i prefer to have a strict DROP policy for outgoing traffic from production servers. let's encrypt's API endpoint is behind Akamai's CDN, and the IP address to which acme-v02.api.letsencrypt.org resolves changes frequently. i don't like playing whack-a-mole every 3 months, so i've:
- set up a squid-based proxy server that allows for filtering based on domain names: /etc/squid/squid.conf
    # ip of the web server with let's encrypt certbot
    acl src_web2 src 22.214.171.124
    acl dst_letsencryptacmeapi dstdomain acme-v01.api.letsencrypt.org
    acl dst_letsencryptacmeapi dstdomain acme-staging-v02.api.letsencrypt.org
    acl dst_letsencryptacmeapi dstdomain acme-v02.api.letsencrypt.org
    http_access allow src_web2 dst_letsencryptacmeapi
    http_access deny src_web2
- told let’s encrypt to use a proxy server
by creating /etc/systemd/system/certbot.service.d/env-proxy.conf with:
    [Service]
    # that's the address of the proxy server
    Environment="HTTPS_PROXY=http://126.96.36.199:3128"
and running: systemctl daemon-reload
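Before trusting the proxy as the only egress path, it is worth checking on paper what the squid rules above actually decide. The following is an added example, not code from the post: a small offline evaluator that reproduces squid's documented semantics for `src` and `dstdomain` ACLs and for `http_access` ordering (first fully matching line wins; an ACL entry starting with `.` also matches subdomains; and, per squid.conf.documented, when no line matches, the default is the opposite of the last line's action). The rules are a constructed copy of the post's squid.conf; `10.0.0.5` is a constructed address standing for any other host on the network, and the trailing `http_access deny all` in the hardened variant is the catch-all that squid's stock configuration ends with, assumed here to sit after the post's lines.

```python
"""Offline evaluator for squid http_access rules (added example, not the post's code)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed copy of the rules shown in the post (IP addresses are the post's).
POST_CONF = """
# ip of the web server with let's encrypt certbot
acl src_web2 src 22.214.171.124
acl dst_letsencryptacmeapi dstdomain acme-v01.api.letsencrypt.org
acl dst_letsencryptacmeapi dstdomain acme-staging-v02.api.letsencrypt.org
acl dst_letsencryptacmeapi dstdomain acme-v02.api.letsencrypt.org
http_access allow src_web2 dst_letsencryptacmeapi
http_access deny src_web2
"""

# Same rules followed by the catch-all deny that squid's stock squid.conf ends with
# (assumption: the post's lines are placed before it).
HARDENED_CONF = POST_CONF + "http_access deny all\n"

Acls = Dict[str, Tuple[str, List[str]]]
Rule = Tuple[str, List[str]]


def parse_conf(text: str) -> Tuple[Acls, List[Rule]]:
    """Collect `acl` definitions (repeated names merge their values, as in squid)
    and `http_access` lines in file order. Other directives are ignored."""
    acls: Acls = {"all": ("src", ["all"])}  # squid predefines `acl all src all`
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, kind, values = parts[1], parts[2], parts[3:]
            known_kind, known_values = acls.setdefault(name, (kind, []))
            if known_kind != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            known_values.extend(values)
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(kind: str, values: List[str], src_ip: str, dst_host: str) -> bool:
    """Match one ACL against a request. `src` takes IPs/CIDRs (or `all`);
    `dstdomain` is an exact hostname match unless the entry starts with '.',
    in which case the bare domain and every subdomain match (squid's rule)."""
    if kind == "src":
        ip = ipaddress.ip_address(src_ip)
        return any(v == "all" or ip in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if kind == "dstdomain":
        host = dst_host.lower().rstrip(".")
        for v in values:
            v = v.lower()
            if v.startswith("."):
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:
                return True
        return False
    raise ValueError(f"acl type {kind} not supported by this evaluator")


def is_allowed(conf_text: str, src_ip: str, dst_host: str) -> bool:
    """Walk http_access lines in order; the first line whose ACLs all match
    (a leading '!' negates one) decides. If no line matches, squid applies the
    OPPOSITE of the last line's action, which is why a rule set that ends in
    `deny src_web2` silently allows every other source."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], src_ip, dst_host)
               != t.startswith("!") for t in terms):
            return action == "allow"
    last_action = rules[-1][0] if rules else "deny"
    return last_action == "deny"


if __name__ == "__main__":
    web2, other = "22.214.171.124", "10.0.0.5"  # 10.0.0.5 is a constructed address
    for conf_name, conf in (("post", POST_CONF), ("hardened", HARDENED_CONF)):
        for src, host in ((web2, "acme-v02.api.letsencrypt.org"),
                          (web2, "example.com"),
                          (other, "acme-v02.api.letsencrypt.org")):
            verdict = "allow" if is_allowed(conf, src, host) else "deny"
            print(f"{conf_name:8} {src:16} -> {host:36} {verdict}")
```

Run it as a script and the third line of the "post" block shows the point: with only the two `http_access` lines from the post, a request from any host other than the web server falls through to squid's implicit default, which is the opposite of the final `deny`, i.e. allow. The stock squid.conf's closing `http_access deny all` is what turns that into a deny, so the post's lines must be inserted above it rather than appended after it.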