Today I created my first LE certificate and here is my short feedback/suggestion: I used manual mode, and to complete the process I was told to create a static page or run a python script. The python script wasn't my default choice as it needs port 80 (meaning it requires elevated permissions and stopping the existing process listening on port 80).
So my suggestion is that LE provide a list of IP addresses that the validation is made from; system administrators will then set firewall rules to redirect traffic coming from these IP addresses to the port the python script listens on.
For example (1.1.1.1 is the server's external IP, 2.2.2.2 is one of LE's IP addresses, 5050 is the port the python script listens on):
/sbin/iptables -t nat -A PREROUTING -i eth0 -s 2.2.2.2 -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to 1.1.1.1:5050
Notice that the machine on which you ran the 'letsencrypt-auto' script also connects to the python script (performing pre-validation [?], proof of work [?]), so you will need to add a rule for that machine's IP address as well.