Whitelist hostnames for certbot validation?

Greetings,

I’ve white listed the following hostnames to allow incoming port 80 connections -

outbound1.letsencrypt.org
outbound2.letsencrypt.org
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org

But when I attempt to obtain a new cert, I observe the following IP attempting to connect in on port 80: 52.28.236.88

This IP does not appear to be in any of the resolved names above. Am I missing a hostname or hostnames to add to my whitelist?

Thanks!
Rucio

Let’s Encrypt’s policy is that you should allow all IPs to access the validation paths on your website instead of blocking or allowing individual IPs.

The alternative is to use DNS validation (while allowing all IPs to access your DNS servers…).

They recently enabled multiple perspective validation, which is why you’re seeing requests from new IPs now, but it’s possible for them to change at any time.

Hello!

I would rather not open port 80 as there’s no need for the world to access the site I’m installing a certificate on. I understand that IP addresses change, but my firewall has a feature to look up any number of IPs via hostname and use that in allow rulesets. I am not asking for IPs but hostnames which resolve to the multitude of IPs that could be attempting validation. In the past this was through the above hostnames, are you saying that has been discontinued now? Because that would potentially put systems at risk if they had to allow port 80 requests from *.

I’ve looked into DNS validation and it won’t be possible for me to configure that.

Thanks,
Rucio

Then don’t open port 80 and serve your website on 443 exclusively (that means no redirect!)

Use --standalone and get your firewall to open and close port 80 with --pre-hook and --post-hook (read the certbot documentation) – this way your port 80 will only be open for a few minutes every 60 days.

Make triple sure you have nothing listening locally on port 80, or --standalone will not work.

I don't think that was ever guaranteed to work.

It's true that it won't work right now, since the new validation IPv4 addresses currently have generic reverse DNS entries from their provider, and none of the IPv6 addresses have any reverse DNS at all.

Just to clarify, not asking for reverse DNS, just forward DNS for IPs (as I said, I’m good with resolving whitelists to firewall rules).

This was actually the documented approach back in the day, using those two outbound hostnames for whitelisting firewall rules. Worked quite well for the longest time and then stuff changed :slight_smile:

Rucio

Unfortunately need port 80 for internal use. You mention to use port 443, but I also don’t want to expose 443 to the world as this is a PBX and the cert is needed for SIP TLS.

Odd that whitelisting isn’t an option anymore. Any thoughts on why?

Rucio

If dns is not an option, and port 80 is needed, you might want to install nginx on there and use it to do two things:

  • validate with certbot via http-01 (and the hooks for the firewall, etc); and
  • reverse proxy the current application (with checks on source ip, etc etc...)

it never was an option, afaik.

1 Like

I read the details and understand now why the change was called for. Hmm, I wish there was a non-exploitable way that a server can be verified without opening up ports to the world!

I think I’ll manually renew my certs for the time being until something better is introduced.

Rucio

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.