I have a dev website using letsencrypt certs that is now failing to renew. Because the website is dev, I limit exposure to the internet at large via Apache ACLs. I have ACL entries in place to allow renewal from letsencrypt.org, which has worked perfectly in the past. Looking at Apache logs after the failure, I see requests to the .well-known directory from amazonaws.com. I am assuming the requests are legit and will add an ACL entry for it. The documentation still claims that issuances and renewals originate from letsencrypt.org. Documentation should be updated to reflect other domains that authenticator requests may come from.
Where do you see that documentation? Because the Let’s Encrypt docs clearly say you shouldn’t use ACLs because Let’s Encrypt explicitly doesn’t list the sources it’s validating from! https://letsencrypt.org/docs/faq/
FYI, the official announcement of this change was here:
IMO best practices would be to use your standard ACLs to block access to everything, then allow everyone access to only the .well-known/acme-challenge/ directory which should always be empty except for a few moments during renewal.
Or use a different challenge like DNS-01
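The "block everything, open only the challenge path" layout suggested above, written out as an Apache 2.4 vhost. This is an added example, not configuration from the original posts; the hostname, document root and the 203.0.113.0/24 allow-list range are placeholders you would replace with your own.

```apache
<VirtualHost *:80>
    ServerName dev.example.com          # placeholder hostname
    DocumentRoot /var/www/dev           # placeholder document root

    # Default policy for the whole site: only the listed range (placeholder,
    # e.g. your office or VPN egress) may reach anything on this vhost.
    <Location "/">
        Require ip 203.0.113.0/24
    </Location>

    # Exception: the HTTP-01 challenge path must be reachable from anywhere,
    # because Let's Encrypt does not publish the IPs it validates from.
    # A later <Location> that matches the request overrides the earlier one,
    # so this block must come after the catch-all above.
    <Location "/.well-known/acme-challenge/">
        Require all granted
        Options -Indexes                 # never list the directory contents
    </Location>
</VirtualHost>
```

After reloading Apache, confirm the split from an address outside the allow-list: a request for `/.well-known/acme-challenge/anything` should return 404 (path open, token not present), while a request for `/` should return 403. The challenge directory holds a token file only for the few seconds the ACME client is validating, so leaving it world-readable exposes nothing else on the dev site.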
And if that’s too “open”, you might be able to temporarily allow access to /.well-known/acme-challenge/ during a renewal by scripting something.
If you proxy all port 80 connections (or just send them to another server), then your risk is already minimized.
Ideally only the /.well-known/acme-challenge/ requests would ever hit your actual web server (and even then, only via proxy).