- February 20, 2020 at 8:28 pm
This is what Let’s Encrypt says about it:
If you can’t allow inbound connections from arbitrary IP addresses, you’re requested to use the DNS-01 validation method instead of HTTP-01.
We plan to frequently change the set of IPs from which we validate, and will validate from multiple IPs in the future. Any host answering challenges should have port 80 or 443 available to the Internet.
Another comment from a Certbot engineer / EFF:
The Let’s Encrypt CA does not want to announce particular IP addresses that are used in validation because of a desire to change them periodically (partly in order to make it harder for attackers to be able to cause misissuance). While you could figure out what addresses are currently used, they may change at any time and will not be documented. If you can’t allow inbound connections from the general public to the service that you’re trying to validate, you can use the DNS challenge type (which just requires letting the Let’s Encrypt CA look up your DNS records associated with that name).
So, in the future, we will try to add the DNS challenge option. For now, if you are using Let’s Encrypt, you must disable the firewall to renew the certificate.
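The DNS challenge mentioned above works because the CA only needs to look up a TXT record at `_acme-challenge.<name>`, not connect to the host, so the firewall can stay up. This added example (not code from the forum post or from Let’s Encrypt/Certbot) computes the TXT value an ACME CA expects per RFC 8555 and checks a published record against it; the account key and token are constructed placeholders.

```python
# Added example: compute and verify the DNS-01 TXT value an ACME CA looks up.
# The CA resolves _acme-challenge.<name> over DNS, so no inbound port is needed.
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexically ordered, no whitespace.
    Optional members such as kid/alg must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(account key), binding the challenge to the ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value to publish in TXT _acme-challenge.<name>: b64url(SHA-256(key authorization))."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())

def dns01_record_matches(published_txt_values, token: str, account_jwk: dict) -> bool:
    """Mirror the CA's check: one of the TXT strings must equal the expected value."""
    return dns01_txt_value(token, account_jwk) in published_txt_values

# Constructed sample account public key (placeholder coordinates, not a real key)
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
# Constructed token in the shape a challenge object carries
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print("publish TXT _acme-challenge.example.com =", expected)
    print("record matches:", dns01_record_matches([expected], SAMPLE_TOKEN, SAMPLE_JWK))
```

Before asking the CA to validate, query the TXT record from an external resolver and compare it with `dns01_txt_value`; a stale value from a previous renewal is the usual cause of a failed DNS-01 attempt.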