Will whitelisting acme-v01.api.letsencrypt.org enable "intranet" proxy's HTTP Challenges?


#1

I am trying to setup a Caddy server as a Let’s Encrypt-enabled proxy for a web application that is only accessible to hosts behind our firewall. The firewall is configured to block all requests from the Internet to this subnet, but allows for any internal hosts to access it. The firewall also allows all outbound requests out to the Internet from this subnet.

So, I want to find some way of re-configuring our firewall to allow Let’s Encrypt HTTP challenges, but continue to block all other requests from the Internet in to this subnet. Will whitelisting incoming requests from acme-v01.api.letsencrypt.org achieve this?

Thanks.


#2

Hi,

I don’t think this will work, since all the IPs Let’s Encrypt uses can’t be resolved to this name (acme-v01 xxxx).

What I think you can do (if your firewall supports it):

You can try to add a temporary allow to your firewall before certbot runs, then after the challenges are done, reload the firewall.

For example, on firewalld (since that’s what I use), before the challenges, run:

sudo firewall-cmd --add-service http
sudo firewall-cmd --add-service https

After the script is done, run:

sudo firewall-cmd --reload

Thank you
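
As an added example (not code from this thread or from any of its posters), the following POSIX shell wrapper implements the temporary-allow procedure described in the post above with firewalld: it opens the http and https services in the runtime configuration only, runs whatever ACME client command is passed as arguments (for example certbot renew), and then reloads firewalld so the permanent, closed policy returns. A trap guarantees the reload also happens if the client fails or the script is interrupted. FIREWALL_CMD is an assumed override hook, added so the logic can be exercised without root; it defaults to the real firewall-cmd.

```shell
#!/bin/sh
# Added example: open firewalld's http/https services only for the duration
# of an ACME (HTTP-01) run, then restore the permanent configuration.
# FIREWALL_CMD is an assumed override hook (defaults to the real firewall-cmd)
# so the control flow can be exercised with a stub instead of root privileges.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Runtime-only allows (no --permanent), so a later --reload discards them.
open_challenge_ports() {
    "$FIREWALL_CMD" --add-service=http && "$FIREWALL_CMD" --add-service=https
}

# --reload re-reads the permanent configuration, which drops the runtime
# allows added above and closes the subnet to the Internet again.
close_challenge_ports() {
    "$FIREWALL_CMD" --reload
}

# Run the ACME client given as arguments inside the open window.
# Returns the client's exit status; the window is closed on every path,
# including failure of the client and SIGINT/SIGTERM.
renew_with_temporary_allow() {
    if ! open_challenge_ports; then
        # Partial success (http added, https refused) still needs a reload.
        close_challenge_ports
        return 1
    fi
    trap 'close_challenge_ports' EXIT
    trap 'exit 130' INT TERM      # exit so that the EXIT trap above fires
    "$@"
    acme_status=$?
    trap - EXIT INT TERM
    close_challenge_ports
    return "$acme_status"
}

# Stand-alone use:  ./acme-window.sh certbot renew --quiet
# (No command given: only define the functions, e.g. when sourced.)
if [ $# -gt 0 ]; then
    renew_with_temporary_allow "$@"
fi
```

Note that during the window port 80 is open to the whole Internet, not just to Let’s Encrypt; as the rest of the thread explains, the validation addresses are not published, so the window cannot be narrowed to a source list, only shortened.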


#3

Hi @stevenzhu

If acme-v01.api.letsencrypt.org does not resolve to all the IPs that Let’s Encrypt utilizes for the challenges, is there a finite list of domains I could whitelist? Are there a few other domains I could whitelist?


#4

I’m sorry but there is not a list of domains you can whitelist…

Thank you


#5

Hi @jonesnc,

This is one of our frequently asked questions:

What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

We recommend that if you are unable to allow public access to port 80 and the /.well-known/acme-challenge directory that you use the DNS-01 challenge type instead of HTTP-01. That will only involve external access to the domain’s authoritative nameservers and won’t require inbound HTTP access.

Hope that helps!


#6

In addition to the other points made in this thread, I’ll just point out that the API endpoints are proxied by a content delivery network, and that the challenge validation connections are never made from the API endpoints.

