Validation from ip with security issues

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

In this case is not necessary; because the issue was the external protection firewall that stop some ip’s that have problems with blacklist reputation and malware on it.

When we add this ip’s temporarily in a ACL, the process complete the validation of the acme-challenge, but we are not sure of have confidence of this ip’s from Amazon AWS.

We suppose that this ip’s are part of your content delivery network services.

In our perimeter protection service we had ACL for the next IP’s

With the before ACL, the service always work, but this stop working this week.

The next list of the ip’s; the we enter in the temporal ACL, to validate the renew or the create of the new certificate, but the info of IP’s apparently don’t have any relation with letsencrypt.org.

Of Course after the renew/recreate cert; we disable the ACL because we don’t confidence on it, but when the renew time come, the automatic task will be fail.

Exist some list of the ip services, cname or something that tell us what are trusted and put it on a ACL?

I ran this command:

We use letsencrypt-win-simple.V1.9.6.2 and we change to win-acme.v2.1.5.742.x64.pluggable

wacs.exe --target manual --host domain.com --validation filesystem --webroot “C:\sites\www\demos\web” --store pemfiles --pemfilespath C:\sites\www\domain\ssl

It produced this output:

Captura de pantalla de 2020-03-11 10-59-18

My web server is (include version): windows Server 2012

The operating system my web server runs on is (include version): Apache 2.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

If you can’t leave port 80 open, then you should probably just switch to DNS authentication.
There are plenty of threads/topics here that cover how LE is now using multiple validation points and those IPs are NOT set in stone - they can, and will, change without notice.

6 Likes

Thank you .

I understand now the change and the reason.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.