A lot of postings in the Let's Encrypt forum concern firewall blocking. There was a long posting about one particular case in October by georgep which, as far as I can discover, has not yet been addressed.
I understand why Let's Encrypt needs to spin up new IPs from time to time and why it's impracticable to publish a list of them. But there is a fundamental problem inherent in clients not knowing the IPs used.
Many web server admins block server IP ranges from /24 to /11 and more. In running a web server this is necessary. In general, and with few exceptions such as genuine search engines, servers do not need to access web sites. The plethora of bots, hacks and injections hitting web sites from servers can easily be stemmed by blocking those IP ranges - broadband-based botnets are a different and partly unresolvable problem.
Let's Encrypt's arbitrary IPs often fall within those blocked ranges. Every few weeks I have to extract IP ranges from the firewall until the probe works and I get a renewed certificate for one or more of my couple of dozen sites. The process is necessarily hit and miss - the probe's IP may be from a range I've recently blocked or from one blocked years ago.
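One way an admin can take the guesswork out of the "which range did I block the probe with?" step is to correlate the web server's own access log with the blocklist. The script below is an added example written for this thread, not code from the original post or from Let's Encrypt; it assumes the refusal is enforced (or at least logged) at the HTTP layer as a 403 in a combined-format access log, and the CIDR list and log lines are constructed samples using documentation address space, not real Let's Encrypt validation ranges.

```python
import ipaddress
import re

# Constructed sample blocklist: ranges an admin has blocked over the years.
# These are RFC 5737 documentation prefixes, used here purely as placeholders.
BLOCKED_RANGES = [
    ipaddress.ip_network(c)
    for c in ("203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24")
]

# Constructed sample access log (combined log format). Line 6 is deliberately
# malformed to show that unparsable lines are skipped rather than crashing.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Oct/2023:12:00:01 +0000] "GET /.well-known/acme-challenge/abc HTTP/1.1" 403 162 "-" "-"
198.51.100.7 - - [10/Oct/2023:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [10/Oct/2023:12:00:03 +0000] "GET /.well-known/acme-challenge/def HTTP/1.1" 403 162 "-" "-"
100.64.0.5 - - [10/Oct/2023:12:00:04 +0000] "GET /.well-known/acme-challenge/ghi HTTP/1.1" 200 87 "-" "-"
100.64.0.9 - - [10/Oct/2023:12:00:05 +0000] "GET /.well-known/acme-challenge/jkl HTTP/1.1" 403 162 "-" "-"
this line is not a log entry
"""

# Minimal combined-log parser: client IP, request method/path, and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# HTTP-01 challenge URLs all live under this path.
ACME_PREFIX = "/.well-known/acme-challenge/"


def blocking_range(ip, ranges=BLOCKED_RANGES):
    """Return the first blocked network containing ip, or None if it is not blocked."""
    addr = ipaddress.ip_address(ip)
    for net in ranges:
        if addr in net:
            return net
    return None


def refused_acme_probes(log_text, ranges=BLOCKED_RANGES):
    """Find challenge requests that were refused.

    Returns a list of (client_ip, matched_cidr_or_None, status). A request counts
    as refused if its source sits in a blocked range, or if the server answered
    403 even though no configured range matched (some other rule fired).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ACME_PREFIX):
            continue
        status = int(m["status"])
        net = blocking_range(m["ip"], ranges)
        if net is not None or status == 403:
            hits.append((m["ip"], str(net) if net is not None else None, status))
    return hits


def ranges_to_review(hits):
    """Sorted list of the blocklist entries that caught a challenge probe."""
    return sorted({cidr for _, cidr, _ in hits if cidr is not None})


if __name__ == "__main__":
    found = refused_acme_probes(SAMPLE_LOG)
    for ip, cidr, status in found:
        print(f"{ip:16} status={status} blocked_by={cidr or 'no configured range'}")
    print("ranges to review:", ranges_to_review(found))
```

Two caveats apply. If the block happens at the packet filter rather than in the web server, the probe never reaches the access log and you would need to read the firewall's drop log instead, matching on destination port 80 rather than on the URL path. And the script only tells you which of your own entries fired; it does not tell you what the next validation IP will be, which is exactly the gap the proposal in this thread is about.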
Using a DNS solution is not an option for many people. Not all DNS administrators allow outside agents to write to their servers - and why should they? It's just one more potential weak spot in an already weak system.
May I propose a solution to this? When a probe is refused access, send an email to the address you hold for that domain saying which IP was refused. This would simplify our task of working through firewalls on an ad hoc basis.
Is there any reason why this cannot be done?