Stuck due to recent changes -- using a Firewall and DNS-01 not possible


I have been using Let's Encrypt successfully for quite a while now (over a year), but recently, due to changes that were made, things “broke” in the way I used to use Let's Encrypt.

I am unable to use the DNS-01 method because my DNS provider does not support an automated way to enter TXT records. This is not an option for me, so I need a viable other option.

Secondly, I am using a FIREWALL, and it is unacceptable to require people to NOT use a firewall… the internet is a dangerous place, and operating a server without a firewall is just suicide! So, I strongly suggest that you reconsider your policies, because you’re painting a circle that is too small and just does not work anymore. I don’t understand why “hiding” the validation servers is needed. Is this security by obscurity? Well, that’s not security; there is no valid reason for hiding the validation servers (DNS names or IP addresses).

I used to use the TLS-01 but I read this is now being removed… and with the recent upgrade, everything broke… so I’m trying to get things working again before my certificate expires.

Anyway, I am sure I will have additional questions as I wade through this mess, but as you can see I have been frustrated with this change and the limitations that exist.

You can move to a different DNS provider.

You can also use CNAME or NS records to point the _acme-challenge names at a different DNS provider -- maybe even a DNS server on your own machine -- that does support programmatic updates.

That's how most websites work. Few web servers have perfect security, but a maintained HTTP server doesn't often get compromised.

It makes BGP hijacking attacks against DNS or HTTP slightly more difficult. At the moment, it's not a huge help.

More importantly, it maintains future flexibility for Let's Encrypt to renumber, or implement more serious mitigations for hijacking, without thousands of users having validation break.

(For example, the staging environment already makes requests from other IPs.)

(It's an active research topic.)

Even if web server vulnerabilities are a concern, exposing an HTTP server to the Internet is probably less dangerous than exposing an HTTPS server... An HTTP parser is a smaller attack surface than a TLS implementation, an HTTP/2 parser, and an HTTP parser.

No one's happy that TLS-SNI-01 is being disabled, but it was unfortunately important for security. 🙁


As @mnordhoff says, you can always change to a different DNS provider. Cloudflare has a well-supported API and provides DNS service for free.

There is no such requirement. But the general purpose of a trusted TLS certificate is to secure public-facing services, which would inherently require that your firewall open some ports to the public. I'm using a firewall, but run a public-facing web/mail server behind it. Thus, HTTP-01 validation works just fine for me. You had to open a port to pass the TLS-SNI challenge anyway; now you just need to open a different one.
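Worked example (added here; not code from the thread, from Let's Encrypt, or from any ACME client) of what the two challenge types discussed above actually require: how the HTTP-01 response body and the DNS-01 TXT value are derived from the server-issued token and the ACME account key (RFC 8555 sections 8.1, 8.3 and 8.4, with the RFC 7638 key thumbprint), and how a validator that follows CNAMEs reaches a `_acme-challenge` record delegated to another DNS provider, as suggested in mnordhoff's reply above. The account key, token and DNS names below are constructed placeholders, not real values.

```python
"""ACME (RFC 8555) challenge responses for HTTP-01 and DNS-01, plus the
CNAME delegation of _acme-challenge names to a provider with an API.

Added example; not from the original thread.  ACCOUNT_JWK is a constructed
placeholder (not a valid P-256 point) so the script runs offline.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order,
    no whitespace, SHA-256, then base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01 (s8.3): the validator fetches this path over plain HTTP on
    port 80 and expects exactly this body.  Because it may connect from any
    source address, the firewall has to allow tcp/80 from everywhere rather
    than from an allow-list of validator IPs."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt(token: str, jwk: dict) -> str:
    """DNS-01 (s8.4): TXT value = base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def resolve_txt(name: str, records: dict, max_hops: int = 8) -> tuple[str, list[str]]:
    """Minimal resolver over an in-memory record set: follow CNAMEs from
    `name` and return (final owner name, TXT values found there)."""
    for _ in range(max_hops):
        rrset = records.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return name, list(rrset.get("TXT", []))
    raise RuntimeError("CNAME chain too long")


def validate_dns01(domain: str, token: str, jwk: dict, records: dict) -> bool:
    """What the CA's validator does: look up _acme-challenge.<domain>,
    following any CNAME delegation, and accept if the expected TXT is present."""
    _, values = resolve_txt(f"_acme-challenge.{domain}.", records)
    return dns01_txt(token, jwk) in values


# Constructed placeholder account key: the x/y values are NOT a real curve point.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
}

if __name__ == "__main__":
    token = b64url(secrets.token_bytes(32))  # issued by the CA in reality
    path, body = http01_response(token, ACCOUNT_JWK)
    print(f"HTTP-01: serve {body!r} at http://example.com{path}")

    # DNS-01 with _acme-challenge.example.com CNAMEd into a zone whose provider
    # supports programmatic updates (the delegation suggested in the thread).
    # Names are constructed for the example.
    records = {
        "_acme-challenge.example.com.": {"CNAME": "example.com.acme.example.net."},
        "example.com.acme.example.net.": {"TXT": [dns01_txt(token, ACCOUNT_JWK)]},
    }
    print("DNS-01 valid:", validate_dns01("example.com", token, ACCOUNT_JWK, records))
```

The point of `resolve_txt` is that the CA only ever queries `_acme-challenge.<your-domain>`; where the TXT record physically lives is up to you, so a one-time CNAME at a provider without an API hands the per-renewal updates to a zone you can automate. Note that `http01_response` is only the content side of HTTP-01: the validator still has to be able to reach port 80, and the thread's replies make clear that no fixed list of source addresses is published.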


I am happy to open a port and allow access to it; that is in fact the purpose of my post, but someone needs to advise who these “validation servers” are that should be allowed access to it.

I am unable to change DNS providers as that is a significantly more involved process, and if I have to go through that route to make that level of change, then I will just go with a new provider that will provide me with one of their generated certificates. And that defeats the entire purpose of using “Lets’ Encrypt” in the first place.

Unfortunately, due to severe hacking attempts, I need to use a firewall to block the troublemakers (hackers) out there. So it would be helpful if the validation servers were published so that I know (so that we all know) who to trust, and that the certificates themselves are legitimate and not a forgery created by a hacker who has an underlying motive to compromise the site (or whole networks).

Even the HTTP-01 and DNS-01 approaches are no more safe and secure than the TLS-01 approach. I can hack these for you if you wish me to prove that they are also just as compromised. I am concerned that some have jumped to early conclusions on these topics.

IMHO, transparency is critical to security. Hiding the “validation servers” is not in fact security, and it is not a good security practice.

I am pointing these out because I am looking forward to these things being improved so we can all benefit from this.

Hi @treedee,

This has been discussed at considerable length in previous forum threads. Let's Encrypt's position is clear: validation attempts may come from any IP address, including those that have not previously been disclosed; validation IP addresses may change at any time. Let's Encrypt's policy is that someone who does not want to allow inbound connections for validation purposes from an IP address should use the DNS-01 method instead. More and more hosting providers and server software are now automating these processes. If yours doesn't, you have the option to change hosting environments, assume more responsibility for completing the process yourself, or get a certificate from a different CA.

You can of course figure out some of the IP addresses in use now by simply trying to get a certificate and noticing where the requests come from, but Let's Encrypt will not guarantee that those are the only addresses that are used to perform validations and will not notify you when other addresses come into use. So your renewals are likely to break at some point in this case.

That would be great—please do! The most responsible way to pursue this would be to get a domain registrant's permission to try to get a certificate for a domain, without giving you any technical control of any of the associated accounts or infrastructure. Alternatively, you could register your own domain and set it up in a realistic configuration and then try to obtain a certificate for it without using your control over any of the associated accounts or infrastructure.


@schoen's already said that isn't going to happen, and why. But why is this only an issue now? Using the TLS-SNI validator, you had to have a port open to the whole Internet. Using the HTTP-01 validator, you need to have a port open to the whole Internet. Either way, a service on your server is exposed to the Internet. Why is it suddenly critical, now that port 80 needs to be open, that you know the IPs from which the requests will be coming?

You mean you choose not to change DNS providers. It's your choice, to be sure, but then you live with the consequences.
