifically for Let’s Encrypt IP addresses.

Why not? Your business is to supply certificates and authenticate the domain (ownership)? In the mentioned threads I don't read any argumentation as to why validating from your 'hidden' IPs is better than from known, published IPs. Can you elaborate on this?

Absolutely not.

Amazon is an Infrastructure as a Service provider.

They provide services which people can use in different ways.

Not everyone on Amazon is misusing the services. In fact, very large organisations and governments use AWS services.

Almost every web hosting company and Infrastructure as a Service provider will have people who abuse the service. It doesn’t mean that everyone else using the service agrees with them.

AWS selection is usually based on availability, security, pricing and ease of use. Almost no one picks an Infrastructure as a Service provider using your rationale.


Once again, this is a normal process for Software as a Service providers.

Validating from non published IPs means they can load balance around the world and choose how they approach a problem.

Having to use certain IPs adds a lot of overhead.

Most modern firewalls can support hostname-based filters, and this has been discussed before.
