Let’s Encrypt’s policy is that you should allow all IPs to access the validation paths on your website instead of blocking or allowing individual IPs.
The alternative is to use DNS validation (while allowing all IPs to access your DNS servers…).
They recently enabled multiple perspective validation, which is why you’re seeing requests from new IPs now, but it’s possible for them to change at any time.
I would rather not open port 80 as there’s no need for the world to access the site I’m installing a certificate on. I understand that IP addresses change, but my firewall has a feature to look up any number of IPs via hostname and use that in allow rulesets. I am not asking for IPs but hostnames which resolve to the multitude of IPs that could be attempting validation. In the past this was through the above hostnames, are you saying that has been discontinued now? Because that would potentially put systems at risk if they had to allow port 80 requests from *.
I’ve looked into DNS validation and it won’t be possible for me to configure that.
Then don’t open port 80 and serve your website on 443 exclusively (that means no redirect!)
Use --standalone and get your firewall to open and close port 80 with --pre-hook and --post-hook (read the certbot documentation) – this way your port 80 will only be open for a few minutes every 60 days.
Make triple sure you have nothing listening locally on port 80, or --standalone will not work.
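The pre-hook/post-hook approach described in the reply above, as an added example that is not part of the original thread: a single hook script for a Linux host whose firewall is managed with iptables. The firewall tool, the INPUT chain, the rule comment and the name pbx.example.com are assumptions; a firewall appliance would need its own equivalent commands in place of the iptables calls.

```sh
#!/bin/sh
# certbot-http01-fw.sh: open TCP/80 only for the duration of an HTTP-01
# validation, then close it again. Added example (not from the thread) for a
# Linux host firewall managed with iptables; command, chain and hostname are
# assumptions.
#
# Install as /usr/local/sbin/certbot-http01-fw.sh and wire it in once:
#   certbot certonly --standalone -d pbx.example.com \
#       --pre-hook  "/usr/local/sbin/certbot-http01-fw.sh pre" \
#       --post-hook "/usr/local/sbin/certbot-http01-fw.sh post"
# certbot stores the hooks in the renewal config, so `certbot renew` reuses them.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # also run with ip6tables if the name has an AAAA record
# The rule is tagged with a comment so we only ever add or remove our own rule.
RULE="INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment certbot-http01"

# Refuse to proceed if something already listens on :80; --standalone would
# fail to bind. Needs ss (iproute2); if it is missing we cannot tell and
# report "not in use".
port80_in_use() {
    command -v ss >/dev/null 2>&1 || return 1
    [ -n "$(ss -Hltn 'sport = :80' 2>/dev/null)" ]
}

# Insert the accept rule at the top of INPUT so it wins over a default drop.
open_http_port() {
    # shellcheck disable=SC2086  # $RULE is intentionally word-split
    "$IPTABLES" -I $RULE
}

# Remove the rule if present. Idempotent: safe when the pre-hook never ran,
# when certbot died between the hooks, or when a previous run already cleaned up.
close_http_port() {
    # shellcheck disable=SC2086
    if "$IPTABLES" -C $RULE 2>/dev/null; then
        "$IPTABLES" -D $RULE
    fi
}

case "${1:-}" in
    pre)
        if port80_in_use; then
            echo "something is already listening on :80; aborting" >&2
            exit 1
        fi
        open_http_port
        ;;
    post) close_http_port ;;
    "")   ;;   # no argument: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 pre|post" >&2; exit 2 ;;
esac
```

Because close_http_port checks with -C before deleting, it can also be run from a cron job or a boot-time script as a safety net: if certbot is killed after the pre-hook has opened the port, the rule would otherwise linger until the next renewal.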
It's true that it won't work right now, since the new validation IPv4 addresses currently have generic reverse DNS entries from their provider, and none of the IPv6 addresses have any reverse DNS at all.
Just to clarify, not asking for reverse DNS, just forward DNS for IPs (as I said, I’m good with resolving whitelists to firewall rules).
This was actually the documented approach back in the day, using those two outbound hostnames for whitelisting firewall rules. Worked quite well for the longest time, and then stuff changed.
Unfortunately need port 80 for internal use. You mention to use port 443, but I also don’t want to expose 443 to the world as this is a PBX and the cert is needed for SIP TLS.
Odd that whitelisting isn’t an option anymore. Any thoughts on why?
I read the details and understand now why the change was called for. Hmm, I wish there was a non-exploitable way that a server can be verified without opening up ports to the world!
I think I’ll manually renew my certs for the time being until something better is introduced.