Work around about AWS in second validation fail

We have an very strict firewall policy to block all AWS incoming traffic. We block all IP V4 ranges of AWS.
Due new multivalidation process our certificates renew requests fails on Secondary validation.
Lookin for info about it I read that this secondary validation initiates on Amazon. I Turned off our AWS firewall policy and everything works fine! All certificates renew in seconds.
I also read LetsEncrypt will not provide IP address to whitelist it on firewall to keep this new process more secure… so…

there is any other work around to this?

Thank you!

-Sorry if my english is not good.

1 Like

You might be able to make a setup which can allow access to /.well-known/acme-challenge/ from AWS, but deny every other path.

1 Like

Hi @estebanhelpdesk


is your answer. If you want to use http validation, you have to allow port 80 worldwide.


1 Like

The validation servers support IPv6


you got at least two valid options, and here’s a third: use your client’s hooks (--pre-hook and --post-hook usually) to only open port 80 worldwide during the validation.

1 Like

Or use tls-alpn-01 which uses port 443 and does not require port 80 to be open at all.

1 Like

Or use dns-01 which doesn’t require incoming connections at all. :stuck_out_tongue:

dns-01 can be tricky, even if you have full control of your DNS

thank you! I cant do that (allow just .well-kwown… path) , because my hardware firewall caped AWS IP addresses before they arrive to the Software (second firewall and webserver)

To whom answered about port 80 and 443, AWS cant see any open any port on our server.

Thank you ALL!

1 Like

I am using Cert the web client, and for DNS validation ask for a code to add in my dns.
I have full access to our dns, i can create a TXT record for it, BUT I cant find what really put in these record.

I found some entrys talking about it in forums and docs, but none works fine for me. Also some guys recomends dont use this method.

Web clients aren’t recommended, because those cannot be automated.

I think they mean , a standalone Windows client.

If this is still an issue (not knowing how to do DNS validation with Certify The Web) please drop by or email support at

You may also find relevant info about DNS validation at if you are using a supported DNS provider. We are about to add many more DNS providers in v5.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.