External addresses required to complete Certify process

Hi,

I’m having trouble configuring the server firewall for Certify to work…

My server (where my web application is hosted) security requirement is that connection from that server to outside resources must be configured in firewall so that connection to only specific addresses can be made. Other connection attempts are blocked.

A few months ago I successfully configured the firewall for Certify to work with these firewall exceptions:
https://api.certifytheweb.com/
https://acme-v02.api.letsencrypt.org/
And IP address:
104.81.124.27:443

But now the certificate renewal process fails because instead of the previous IP address it tries to call 23.64.234.181:443.

2019-06-07 13:08:29.313 +03:00 [ERR] BeginCertificateOrder: error creating order. Retries remaining:1 :: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 23.64.234.181:443

So my question is:
Is there a list of these IP addresses that may be required for Certify certificate renewal process to complete?
Can I somehow specify which one to use or configure some kind of single proxy?

Hi, Let’s Encrypt don’t publish a list of IP addresses for their service (which this app uses) so no, currently we don’t have a solution for that. It’s possible to proxy their API through a single IP endpoint but that would also be a single point of failure (and extra infrastructure).

Note also that you don’t need to enable api.certifytheweb.com if you’re not using http validation checks or dashboard status reporting, and you can also turn off analytics under Settings (neither of these affect the renewal process).
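The failure in the thread is the usual outcome of allow-listing a CDN-fronted hostname by a single IP: the name keeps resolving to different addresses, so a static exception silently goes stale until the next renewal. The script below is an added example (not part of Certify The Web or Let's Encrypt) that resolves the ACME hostname named in the thread and reports which of the current addresses a given egress allow-list does not cover. The `uncovered_addresses` and `parse_allowlist` helpers are my own names; the allow-list entries are constructed from the first post, and the resolution step needs network access, so the `main` block falls back to the two addresses quoted in the thread when DNS is unavailable.

```python
"""Compare a static egress allow-list against what an ACME endpoint
currently resolves to, and report drift.

Added example for this thread; not code from Certify The Web or Let's Encrypt.
"""
import ipaddress
import socket

# Hostname taken from the thread; port 443 is what the error message shows.
ACME_HOST = "acme-v02.api.letsencrypt.org"
ACME_PORT = 443


def resolve_ipv4(host, port=ACME_PORT):
    """Return the set of IPv4 addresses the host currently resolves to.

    Requires network access; raises OSError when resolution fails.
    """
    infos = socket.getaddrinfo(host, port, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def parse_allowlist(entries):
    """Turn allow-list entries into ip_network objects.

    Accepts plain IPv4 addresses ("1.2.3.4"), IPv4 with a port suffix
    ("1.2.3.4:443", the form used in the thread) and CIDR ranges
    ("1.2.0.0/16"). Single addresses become /32 networks.
    """
    networks = []
    for entry in entries:
        text = entry.strip()
        # An IPv4 entry with exactly one colon carries a ':port' suffix;
        # IPv6 literals always contain at least two colons, so they pass through.
        if "/" not in text and text.count(":") == 1:
            text = text.split(":", 1)[0]
        networks.append(ipaddress.ip_network(text, strict=False))
    return networks


def uncovered_addresses(allowlist, resolved):
    """Return, sorted, the resolved addresses no allow-list entry covers.

    An empty result means the firewall exceptions still match DNS; anything
    else is an address the renewal may try to reach and be blocked on.
    """
    networks = parse_allowlist(allowlist)
    return sorted(
        addr for addr in resolved
        if not any(ipaddress.ip_address(addr) in net for net in networks)
    )


# Constructed sample data: the allow-list from the original post, and the
# two addresses the post and its error log mention.
SAMPLE_ALLOWLIST = ["104.81.124.27:443"]
SAMPLE_RESOLVED = {"104.81.124.27", "23.64.234.181"}

if __name__ == "__main__":
    try:
        current = resolve_ipv4(ACME_HOST)
        source = "live DNS"
    except OSError:
        current = SAMPLE_RESOLVED
        source = "constructed sample (no network)"
    drift = uncovered_addresses(SAMPLE_ALLOWLIST, current)
    print(f"{ACME_HOST} resolves to {sorted(current)} ({source})")
    if drift:
        print("not covered by the allow-list:", drift)
    else:
        print("allow-list covers every current address")
```

Running this periodically (and alerting on a non-empty result) turns the silent renewal failure into an early warning, but it only narrows the window: the answer above is right that no published address list exists, so the durable options remain filtering egress by hostname where the firewall supports it, or routing ACME traffic through a single proxy whose address can be pinned.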