Whitelisting letsencrypt.org IPs?


Jacek Wielemborek

Dec 8, 2015, 11:07:46 AM
to ca-...@letsencrypt.org
Hello,

I'd like to open port 80 only to letsencrypt.org. Is there a minimal
list of IPs I can let in to get a certificate?

Cheers,
d33tah


Shane Kerr

Dec 8, 2015, 11:15:45 AM
to Jacek Wielemborek, ca-...@letsencrypt.org
Jacek,

At 2015-12-08 17:07:38 +0100
Jacek Wielemborek <d33...@gmail.com> wrote:

> I'd like to open port 80 only to letsencrypt.org. Is there a minimal
> list of IPs I can let in to get a certificate?

It looks like letsencrypt.org uses Akamai:

shane@pallas:~$ host -t ns letsencrypt.org
letsencrypt.org name server a14-64.akam.net.
letsencrypt.org name server a1-16.akam.net.
letsencrypt.org name server a9-67.akam.net.
letsencrypt.org name server a20-66.akam.net.
letsencrypt.org name server a18-65.akam.net.
letsencrypt.org name server a11-67.akam.net.

If someone is using a CDN the answer to your question is surely "no".

Depending on your use case perhaps you could restrict access to only
the client process, or use DNS to get the IP addresses and open them up
right before you run the client then close them when the run is
complete.

Cheers,

--
Shane

Jeff Palmer

Dec 8, 2015, 11:35:51 AM
to Shane Kerr, Jacek Wielemborek, ca-...@letsencrypt.org
While this isn't a direct answer to your question, it may help?

In my environment, I use haproxy. I set up an ACL so anything destined
for /.well-known/ is sent to the appropriate backend for the
letsencrypt client. Anything else is either denied or redirected with
a 301 to https.
--
Jeff Palmer
https://PalmerIT.net
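An HAProxy configuration along the lines Jeff describes, added here as an illustration rather than taken from his post: the frontend and backend names and the client's local listening port are assumptions, and the ACL matches the full ACME HTTP-01 challenge prefix (/.well-known/acme-challenge/) rather than all of /.well-known/, so nothing else under that directory is exposed on port 80.

```haproxy
# Added example, not Jeff's own configuration. Assumes the ACME client
# (e.g. certbot in standalone mode) listens on 127.0.0.1:8888 for the
# HTTP-01 challenge; the names http_in and acme_client are arbitrary.
frontend http_in
    bind *:80
    # Only the ACME HTTP-01 challenge path is allowed through on port 80.
    acl is_acme path_beg /.well-known/acme-challenge/
    # Everything else gets a permanent redirect to HTTPS ...
    redirect scheme https code 301 if !is_acme
    # ... or, if you prefer Jeff's "denied" variant, drop it instead:
    # http-request deny if !is_acme
    # Challenge requests go to the local client's listener.
    use_backend acme_client if is_acme

backend acme_client
    # Assumed address/port of the ACME client's challenge responder.
    server acme 127.0.0.1:8888
```

Because the ACL is evaluated per request rather than per source address, this works regardless of which CDN or validation addresses Let's Encrypt connects from, which is the problem Shane raised with an IP allow-list.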

Kevin Chadwick

Dec 8, 2015, 12:11:13 PM
to ca-...@letsencrypt.org
> It looks like letsencrypt.org uses Akamai:

I hate Akamai; it has prevented me from confirming that downloads or checksums
have come from the expected https source domain (not sure this is a
problem on letsencrypt.org btw) and shows a cert from Akamai at times,
which tells me next to nothing security-wise??

--

KISSIS - Keep It Simple So It's Securable