IPs for Certify Verification

Hi
The web server I'm using CTW on is locked down to only allow access from certain IPs. However, it seems that the CTW testing and verification process (HTTP-01) requires external access to the server. So my question is: what IPs is CTW using to talk to my server, so I can whitelist these IPs on the firewall?

peter

Hi Peter,

Let’s Encrypt don’t publish their validation host IPs and in fact they now perform multiple validations from different geographic regions. You won’t be able to whitelist their IPs. You should switch to using DNS validation.

Except our DNS host is not on their list of DNS providers that provide API access to do DNS verification.

To use Let's Encrypt via Certify The Web you unfortunately need to work within the confines of their (Let's Encrypt's) validation process.

  • You could either use a pre-request script to disable your firewall rules or use DNS validation scripting. You can script your own DNS validation if your DNS provider does support some kind of API access. Without knowing which provider it's difficult to offer more advice.

  • You could use acme-dns DNS validation (CNAME redirection to an acme-dns server). This means you add a CNAME to your DNS once then further automated validation happens on the acme-dns server.

  • You could possibly try switching to BuyPass Go as the certificate authority but I don’t know if their validations come from just one IP or not.

  • There are other more exotic options such as content-aware firewall settings (as HTTP isn't encrypted you can conditionally forward /.well-known/acme-challenge requests), but this will depend on your specific setup.
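As an added illustration of that last option (not from the original thread or from Certify The Web itself): an IIS `web.config` that keeps the whole site restricted to a trusted range but exempts only the ACME HTTP-01 challenge path, so the CA's validators can reach it from any address while the rest of the site stays locked down. The 203.0.113.0/24 range is a constructed placeholder for the trusted client addresses.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- Site-wide rule: deny every address that is not explicitly listed. -->
      <ipSecurity allowUnlisted="false">
        <!-- Constructed example range; replace with the IPs that are
             currently allowed through the network firewall. -->
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>

  <!-- Exception: the HTTP-01 challenge path must be reachable from anywhere,
       because Let's Encrypt validates from multiple unpublished addresses.
       The challenge files are short-lived, random tokens, so exposing this
       one path does not open the rest of the site. -->
  <location path=".well-known/acme-challenge">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <!-- Drop the inherited allow-list so the path is open to all. -->
          <clear />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

This requires the IIS "IP and Domain Restrictions" feature to be installed and the `ipSecurity` section to be unlocked in `applicationHost.config` (it is locked to the server level by default), and the network firewall must then permit inbound port 80 from anywhere, since the IP restriction has moved from the firewall to the path-aware web server rule.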