So the simplest way is to manually open the firewall for issuance and renewals and close it again afterwards.
You can use the following command, which inserts the rule at the very top of the INPUT chain so that accepted packets are not evaluated against any later (e.g. DROP) rule:
iptables -I INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
Once the certificate has been installed, remove the rule again (the -D specification must match the inserted rule exactly):
iptables -D INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
make four total validation requests (1 from a primary datacentre, and 3 from remote datacentres). The primary request and at least 2 of the 3 remote requests must receive the correct challenge response value for the domain to be considered authorized.
Note: Currently LE does not publish the IPs it uses, so you cannot fully whitelist Let's Encrypt IPs.
I did whitelist the CIDR ranges below; however, this doesn't promise they are fully used by LE, or that they won't change:
138.197.176.0/20, 172.65.0.0/16, 172.65.32.0/20, 172.65.32.248, 172.65.46.0/24, 18.116.86.0/24, 18.197.97.0/24, 2606:4700:60:0:f53d:5624:85c7:3a2c, 52.28.236.0/24, 52.28.236.88, 64.78.149.0/24, 66.133.109.0/24, 3.128.26.105, 34.209.232.166, 34.222.229.130, 52.15.254.228, 64.78.149.164, 66.133.109.36