LetsEncrypt - Whitelist

Started by astromeier, March 02, 2020, 10:56:53 PM

Thank you so much @astromeier.
Quite a list of IP numbers. The easiest way I found to add the full list was to put all IP numbers on one line, separated by commas.
Then it's just a matter of clearing the list followed by copy pasting the line.

Hi Ypsilon!
Thank you for that hint!
I'll post my list in addition in your proposed format like this:
172.65.32.248,18.116.86.117,18.184.114.154,18.184.29.122,18.194.58.132,18.196.96.172,18.196.102.134,18.197.97.115,18.222.145.89,18.224.20.83,18.236.228.243,3.14.255.131,3.19.56.43,3.120.130.29,3.122.178.200,3.128.26.105,3.142.122.14,3.143.223.150,3.67.34.92,34.209.232.166,34.211.6.84,34.211.60.134,34.222.229.130,52.15.254.228,52.28.236.88,52.58.118.98,52.39.4.59,54.189.22.122
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G

Dear all,

I'm not using Let's Encrypt, but maybe it is better to open a GitHub repo to store the URLs and IPs there, to use URL Tables as alias input?
br

June 28, 2021, 10:04:58 PM #18 Last Edit: June 28, 2021, 10:07:28 PM by astromeier
Hi Mks - great idea!
I couldn't wait and realized it!
See my updated first post in this thread:

"The actual version you will find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_Server_list.txt
You can add an alias "URL table (IPs)" with this link."

The FQDN-List you'll find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_FQDN_list.txt
Stay secure!
Thomas


Even better, thanks.
I will keep an eye on the changes via my rss reader. I could ask for releases, but commits can be monitored just fine on github. :)

Hi Ypsilon
If you want OPNsense to load the actual version automagically:
Add an alias with type "URL table (IPs)" with this GitHub link:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_Server_list.txt
and give it a reload time period like once a day....

In the whitelist-rule you just have to give the name of the alias and the rule is constantly up to date...

So you don't need to keep an eye on the changes...
Stay secure!
Thomas


I understand astromeier and already made the changes.
It's just that I want to monitor things that can change automatically on my firewall.
That's why I have also subscribed to the emergingthreats mailinglist so I keep an eye on that too.

Is there no need to use the FQDN rules anymore, just the IP?
DEC4240 – OPNsense Owner

Hi Julien,
since LE states that IP addresses can change over time I keep the known FQDN rules active "for safety".
You're right: this is a redundancy...
Stay secure!
Thomas



Hi astromeier.
There are several new IP addresses not yet included in your maintained list.
So I already created a github issue in your repo:
https://github.com/astromeier/LetsEncrypt_Serverlist/issues/2

Thanks if you add them to your list. For the moment I keep them in my own extra alias list, after which the validation process went fine again.

Hi, I did a quick check and found at least 4 abusive IPs (checked with https://www.abuseipdb.com).
All remaining addresses could be candidates - I'll check them in the next weeks.

The IPs of A100 ROW are good candidates!

Please do the same and cross-check the HAProxy log for acme accesses with the correct key (same as the challenge).
Thanks for contribution!
Stay secure!
Thomas

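The two steps the thread describes, turning the posted comma-separated list into the one-address-per-line form a "URL table (IPs)" alias consumes, and cross-checking the HAProxy log so that only sources which fetched the real challenge token are treated as validator candidates, as an added example in Python. This is not code from the thread or from the astromeier repository; the whitelist text, the log lines, the token and the helper names are constructed for the example, and the log format assumed is HAProxy's default httplog layout.

```python
import ipaddress
import re

# Constructed whitelist in both formats seen in the thread: a comma-separated
# line and one entry per line. Networks (CIDR) are accepted as well as hosts.
# The IPv6 prefix is a documentation range, not a Let's Encrypt address.
WHITELIST_TEXT = """172.65.32.248,18.116.86.117,3.14.255.131
34.209.232.166   # one entry per line works too
2001:db8::/32
"""

# Constructed challenge token; in practice this is the token the ACME client
# served under /.well-known/acme-challenge/ for the current order.
EXPECTED_TOKEN = "tokenA-constructed"

# Constructed HAProxy httplog lines: a known validator, an unknown source that
# fetched the correct token, a scanner guessing tokens, and an unrelated request.
SAMPLE_LOG = [
    'Jun 28 22:30:01 fw haproxy[1234]: 3.14.255.131:44910 [28/Jun/2022:22:30:01.123] http-in acme/acme_be 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/tokenA-constructed HTTP/1.1"',
    'Jun 28 22:30:02 fw haproxy[1234]: 198.51.100.7:51000 [28/Jun/2022:22:30:02.456] http-in acme/acme_be 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/tokenA-constructed HTTP/1.1"',
    'Jun 28 22:30:03 fw haproxy[1234]: 203.0.113.9:40000 [28/Jun/2022:22:30:03.789] http-in acme/acme_be 0/0/1/2/3 404 200 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/guessed-token HTTP/1.1"',
    'Jun 28 22:30:04 fw haproxy[1234]: 203.0.113.9:40001 [28/Jun/2022:22:30:04.000] http-in web/web_be 0/0/1/2/3 200 1024 - - ---- 1/1/0/0/0 0/0 "GET /index.html HTTP/1.1"',
]

# Source address and request line from an HAProxy httplog entry.
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<src>[0-9a-fA-F.:]+):\d+ .*? "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)
# Only exact acme-challenge paths; the token is base64url, so this character set suffices.
ACME_PATH_RE = re.compile(r"^/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)$")


def parse_whitelist(text):
    """Parse comma- and/or newline-separated entries into a set of ip_network objects."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        for token in re.split(r"[,\s]+", line):
            if token:
                # strict=False lets a bare host address become a /32 or /128
                nets.add(ipaddress.ip_network(token, strict=False))
    return nets


def to_url_table(nets):
    """Render the set as one entry per line, the form a URL table (IPs) alias expects."""
    ordered = sorted(nets, key=lambda n: (n.version, n))
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in ordered]


def is_whitelisted(ip, nets):
    return any(ip in n for n in nets)


def acme_requests(log_lines):
    """Yield (source_ip, token) for every request to the acme-challenge path."""
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        pm = ACME_PATH_RE.match(m.group("path"))
        if pm:
            yield ipaddress.ip_address(m.group("src")), pm.group("token")


def classify_sources(log_lines, nets, expected_token):
    """Split acme-challenge sources into known validators, new candidates and wrong-token hits."""
    result = {"known": set(), "candidate": set(), "wrong_token": set()}
    for src, token in acme_requests(log_lines):
        if token != expected_token:
            result["wrong_token"].add(str(src))   # probing, not a validator
        elif is_whitelisted(src, nets):
            result["known"].add(str(src))
        else:
            result["candidate"].add(str(src))     # review before adding to the list
    return result


if __name__ == "__main__":
    nets = parse_whitelist(WHITELIST_TEXT)
    print("\n".join(to_url_table(nets)))
    for kind, ips in classify_sources(SAMPLE_LOG, nets, EXPECTED_TOKEN).items():
        print(kind, sorted(ips))
```

Only addresses in "candidate" are worth a look: they fetched the token that was actually issued, which a scanner guessing paths cannot do. Addresses in "wrong_token" are exactly the abusive hits mentioned earlier in the thread and should not go into the alias.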

Hi!
I could confirm 6 new IPs - the serverlist @ github is now up to date!
Stay secure!
Thomas



June 28, 2022, 10:33:25 PM #29 Last Edit: June 28, 2022, 10:39:04 PM by astromeier
Some new addresses popped up in the last few days - GitHub is updated.
... seems that LE changed a number of the verification servers.

The same occurred in June of last year.....
Stay secure!
Thomas
