LetsEncrypt - Whitelist

Started by astromeier, March 02, 2020, 10:56:53 PM

March 02, 2020, 10:56:53 PM Last Edit: June 28, 2021, 10:07:55 PM by astromeier
The current version you will find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_Server_list.txt
You can add an alias of type "URL Table (IPs)" with this link.

The FQDN list you'll find here:
https://raw.githubusercontent.com/astromeier/LetsEncrypt_Serverlist/main/LetsEncrypt_FQDN_list.txt


After having problems with certificate renewals, I introduced this IP whitelist for Let's Encrypt servers:
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)

The IPs from cloud services can change over time...

If you have IPs to add, feel free....
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G

Add:
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)

Updated list:
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G

52.28.236.88 (Amazon Cloud & A100 ROW GmbH) is proven NOT FALSE

I've seen some abuse entries in lists like AbuseIPDB, but I'm sure that the whitelist is OK.
The logged ACME challenges come from different servers, and when the same challenge also comes from a Let's Encrypt server, the whitelisting is OK.
So far only one entry could be false...

Updated list:
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G
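The check described in the post above (an unknown source IP is trusted when it fetched the same challenge token that an already-listed Let's Encrypt server fetched) can be scripted against the web server's access log. The following is an added example, not code from this thread, from OPNsense or from Let's Encrypt. It assumes the thread's own "IP (comment)" list format, treats entries marked "maybe FALSE" as unlisted unless told otherwise, and writes the bare-IP file that an OPNsense "URL Table (IPs)" alias can fetch. The access-log lines are constructed samples in combined log format; 3.128.26.105 and 198.51.100.23 are deliberately left out of the sample allowlist.

```python
# Added example, not from the forum thread, OPNsense or Let's Encrypt.
# Implements the token-correlation check from the post above and emits a
# bare-IP list for a "URL Table (IPs)" alias. All input below is constructed.
import ipaddress
import re
from collections import defaultdict

# Sample allowlist in the thread's "IP (comment)" format (subset of the post).
ALLOWLIST_TEXT = """\
172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
"""

# Constructed access log: one token fetched by a listed IP, a doubtful IP and
# an unknown IP; a second token fetched only by a scanner; one unrelated hit.
SAMPLE_LOG = """\
66.133.109.36 - - [12/Jun/2021:11:02:17 +0000] "GET /.well-known/acme-challenge/k7hFQ2x_tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.128.26.105 - - [12/Jun/2021:11:02:17 +0000] "GET /.well-known/acme-challenge/k7hFQ2x_tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.194.58.132 - - [12/Jun/2021:11:02:18 +0000] "GET /.well-known/acme-challenge/k7hFQ2x_tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.23 - - [12/Jun/2021:11:05:40 +0000] "GET /.well-known/acme-challenge/zZ9Q-probe-only HTTP/1.1" 404 153 "-" "python-requests/2.25.1"
198.51.100.23 - - [12/Jun/2021:11:05:41 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "python-requests/2.25.1"
"""

ENTRY_RE = re.compile(r"^\s*(?P<ip>[0-9A-Fa-f.:]+)\s*(?:\((?P<note>[^)]*)\))?\s*$")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ '
    r'/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+) [^"]*" (?P<status>\d{3})'
)


def parse_allowlist(text, include_doubtful=False):
    """Map IP -> note. Entries marked 'maybe FALSE' are dropped unless
    include_doubtful is set; a malformed line raises instead of silently
    shrinking the allowlist (a silent drop would break renewals later)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable allowlist line: {line!r}")
        ip = str(ipaddress.ip_address(m.group("ip")))  # rejects garbage
        note = (m.group("note") or "").strip()
        if "maybe false" in note.lower() and not include_doubtful:
            continue
        entries[ip] = note
    return entries


def url_table(allowlist):
    """Bare IPs, one per line, sorted numerically: the file content a
    URL Table (IPs) alias fetches (comments from the thread stripped)."""
    return "\n".join(sorted(allowlist, key=ipaddress.ip_address)) + "\n"


def challenge_requests(log_lines):
    """Yield (token, source_ip, status) for every HTTP-01 challenge fetch."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            yield (m.group("token"),
                   str(ipaddress.ip_address(m.group("ip"))),
                   int(m.group("status")))


def correlate(log_lines, allowlist):
    """Group challenge fetches by token and split the sources into listed
    and unlisted. An unlisted IP is a candidate only when the same token was
    also fetched by a listed IP; a token seen only from unknown sources
    (scanners guessing /.well-known/) never yields candidates."""
    by_token = defaultdict(set)
    for token, ip, _status in challenge_requests(log_lines):
        by_token[token].add(ip)
    report, candidates = {}, set()
    for token, ips in by_token.items():
        listed = sorted(ip for ip in ips if ip in allowlist)
        unlisted = sorted(ip for ip in ips if ip not in allowlist)
        report[token] = {"listed": listed, "unlisted": unlisted}
        if listed:
            candidates.update(unlisted)
    return report, sorted(candidates, key=ipaddress.ip_address)


if __name__ == "__main__":
    allow = parse_allowlist(ALLOWLIST_TEXT)
    report, cands = correlate(SAMPLE_LOG.splitlines(), allow)
    for token, r in report.items():
        print(token, "listed:", r["listed"], "unlisted:", r["unlisted"])
    print("candidates to review before adding:", cands)
    print(url_table(allow), end="")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Candidates are meant for manual review, not automatic addition: the heuristic only tells you that an IP took part in a validation you initiated, and with `include_doubtful=True` the "maybe FALSE" entries count as listed, which is how the thread later confirmed 52.28.236.88.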

Do I have to use those IPs if blocking by GeoIP?
DEC4240 – OPNsense Owner

June 06, 2020, 09:56:51 PM #4 Last Edit: June 06, 2020, 10:02:25 PM by astromeier
Use this IP list as an alias for a rule that allows (passes) these, placed in an upper position.
I've two aliases, Letsencrypt_FDQN and Letsencrypt_Server, for the topmost pass rules:
See attached screenshot...
Tick the "quick" option in the rules you create.
This ensures that they will not be blocked by following rules.

I've blocked non-EU traffic, and some of the Let's Encrypt servers are in this blocklist.
This was the cause of my ACME scripts failing to renew....
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G

June 08, 2020, 08:57:07 PM #5 Last Edit: June 08, 2020, 08:59:10 PM by Julien
Thank you Thomas,
you have the rule at the top of the firewall WAN rules;
can you show the rule? Are you allowing it to the WAN address or to this firewall?
Why are you using two rules, one with FQDN and one with IP?


DEC4240 – OPNsense Owner

Hi Julien,
the LE-FDQN and LE-Servers aliases are separated due to history:
First I introduced the FQDN alias and later saw that more servers are involved...
This is the reason for my whitelist.
The images show the FDQN rule; the Servers rule is the same with the Server alias...
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G

Thank you so much Thomas,
I am using it too now. I'll monitor it; hopefully we will keep their IPs updated.
Much appreciated, and stay safe
DEC4240 – OPNsense Owner

I have been doing packet spoofing and found those FQDNs which are used for validation and renewal:

acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org


IPs will be changed every 3 months according to their policies.
DEC4240 – OPNsense Owner

August 04, 2020, 04:49:06 PM #9 Last Edit: August 04, 2020, 05:12:02 PM by astromeier
Great, thanks for sharing!
You can add to your list:

outbound1.letsencrypt.org
outbound2.letsencrypt.org

... these 6 entries are the content of my letsencrypt-FDQN alias.
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G

You are welcome,
if I find a new FQDN I'll add it.
For now the latest updated list is:

outbound1.letsencrypt.org
outbound2.letsencrypt.org
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org
DEC4240 – OPNsense Owner

Hi All - next update:

3.128.26.105
34.222.229.130
34.211.6.84

Yes, I know that Let's Encrypt does not recommend whitelisting since their server IPs change over time.
But some will need it because these LE servers are often blocked by GeoIP when it is used as a Europe-only
filter, as in my case.

So I will try to update the list below when I notice firewall problems while updating my certificates...

The current (2020-09-29) LE server list is:

172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
3.128.26.105 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.6.84 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
34.222.229.130 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G

Update:
3.120.130.29 (Amazon Cloud & A100 ROW GmbH)

The current (2021-05-21) LE server list is:

172.65.32.248 (Cloudflare)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
3.120.130.29 (Amazon Cloud & A100 ROW GmbH)
3.128.26.105 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.6.84 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
34.222.229.130 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G

New update:
3.122.178.200
18.184.114.154

The current (2021-05-31) LE server list is:

172.65.32.248 (Cloudflare)
18.184.114.154 (Amazon Cloud & A100 ROW GmbH)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.224.20.83 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
3.120.130.29 (Amazon Cloud & A100 ROW GmbH)
3.122.178.200 (Amazon Cloud & A100 ROW GmbH)
3.128.26.105 (Amazon Cloud)
34.209.232.166 (Amazon Cloud)
34.211.6.84 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
34.222.229.130 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
52.58.118.98 (Amazon Cloud)
64.78.149.164 (outbound2.letsencrypt.org)
66.133.109.36 (outbound1.letsencrypt.org)
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G

June 12, 2021, 12:29:44 PM #14 Last Edit: June 12, 2021, 12:56:09 PM by astromeier
Hi all!
A large number of new IPs; maybe some older ones are inactive now.
Below you'll find the complete list...
Some are listed in abuseipdb.com, but I'm pretty sure they are correct.

New IPs:
18.116.86.117 (Amazon Cloud)
18.184.29.122 (Amazon Cloud & A100 ROW GmbH)
18.196.102.134 (Amazon Cloud & A100 ROW GmbH)
18.197.97.115 (Amazon Cloud & A100 ROW GmbH)
3.19.56.43 (Amazon Cloud)
3.142.122.14 (Amazon Cloud)
3.67.34.92 (Amazon Cloud & A100 ROW GmbH)
52.39.4.59 (Amazon Cloud)
54.189.22.122 (Amazon Cloud)

Complete list:
172.65.32.248 (Cloudflare)
18.116.86.117 (Amazon Cloud)
18.184.114.154 (Amazon Cloud & A100 ROW GmbH)
18.184.29.122 (Amazon Cloud & A100 ROW GmbH)
18.194.58.132 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
18.196.96.172 (Amazon Cloud & A100 ROW GmbH)
18.196.102.134 (Amazon Cloud & A100 ROW GmbH)
18.197.97.115 (Amazon Cloud & A100 ROW GmbH)
18.222.145.89 (Amazon Cloud)
18.224.20.83 (Amazon Cloud)
18.236.228.243 (Amazon Cloud)
3.14.255.131 (Amazon Cloud)
3.19.56.43 (Amazon Cloud)
3.120.130.29 (Amazon Cloud & A100 ROW GmbH)
3.122.178.200 (Amazon Cloud & A100 ROW GmbH)
3.128.26.105 (Amazon Cloud)
3.142.122.14 (Amazon Cloud)
3.143.223.150 (Amazon Cloud)
3.67.34.92 (Amazon Cloud & A100 ROW GmbH)
34.209.232.166 (Amazon Cloud)
34.211.6.84 (Amazon Cloud)
34.211.60.134 (Amazon Cloud)
34.222.229.130 (Amazon Cloud)
52.15.254.228 (Amazon Cloud)
52.28.236.88 (Amazon Cloud & A100 ROW GmbH, maybe FALSE)
52.58.118.98 (Amazon Cloud)
52.39.4.59 (Amazon Cloud)
54.189.22.122 (Amazon Cloud)

See the additional FQDN list.
Stay secure!
Thomas

OPNsense 22.x / Qotom Q370G4 ram8G ssd256G