AWS Security group rule for certbot renewal
Problem
I want to add a rule to my aws security group to allow for incoming traffic from the acme server (I guess it is acme-v01.api.letsencrypt.org) to issue and automate the renewal of my cert. What is the best way of doing this, given that sg rules do not support hostnames but only IPs?
Solution
You just cannot, because from the Let's Encrypt FAQ:
What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.
You will need a reverse proxy (usually a WAF), routing /.well-known/acme to a machine answering the challenges (from anywhere), and doing the IP filtering before forwarding all other requests to your application.
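The split the answer describes, as an added example that is not code from the question, the answer or Let's Encrypt: an edge router that forwards any request for /.well-known/acme-challenge/<token> to the certbot host regardless of source address, because the validator addresses cannot be enumerated, and applies an IP allowlist to everything else before it reaches the application. The upstream addresses, the allowlist CIDRs and the port are assumptions chosen for the example; the token check follows the base64url token format of the HTTP-01 challenge.

```python
"""Edge routing for ACME HTTP-01 in front of an IP-filtered application.

Added example, not from the original question or answer. Upstream hosts,
CIDR ranges and listen port are assumed values.
"""
import http.client
import ipaddress
import posixpath
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: certbot runs in webroot mode on this host, the app on the other.
CHALLENGE_UPSTREAM = ("127.0.0.1", 8081)
APP_UPSTREAM = ("127.0.0.1", 8080)

# Assumption: constructed sample ranges that may reach the application.
APP_ALLOWLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8::/32")]

ACME_PREFIX = "/.well-known/acme-challenge/"
# HTTP-01 tokens are unpadded base64url (RFC 8555 section 8.3).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def is_acme_challenge(path: str) -> bool:
    """True only for a clean /.well-known/acme-challenge/<token> request."""
    # Drop the query string, then normalise so '..' segments cannot smuggle
    # a non-challenge path through the location that is open to everyone.
    clean = posixpath.normpath(path.split("?", 1)[0])
    if not clean.startswith(ACME_PREFIX):
        return False
    token = clean[len(ACME_PREFIX):]
    return TOKEN_RE.fullmatch(token) is not None


def client_allowed(client_ip: str, allowlist) -> bool:
    """Source-address filter for everything that is not a challenge."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable peer address: fail closed
    return any(addr in net for net in allowlist)


def route(path: str, client_ip: str, allowlist=APP_ALLOWLIST):
    """Return ('challenge', upstream), ('app', upstream) or ('deny', None)."""
    if is_acme_challenge(path):
        # Validators may come from any address, so no IP filter here.
        return "challenge", CHALLENGE_UPSTREAM
    if client_allowed(client_ip, allowlist):
        return "app", APP_UPSTREAM
    return "deny", None


class EdgeHandler(BaseHTTPRequestHandler):
    """Minimal forwarding proxy that applies route() to each GET."""

    def do_GET(self):
        decision, upstream = route(self.path, self.client_address[0])
        if decision == "deny":
            self.send_error(403, "source address not permitted")
            return
        conn = http.client.HTTPConnection(*upstream, timeout=5)
        try:
            conn.request("GET", self.path, headers={"Host": self.headers.get("Host", "")})
            resp = conn.getresponse()
            body = resp.read()
            self.send_response(resp.status)
            for name, value in resp.getheaders():
                if name.lower() not in ("transfer-encoding", "connection"):
                    self.send_header(name, value)
            self.end_headers()
            self.wfile.write(body)
        except OSError:
            self.send_error(502, "upstream unavailable")
        finally:
            conn.close()


if __name__ == "__main__":
    # Assumption: this process is what the security group exposes on port 80.
    HTTPServer(("0.0.0.0", 80), EdgeHandler).serve_forever()
```

The same split is what the two location blocks of an nginx or WAF front end express: the security group stays open on port 80 to the world, and the per-source restriction moves to the proxy layer, where only the challenge path bypasses it.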
Context
StackExchange DevOps Q#3569, answer score: 3