The actual version you will find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_Server_list.txt
You can add an alias "URL table (IPs)" with this link.
The FQDN list you'll find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_FQDN_list.txt
After having problems with renewals of certificates, I introduced this IP whitelist for Let's Encrypt servers:
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
The IPs from cloud services can change over time...
If you have IPs to add, feel free...
Add:
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
Updated list:
52.28.236.88 (Amazon Cloud & A100 ROW GmbH) is proven NOT FALSE
I've seen some abuse entries in lists like AbuseIPDB, but I'm sure that the whitelist is OK.
The logged ACME challenges come from different servers, and when the same challenge comes from a Let's Encrypt server too, the whitelisting is OK.
So far only one entry could be false...
Updated list:
Do I have to use those IPs if blocking by GeoIP?
Use this IP list as an alias for a rule to allow these (pass) in an upper position.
I have two aliases, Letsencrypt_FDQN and Letsencrypt_Server, for the topmost pass rules:
See the attached screenshot.
Tick the "quick" option in the rules you create.
This ensures that they will not be blocked by following rules.
I've blocked non-EU traffic, and in this blocklist some of the Let's Encrypt servers are listed.
This was the reason my ACME scripts failed to renew...
Thank you Thomas,
you have the rule at the top of the firewall WAN.
Can you show the rule? Are you allowing it to the WAN address or to this firewall?
Why are you using two rules, one with FQDN and one with IP?
Hi Julien,
the LE-FDQN and LE-Servers are separated due to history:
First I introduced the FDQN alias and later saw that more servers are involved...
This is the reason for my whitelist.
The images show the FDQN rule; the Servers rule is the same with the Server alias...
Thank you so much Thomas,
I am using it too now, I'll monitor it, hopefully we will keep their IPs updated.
Much appreciated, and stay safe.
I have been doing packet spoofing and found those FQDNs which are used for validation and renewal:
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org
IPs will be changed every 3 months according to their policies.
Great, thanks for sharing!
You can add to your list:
outbound1.letsencrypt.org
outbound2.letsencrypt.org
... these 6 entries are the content of my letsencrypt-FDQN alias.
You are welcome,
if I find a new FQDN I'll add it.
For now the latest updated list is:
outbound1.letsencrypt.org
outbound2.letsencrypt.org
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org
Hi all, next update:
3.128.26.105
34.222.229.130
34.211.6.84
Yes, I know that Let's Encrypt does not recommend whitelisting since their server IPs change over time.
But some will need it because these LE servers are often blocked by GeoIP when it is used as a plain Europe filter, as in my case.
So I will try to update the below list when I notice firewall problems while updating my certificates...
The actual (2020-09-29) LE server list is:
Update:
3.120.130.29 (Amazon Cloud & A100 ROW GmbH)
The actual (2021-05-21) LE server list is:
New update:
3.122.178.200
18.184.114.154
The actual (2021-05-31) LE server list is:
Hi all!
A big number of new IPs; maybe some older ones are inactive now.
Below you'll find the complete list...
Some are listed in abuseipdb.com, but I'm pretty sure they are correct.
New IPs:
18.116.86.117 (Amazon Cloud)
18.184.29.122 (Amazon Cloud & A100 ROW GmbH)
18.196.102.134 (Amazon Cloud & A100 ROW GmbH)
18.197.97.115 (Amazon Cloud & A100 ROW GmbH)
3.19.56.43 (Amazon Cloud)
3.142.122.14 (Amazon Cloud)
3.67.34.92 (Amazon Cloud & A100 ROW GmbH)
52.39.4.59 (Amazon Cloud)
54.189.22.122 (Amazon Cloud)
Complete list:
See the additional FQDN-List (https://forum.opnsense.org/index.php?topic=16108.msg84111#msg84111)
Thank you so much @astromeier.
Quite a list of IP numbers. The easiest way I found to add the full list was to put all IP numbers in one line, separated by commas.
Then it's just a matter of clearing the list followed by copy-pasting the line.
Hi Ypsilon!
Thank you for that hint!
I'll post my list in addition in your proposed format like this:
172.65.32.248,18.116.86.117,18.184.114.154,18.184.29.122,18.194.58.132,18.196.96.172,18.196.102.134,18.197.97.115,18.222.145.89,18.224.20.83,18.236.228.243,3.14.255.131,3.19.56.43,3.120.130.29,3.122.178.200,3.128.26.105,3.142.122.14,3.143.223.150,3.67.34.92,34.209.232.166,34.211.6.84,34.211.60.134,34.222.229.130,52.15.254.228,52.28.236.88,52.58.118.98,52.39.4.59,54.189.22.122
Dear all,
I'm not using Let's Encrypt, but maybe it is better to open a GitHub repo to store the URLs and IPs there, to use URL Tables as alias input?
br
Hi Mks, great idea!
I couldn't wait and realized it!
See my updated first post in this thread:
"The actual version you will find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_Server_list.txt
You can add an alias "URL table (IPs)" with this link."
The FQDN list you'll find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_FQDN_list.txt
Even better, thanks.
I will keep an eye on the changes via my RSS reader. I could ask for releases, but commits can be monitored just fine on GitHub. :)
Hi Ypsilon
If you want OPNsense to load the actual version automagically:
Add an alias with type "URL table (IPs)" with this GitHub link:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_Server_list.txt
and give a reload time period like once a day...
In the whitelist-rule you just have to give the name of the alias and the rule is constantly up to date...
So you don't need to keep an eye on the changes...
I understand astromeier and already made the changes.
It's just that I want to monitor things that can change automatically on my firewall.
That's why I have also subscribed to the Emerging Threats mailing list, so I keep an eye on that too.
Is there no need to use the FQDN rules anymore, just the IP?
Hi Julien,
since LE states that IP addresses can change over time I keep the known FQDN rules active "for safety".
You're right: this is a redundancy...
Updated:
The FQDN list you'll find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_FQDN_list.txt
Hi astromeier.
There are several new IP addresses not yet included in your maintained list.
So I already created a github issue in your repo:
https://github.com/astromeier/LetsEncrypt_Serverlist/issues/2
Thanks if you add them to your list. For the moment I keep them in my own extra alias list, after which the validation process went fine again.
Hi, I did a quick check and found at least 4 abusive IPs (checked with https://www.abuseipdb.com).
All remaining addresses could be candidates; I'll check them in the next weeks.
The IPs of A100 ROW are good candidates!
Please do the same and cross-check the HAProxy log for ACME accesses with the correct key (same as the challenge).
Thanks for contribution!
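The cross-check described above, as an added example that is not code from the thread or from the GitHub repository: it parses an allow-list text (one IP per line is an assumption about the file layout; the comma-separated one-liner also works), picks the ACME challenge requesters out of constructed access-log lines, and marks an unknown IP as a confirmed candidate only when it fetched the same challenge token as an already allow-listed validator. All names, the log format and the sample data are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed allow-list text: one IP per line is the layout assumed for the
# GitHub file; Ypsilon's comma-separated one-liner format parses as well.
SERVER_LIST_TEXT = """172.65.32.248
64.78.149.164,66.133.109.36
3.14.255.131
not-an-ip
"""
# Constructed access-log lines (common log format): client IP first, the ACME
# challenge token in the request path.
ACCESS_LOG = """\
64.78.149.164 - - [01/Jun/2021:10:00:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87
3.14.255.131 - - [01/Jun/2021:10:00:02 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87
18.184.29.122 - - [01/Jun/2021:10:00:03 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87
198.51.100.7 - - [01/Jun/2021:10:00:09 +0000] "GET /.well-known/acme-challenge/tokenZ HTTP/1.1" 404 0
203.0.113.5 - - [01/Jun/2021:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""
CHALLENGE_RE = re.compile(r'^(\S+) .*"GET /\.well-known/acme-challenge/([\w-]+) ')

def parse_server_list(text):
    """Set of syntactically valid IPv4 addresses; blank and junk pieces are skipped."""
    ips = set()
    for piece in re.split(r"[,\s]+", text):
        try:
            ips.add(str(ipaddress.IPv4Address(piece)))
        except ValueError:
            continue
    return ips

def acme_candidates(log_text, allowlist):
    """Return (confirmed, unconfirmed) sets of challenge requesters not yet allow-listed."""
    # Thread heuristic: an unknown IP is confirmed when it fetched the same
    # token that an already allow-listed Let's Encrypt validator fetched.
    by_token = defaultdict(set)
    for line in log_text.splitlines():
        m = CHALLENGE_RE.match(line)
        if m:
            by_token[m.group(2)].add(m.group(1))
    confirmed, unconfirmed = set(), set()
    for ips in by_token.values():
        target = confirmed if ips & allowlist else unconfirmed
        target.update(ips - allowlist)
    return confirmed, unconfirmed - confirmed

def to_alias_line(ips):
    """Comma-separated line for pasting into a firewall alias (numeric order)."""
    return ",".join(sorted(ips, key=ipaddress.IPv4Address))
```

Unconfirmed requesters (a token nobody on the allow-list fetched) deserve the AbuseIPDB look and a second log round before they go into the alias.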
Hi!
I could confirm 6 new IPs; the server list on GitHub is now up to date!
Thank you!
Some new addresses popped up in the last days; GitHub is updated.
... it seems that LE changed a number of the verification servers.
The same occurred in June of last year...
There are still some IPs missing:
3.143.204.187
34.222.98.48
Thanks for contribution!
5 new addresses were reported to me and I will check them.
Maybe these IPs are dependent on the location of the verification request...
And another 3 to add:
54.245.176.12
3.136.27.87
3.73.52.92
Thanks!
IPs are added...
I think that does not work any more??
No, it does not. But you do not need access from those servers if you let your DNS domains be hosted somewhere else and use DNS-01 verification, because the inbound connection from LetsEncrypt does not touch your server then.