OPNsense Forum
English Forums => Tutorials and FAQs => Topic started by: astromeier on March 02, 2020, 10:56:53 pm
-
The current version you will find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_Server_list.txt
You can add an alias "URL table (IPs)" with this link.
The FQDN list you'll find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_FQDN_list.txt
After having problems with renewals of certificates, I introduced this IP whitelist for Let's Encrypt servers:
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
The IPs from cloud services can change over time...
If you have IPs to add feel free....
-
Add:
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
Updated list:
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
-
52.28.236.88 (Amazon Cloud & A100 ROW GmbH) is proven NOT FALSE
I've seen some abuse entries in lists like AbuseIPDB, but I'm sure that the whitelist is ok.
The logged ACME challenges come from different servers, and when the same challenge comes from a Let's Encrypt server too, the whitelisting is ok.
So far only one entry could be false...
Updated list:
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
-
Do I have to use those IPs if blocking by GeoIP?
-
Use this IP list as an alias for a rule to allow these (pass) in an upper position.
I've two aliases, Letsencrypt_FDQN and Letsencrypt_Server, for the uppermost pass rules:
See attached screenshot...
Tick the "quick" checkbox in the rules you create.
This ensures that they will not be blocked by following rules.
I've blocked non-EU traffic, and in this blocklist some of the Let's Encrypt servers are listed.
This was the cause that my ACME scripts failed to renew...
-
Thank you Thomas,
you have the rule on the top of the firewall WAN;
can you show the rule? Are you allowing it to the WAN address or to this firewall?
Why are you using two rules, one with FQDN and one with IP?
-
Hi Julien,
the LE-FQDN and LE-Servers aliases are separated due to history:
First I introduced the FQDN alias and later saw that more servers are involved...
This is the reason for my whitelist.
The images show the FQDN rule; the Servers rule is the same with the Server alias...
-
Thank you so much Thomas,
I am using it too now; I'll monitor it. Hopefully we will keep their IPs updated.
Much appreciated, and stay safe.
-
I have been doing packet spoofing and found those FQDNs which are used for validation and renewal:
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org
IPs will be changed every 3 months according to their policies.
-
Great - Thanks for sharing!
You can add to your list:
outbound1.letsencrypt.org
outbound2.letsencrypt.org
... these 6 entries are the content of my letsencrypt-FDQN alias.
-
You are welcome,
if I find a new FQDN, I'll add it.
For now the latest updated list is:
outbound1.letsencrypt.org
outbound2.letsencrypt.org
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org
-
Hi All - next update:
3.128.26.105
34.222.229.130
34.211.6.84
Yes, I know that Let's Encrypt does not recommend whitelisting since their server IPs change over time.
But some will need that, because these LE servers are often blocked by GeoIP when it is used as a plain Europe
filter, as in my case.
So I will try to update the list below when I notice firewall problems while updating my certificates...
The current (2020-09-29) LE server list is:
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
3.128.26.105 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.6.84 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
34.222.229.130 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
-
Update:
3.120.130.29 (Amazon Cloud & A100 ROW GmbH)
The current (2021-05-21) LE server list is:
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
3.120.130.29 (Amazon Cloud & A100 ROW GmbH)
3.128.26.105 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.6.84 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
34.222.229.130 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
-
New update:
3.122.178.200
18.184.114.154
The current (2021-05-31) LE server list is:
172.65.32.248 (Cloudflare)
18.184.114.154 (Amazon Cloud & A100 ROW GmbH)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
3.120.130.29 (Amazon Cloud & A100 ROW GmbH)
3.122.178.200 (Amazon Cloud & A100 ROW GmbH)
3.128.26.105 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.6.84 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
34.222.229.130 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
-
Hi all!
A large number of new IPs; maybe some older ones are inactive now.
Below you'll find the complete list...
Some are listed in abuseipdb.com, but I'm pretty sure they are correct.
New IPs:
18.116.86.117 (Amazon Cloud)
18.184.29.122 (Amazon Cloud & A100 ROW GmbH)
18.196.102.134 (Amazon Cloud & A100 ROW GmbH)
18.197.97.115 (Amazon Cloud & A100 ROW GmbH)
3.19.56.43 (Amazon Cloud)
3.142.122.14 (Amazon Cloud)
3.67.34.92 (Amazon Cloud & A100 ROW GmbH)
52.39.4.59 (Amazon Cloud)
54.189.22.122 (Amazon Cloud)
Complete list:
172.65.32.248 (Cloudflare)
18.116.86.117 (Amazon Cloud)
18.184.114.154 (Amazon Cloud & A100 ROW GmbH)
18.184.29.122 (Amazon Cloud & A100 ROW GmbH)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.196.102.134 (Amazon Cloud & A100 ROW GmbH)
18.197.97.115 (Amazon Cloud & A100 ROW GmbH)
18.222.145.89 (Amazon Cloud)
18.224.20.83 (Amazon Cloud)
18.236.228.243 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
3.19.56.43 (Amazon Cloud)
3.120.130.29 (Amazon Cloud & A100 ROW GmbH)
3.122.178.200 (Amazon Cloud & A100 ROW GmbH)
3.128.26.105 (Amazon Cloud)
3.142.122.14 (Amazon Cloud)
3.143.223.150 (Amazon Cloud)
3.67.34.92 (Amazon Cloud & A100 ROW GmbH)
34.209.232.166 (Amazon Cloud)
34.211.6.84 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
34.222.229.130 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
52.58.118.98 (Amazon Cloud)
52.39.4.59 (Amazon Cloud)
54.189.22.122 (Amazon Cloud)
See the additional FQDN-List (https://forum.opnsense.org/index.php?topic=16108.msg84111#msg84111)
-
Thank you so much @astromeier.
Quite a list of IP addresses. The easiest way I found to add the full list was to put all IP addresses on one line, separated by commas.
Then it's just a matter of clearing the list followed by copy-pasting the line.
-
Hi Ypsilon!
Thank you for that hint!
I'll post my list in addition in your proposed format like this:
172.65.32.248,18.116.86.117,18.184.114.154,18.184.29.122,18.194.58.132,18.196.96.172,18.196.102.134,18.197.97.115,18.222.145.89,18.224.20.83,18.236.228.243,3.14.255.131,3.19.56.43,3.120.130.29,3.122.178.200,3.128.26.105,3.142.122.14,3.143.223.150,3.67.34.92,34.209.232.166,34.211.6.84,34.211.60.134,34.222.229.130,52.15.254.228,52.28.236.88,52.58.118.98,52.39.4.59,54.189.22.122
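Added example (not from this thread or from the GitHub repository it links to): a small Python script that takes the annotated "IP (comment)" list posted above and produces both forms used in this thread, the one-address-per-line body that an OPNsense "URL table (IPs)" alias fetches and the single comma-separated line for pasting into a host alias. Entries are validated with the standard ipaddress module, duplicates are dropped, and the thread's "maybe FALSE" mark is kept so questionable entries can be left out; a diff helper reports what changed between two versions of the list, which is the check to run when a new update is posted. The sample list is a constructed subset of the one above with one duplicate and one typo added to show the handling.

```python
import ipaddress
import re

# Constructed sample in the annotated "IP (comment)" format used in this thread
# (a subset of the posted list, plus one duplicate and one typo to show handling).
SAMPLE_LIST = """\
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH , maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
3.14.255.131 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org )
not-an-ip (typo)
52.28.236.88
"""

LINE_RE = re.compile(r"^\s*(?P<addr>\S+)\s*(?:\((?P<comment>.*)\))?\s*$")


def _sort_key(ip):
    # Keep IPv4 and IPv6 in separate, numerically ordered groups
    # (comparing mixed versions raises TypeError in ipaddress).
    return (ip.version, ip)


def parse_server_list(text):
    """Parse 'IP (comment)' lines into (ip, comment, suspect) tuples.

    Lines that are not a valid IPv4/IPv6 address are skipped, so one typo
    cannot break the alias; duplicates are dropped (first occurrence wins).
    'suspect' is True when the comment carries the thread's 'maybe FALSE' mark.
    """
    entries, seen = [], set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # typo or hostname: not allowed in an IP alias
        if ip in seen:
            continue
        seen.add(ip)
        comment = (m.group("comment") or "").strip()
        entries.append((ip, comment, "maybe false" in comment.lower()))
    return entries


def _select(entries, include_suspect):
    return sorted((ip for ip, _c, suspect in entries if include_suspect or not suspect),
                  key=_sort_key)


def to_url_table(entries, include_suspect=True):
    """One address per line: the body an OPNsense 'URL table (IPs)' alias fetches."""
    return "".join(f"{ip}\n" for ip in _select(entries, include_suspect))


def to_comma_line(entries, include_suspect=True):
    """Single comma-separated line, for pasting into a host-type alias in the GUI."""
    return ",".join(str(ip) for ip in _select(entries, include_suspect))


def diff_lists(old_text, new_text):
    """Return (added, removed) between two versions of the list, as strings."""
    old = {ip for ip, _c, _s in parse_server_list(old_text)}
    new = {ip for ip, _c, _s in parse_server_list(new_text)}
    return ([str(ip) for ip in sorted(new - old, key=_sort_key)],
            [str(ip) for ip in sorted(old - new, key=_sort_key)])


if __name__ == "__main__":
    entries = parse_server_list(SAMPLE_LIST)
    print(to_url_table(entries, include_suspect=False), end="")
    print(to_comma_line(entries))
```

Run it against the raw text of the GitHub list before pointing an alias at it: anything the parser drops is a line the firewall's URL table import would also not turn into a usable address.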
-
Dear all,
I'm not using Let's Encrypt, but maybe it is better to open a GitHub repo to store the URLs and IPs there, to use URL tables as alias input?
br
-
Hi Mks - great idea!
I couldn't wait and realized it!
See my updated first post in this thread:
"The current version you will find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_Server_list.txt
You can add an alias "URL table (IPs)" with this link."
The FQDN list you'll find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_FQDN_list.txt
-
Even better, thanks.
I will keep an eye on the changes via my rss reader. I could ask for releases, but commits can be monitored just fine on github. :)
-
Hi Ypsilon
If you want OPNsense to load the current version automagically:
Add an alias with type "URL table (IPs)" with this GitHub link:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_Server_list.txt
and give a reload time period like once a day...
In the whitelist rule you just have to give the name of the alias, and the rule is constantly up to date...
So you don't need to keep an eye on the changes...
-
I understand astromeier and already made the changes.
It's just that I want to monitor things that can change automatically on my firewall.
That's why I have also subscribed to the Emerging Threats mailing list, so I keep an eye on that too.
-
Is there no need to use the FQDN rules anymore, just the IP?
-
Hi Julien,
since LE states that IP addresses can change over time I keep the known FQDN rules active "for safety".
You're right: this is a redundancy...
-
Updated:
The FQDN list you'll find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_FQDN_list.txt
-
Hi astromeier.
There are several new IP addresses not yet included in your maintained list.
So I already created a GitHub issue in your repo:
https://github.com/astromeier/LetsEncrypt_Serverlist/issues/2
Thanks if you add them to your list. For the moment I keep them in my own extra alias list, after which the validation process went fine again.
-
Hi, I did a quick check and found at least 4 abusive IPs (checked with https://www.abuseipdb.com).
All remaining addresses could be candidates; I'll check them in the next weeks.
The IPs of A100 ROW are good candidates!
Please do the same and cross-check the HAProxy log for ACME accesses with the correct key (same as the challenge).
Thanks for contribution!
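Added example (not from this thread): the cross-check described in the post above, done in Python. It reads HAProxy access-log lines, keeps only requests for /.well-known/acme-challenge/<token>, and compares each token against the set of tokens your own ACME client is serving at that moment. A source that fetched only tokens you issued is corroborated as a validation server and is a whitelist candidate, whatever AbuseIPDB says about it; a source that probed the path with a token you never issued is a scanner and stays out. The log lines and token values are constructed for the example (HAProxy httplog layout, addresses from this thread plus two documentation-range addresses); the regular expression assumes that default httplog field order and may need adjusting for a custom log-format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed lines in HAProxy httplog style (not real traffic). Source addresses
# are taken from this thread's list plus two documentation-range addresses.
SAMPLE_LOG = """\
Jun  1 12:00:01 fw haproxy[1234]: 64.78.149.164:44321 [01/Jun/2021:12:00:01.123] http-in acme/srv1 0/0/0/1/1 200 412 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/tok_LIVE1 HTTP/1.1"
Jun  1 12:00:01 fw haproxy[1234]: 18.196.96.172:51002 [01/Jun/2021:12:00:01.410] http-in acme/srv1 0/0/0/1/1 200 412 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/tok_LIVE1 HTTP/1.1"
Jun  1 12:00:02 fw haproxy[1234]: 3.14.255.131:39870 [01/Jun/2021:12:00:02.007] http-in acme/srv1 0/0/0/1/1 200 412 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/tok_LIVE1 HTTP/1.1"
Jun  1 12:00:05 fw haproxy[1234]: 198.51.100.7:60123 [01/Jun/2021:12:00:05.900] http-in acme/srv1 0/0/0/0/0 404 180 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/tok_OLD HTTP/1.1"
Jun  1 12:00:06 fw haproxy[1234]: 203.0.113.9:41000 [01/Jun/2021:12:00:06.100] http-in web/srv2 0/0/0/2/2 403 250 - - ---- 1/1/0/0/0 0/0 "GET /admin/ HTTP/1.1"
Jun  1 12:00:09 fw haproxy[1234]: 52.28.236.88:48876 [01/Jun/2021:12:00:09.550] http-in acme/srv1 0/0/0/1/1 200 412 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/tok_LIVE2 HTTP/1.1"
"""

# Tokens our ACME client is serving at the moment (constructed values). In
# practice take them from the client's challenge directory or its own log.
LIVE_TOKENS = {"tok_LIVE1", "tok_LIVE2"}

ACME_PREFIX = "/.well-known/acme-challenge/"

# Assumed default httplog order:
# client:port [timestamp] frontend backend/server timers status bytes ... "METHOD path HTTP/x"
LOG_RE = re.compile(
    r'(?P<client>[0-9a-fA-F.:]+):\d+ \[[^\]]+\] \S+ \S+ \S+ (?P<status>\d{3}) \d+ '
    r'.*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)


def parse_acme_fetches(log_text):
    """Yield (client_ip, token, status) for every acme-challenge request in the log."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(ACME_PREFIX):
            continue  # ordinary web traffic, not a validation fetch
        try:
            ip = ipaddress.ip_address(m.group("client"))
        except ValueError:
            continue  # malformed client field, ignore the line
        yield ip, path[len(ACME_PREFIX):], int(m.group("status"))


def corroborate(log_text, live_tokens):
    """Group fetches by source: tokens we really issued vs. tokens nobody issued."""
    report = defaultdict(lambda: {"matched": set(), "unknown": set()})
    for ip, token, _status in parse_acme_fetches(log_text):
        report[ip]["matched" if token in live_tokens else "unknown"].add(token)
    return dict(report)


def _sorted_ips(ips):
    return [str(ip) for ip in sorted(ips, key=lambda a: (a.version, a))]


def whitelist_candidates(report):
    """Sources that fetched only tokens our own ACME client issued."""
    return _sorted_ips(ip for ip, r in report.items() if r["matched"] and not r["unknown"])


def suspicious_sources(report):
    """Sources that probed the challenge path with tokens we never issued."""
    return _sorted_ips(ip for ip, r in report.items() if r["unknown"])


def fetchers_per_token(log_text):
    """Which distinct sources fetched each token (several per token is normal:
    the CA validates from more than one vantage point)."""
    by_token = defaultdict(set)
    for ip, token, _status in parse_acme_fetches(log_text):
        by_token[token].add(ip)
    return {token: _sorted_ips(ips) for token, ips in by_token.items()}


if __name__ == "__main__":
    report = corroborate(SAMPLE_LOG, LIVE_TOKENS)
    print("whitelist candidates:", whitelist_candidates(report))
    print("suspicious sources:", suspicious_sources(report))
    print("fetchers per token:", fetchers_per_token(SAMPLE_LOG))
```

The token is the thing that makes this check stronger than an IP reputation lookup: only the CA that issued the challenge knows it, so a fetch of the live token from an address that is listed on AbuseIPDB is still a genuine validation. Feed the script a window of log lines around each renewal and compare the candidates with the list in this thread before adding an address to the alias.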
-
Hi!
I could confirm 6 new IPs - the serverlist @ github is now up to date!
-
Thank you!
-
Some new addresses popped up in the last days; GitHub is updated.
... seems that LE changed a number of the verification servers.
The same occurred in June of last year...
-
There are still some IPs missing:
3.143.204.187
34.222.98.48
-
Thanks for contribution!
5 new addresses were brought to my notice and I will check them.
Maybe these IPs depend on the location of the verification request...
-
And another 3 to add:
54.245.176.12
3.136.27.87
3.73.52.92
-
Thanks!
IPs are added...