Whitelist LetsEncrypt Server IPs

We had issues validating via http, until we found out our Geo blocking rule in the Firewall was blocking the second validation attempt from LetsEncrypt.

The connections come from Singapore and Sweden, so we whitelisted them. Instead, we want to whitelist the IPs used in the Let's Encrypt validation process.

Is there any way to whitelist LetsEncrypt server's IPs instead of whitelisting the locations?

No, there is not; that would defeat the purpose of these (possibly changing at any moment) multiple vantage points.

Please see the following entry of the FAQ: FAQ - Let's Encrypt

9 Likes

If you absolutely need to block general incoming http requests, consider whether you can instead allow all incoming http /.well-known/acme-challenge requests by inspecting http traffic at the firewall; this would allow http validation to work normally. Alternatively, use DNS domain validation instead of HTTP domain validation.

3 Likes
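The rule ordering the answer above describes, as an added example that is not part of the original thread or of any Let's Encrypt code: the ACME challenge exception is evaluated before the geo rule, and it matches only a well-formed HTTP-01 challenge path (a single base64url token, per RFC 8555) rather than everything under /.well-known/. The blocked-country set and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# HTTP-01 challenge location; the token is base64url without padding (RFC 8555 8.3).
ACME_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed geo-block list, not the poster's real firewall configuration.
BLOCKED_COUNTRIES = {"SG", "SE"}


def is_acme_challenge(path: str) -> bool:
    """True only for a well-formed HTTP-01 challenge URL, nothing broader."""
    decoded = unquote(urlsplit(path).path)  # drop the query string, decode %xx
    if not decoded.startswith(ACME_PREFIX):
        return False
    token = decoded[len(ACME_PREFIX):]
    # Exactly one segment with the token charset: rejects an empty token,
    # "../" tricks and any other path under .well-known.
    return bool(TOKEN_RE.match(token))


def firewall_decision(method: str, path: str, country: str) -> str:
    """Evaluate rules in order: the ACME exception first, then the geo block."""
    if method == "GET" and is_acme_challenge(path):
        return "allow"  # validation from any vantage point gets through
    if country in BLOCKED_COUNTRIES:
        return "deny"   # the existing geo rule still covers everything else
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests (the token is the RFC 8555 example value).
    samples = [
        ("GET", "/.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", "SG"),
        ("GET", "/.well-known/acme-challenge/../../admin", "SG"),
        ("GET", "/index.html", "SG"),
        ("GET", "/index.html", "US"),
    ]
    for method, path, country in samples:
        print(f"{country} {method} {path} -> {firewall_decision(method, path, country)}")
```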

Thanks for the suggestion, I'll bring this up to our team and confirm if it worked.
Under our current process, DNS validation creates more steps, dependencies and complexity, so HTTP validation is ideal.
Thanks again!

2 Likes