I have a client I am busy helping with a setup. For security reasons he does not want open access to ports 80 and 443 for the sites I am busy configuring, as they are client portals to which he only wants to allow certain IPs or ranges access.
As a result webroot authentication has been failing, but he has now opened up access for me on ports 80 and 443 for all IPs so I can complete his setup tomorrow morning.
Once I am done tomorrow he will be closing the ports again and only allowing specific IPs access. So this will rule out a cron job to check for and do certificate renewals, which is not optimal and will become tiresome for the client in the future, having to open ports, do renewals and then close ports again, especially once there are multiple certificates.
Is there a set of IPs or an IP block I can provide the client to allow permanent access from LE's authentication servers?
There isn't, and such a list won't be made in the future either. Let's Encrypt keeps the right to change the IP addresses used for authentication at will and won't release lists of them for security reasons.
To me it sounds a bit like "security by obscurity", but that's the current Let's Encrypt policy as far as I know.
If the http-01 or tls-sni-01 challenges can't be used because of such strict limitations, you can always look into the dns-01 challenge.
Thanks @Osiris, but it does not make sense to me why LE would want to hide their IPs. Surely they are publicly accessible IPs anyway in order for authentication to even work? Surely anyone currently generating and renewing certs on their servers can easily trace those incoming IPs even if they change?
The client has his reasons unfortunately, and I don't think the DNS challenge is an option either, but for now it's only about 8 certs so he is happy to open the ports and do renewals manually.
We may later just script his firewall to open the ports, do renewal checks and then close the ports after renewal.
Unfortunately I can't dictate to the client about his firewall methodology or reasoning. He does actually have very valid reasons for allowing only very specific IPs access to these sites, as they are not public portals and are only for paying clients of his.
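One way to script the "open the ports, renew, close the ports again" cycle mentioned above, as an added example and not something posted in this thread. It assumes an iptables firewall whose existing INPUT chain only admits the client's allow-listed ranges, and certbot with the webroot plugin (http-01 needs only port 80); `DRY_RUN=1` prints the commands instead of executing them.

```bash
#!/bin/sh
# Added example: expose port 80 to everyone only for the duration of a
# certbot renewal run, then restore the firewall's allow-list.
# Assumptions: iptables-based firewall, certbot installed, run as root.
# DRY_RUN=1 prints each command instead of executing it.

: "${DRY_RUN:=0}"

# Execute or echo a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Insert a temporary accept rule at the top of INPUT, tagged with a
# comment so that close_http can remove exactly this rule and nothing else.
open_http() {
  run iptables -I INPUT 1 -p tcp --dport 80 -m comment --comment "acme-window" -j ACCEPT
}

# Delete the tagged rule; the original allow-list rules are untouched.
close_http() {
  run iptables -D INPUT -p tcp --dport 80 -m comment --comment "acme-window" -j ACCEPT
}

# Open the window, renew whatever is due, and close the window even if
# certbot fails, so a failed renewal never leaves port 80 exposed.
renew_in_window() {
  open_http
  rc=0
  run certbot renew --non-interactive --quiet || rc=$?
  close_http
  return $rc
}

# Only act when invoked as: sh le-renew-window.sh run
case "${1:-}" in
  run) renew_in_window ;;
esac
```

Schedule it from cron in place of a bare `certbot renew`; the exposure window lasts only as long as the renewal check itself.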
This has been discussed several times before on the forum. It's not so much for the security of the Let's Encrypt services as much as it is Let's Encrypt not supporting this methodology. If they provided the IPs and they subsequently changed, then it would cause a large number of users who had a working configuration to start failing renewals. My understanding is that Let's Encrypt wishes to reserve the ability to change these ad nauseam.
If you search around, other posts had sometimes creative alternative suggestions for how to handle this process in such an environment.
If access is going to be restricted to specific addresses, that signals it might be a closed system. The owner may actually be better off using a self-signed certificate or making an internal CA that the approved clients can trust. Let’s Encrypt is great for allowing users to trust an otherwise anonymous site, but if there’s already access controls it’s not as big of a deal since both sides can be managed.
Any chance you can use DNS validation instead? Several of the clients support major DNS providers, which is a more workable solution.
Also, you should be whitelisting traffic, not ports: if someone tries to SSH on port 80 you are actually not more secure, etc. Depending on the firewall it might support traffic-based rules (which is pretty much the de facto standard in the industry now).
Also a reality of working with cloud services is that often they won’t or don’t publish static IPs as they want the ability to move their workloads around and the flexibility to use other providers (AWS vs AZURE etc in the future).
Thanks everyone for the suggestions. For now the client is only going to generate about 8-10 certs, so for now he is happy to manually open the firewall for issuance and renewals and close it again afterwards, only allowing his clients' IPs access through the firewall.
@schoen yes absolutely, and I've made this very clear to the client. I set up a cron job for him for the renewals and he has made reminders of his own in his calendar to remind him when to do the renewals. Not an optimal situation, but the client is well aware of the implications.