This web site restricts inbound access with a firewall. Let's Encrypt domain validation needs some source IP addresses to be allowed through, but which ones should be allowed?
The IP addresses Let's Encrypt uses for ACME domain validation change over time.
Q&A on the official website
What IP addresses does Let's Encrypt use to validate my web server?
We do not publish a list of the IP addresses we use for validation, and these IP addresses may change at any time. We also plan to validate from multiple IP addresses at once. See this article for details.
https://letsencrypt.org/ja/docs/faq/
IP address list
If Let's Encrypt starts validating from additional IP addresses, they must be added to the allowlist. A validation attempt from an address the firewall does not allow is blocked before it reaches the web server, so it leaves no trace in the access log and the challenge simply fails.
The web server must accept TCP port 80 connections from these addresses. HTTP-01 validation always begins on port 80; a redirect to HTTPS is followed, but the first connection cannot be moved to another port.
Let's Encrypt validates from several vantage points at once (multi-perspective validation), which is why a single validation produces requests from several of the addresses below within the same second, as the logs further down show. If the primary vantage point or too many of the remote ones are blocked, the whole validation fails. Where opening port 80 to an unpublished and changing set of addresses is not acceptable, the DNS-01 challenge avoids inbound connections entirely.
At the time of writing, validation has been confirmed to succeed with the following IP addresses allowed.
[IP addresses observed as of 2023/03/30]
3.138.184.165
3.145.152.17
23.178.112.102
23.178.112.106
23.178.112.107
35.86.168.8
54.200.130.18
[IP addresses observed as of 2022/11/06]
18.217.198.241
23.178.112.209
23.178.112.208
34.221.143.127
[IP addresses observed on or before 2022/09/08]
3.19.56.43
3.69.24.161
3.73.159.42
3.74.164.89
3.120.130.29
3.124.187.251
3.134.86.26
3.142.122.14
3.144.218.183
3.145.96.244
3.145.191.206
18.116.86.117
18.159.196.172
18.192.23.35
18.192.36.99
18.225.32.50
18.236.144.238
23.178.112.102
23.178.112.106
34.219.87.132
34.211.11.88
34.221.255.206
35.163.64.218
52.39.4.59
54.191.192.47
54.213.229.162
64.78.149.164
66.133.109.36
79.110.62.213
211.18.252.185
IPs used on 2022/09/08
3.134.86.26
3.74.164.89
23.178.112.106
23.178.112.102
54.213.229.162
The log from that run
[root@webserver httpd]# cat /var/log/httpd/access_log
54.213.229.162 - - [08/Sep/2022:06:55:15 +0900] "GET /.well-known/acme-challenge/dYdq2-6ZZNtyc8WZdDfEKb3-jGAF2PQUsD_C9wwC0Dg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.134.86.26 - - [08/Sep/2022:06:55:15 +0900] "GET /.well-known/acme-challenge/dYdq2-6ZZNtyc8WZdDfEKb3-jGAF2PQUsD_C9wwC0Dg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.74.164.89 - - [08/Sep/2022:06:55:15 +0900] "GET /.well-known/acme-challenge/dYdq2-6ZZNtyc8WZdDfEKb3-jGAF2PQUsD_C9wwC0Dg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.106 - - [08/Sep/2022:06:55:15 +0900] "GET /.well-known/acme-challenge/dYdq2-6ZZNtyc8WZdDfEKb3-jGAF2PQUsD_C9wwC0Dg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.102 - - [08/Sep/2022:06:55:15 +0900] "GET /.well-known/acme-challenge/7ZbszQCByP30PWPB1FyosatlhgYsWc-CTGp_fywPsVs HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.74.164.89 - - [08/Sep/2022:06:55:15 +0900] "GET /.well-known/acme-challenge/7ZbszQCByP30PWPB1FyosatlhgYsWc-CTGp_fywPsVs HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
54.213.229.162 - - [08/Sep/2022:06:55:16 +0900] "GET /.well-known/acme-challenge/7ZbszQCByP30PWPB1FyosatlhgYsWc-CTGp_fywPsVs HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.134.86.26 - - [08/Sep/2022:06:55:16 +0900] "GET /.well-known/acme-challenge/7ZbszQCByP30PWPB1FyosatlhgYsWc-CTGp_fywPsVs HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
When the validator addresses change and certificate issuance fails
1. Temporarily allow all HTTP (port 80) traffic at the firewall.
2. Find the IP addresses used for validation in the access log (Apache's access_log or equivalent): look for requests to /.well-known/acme-challenge/ carrying the "Let's Encrypt validation server" User-Agent.
3. Add those addresses to the firewall rules and switch back from "allow all HTTP (80)" to "allow only the listed IPs". Keep the window opened in step 1 as short as possible: while it is open, the whole HTTP site is reachable from anywhere, not just the challenge path.
4. Run the certificate issuance command. (After a forced issuance, restart Apache so it loads the new certificate; a reload is sufficient and avoids dropping active connections.)
The command below forces issuance, which Let's Encrypt allows up to 5 times per week for the same set of names (the duplicate certificate rate limit). Note, however, that once a domain authorization has succeeded it is reused for a period (about one month at the time of writing; the window is set by Let's Encrypt and may change, so check the current documentation), and renewals inside that window are issued without a new validation. No validator traffic appears in the log in that case, so this procedure only captures addresses when a fresh validation actually takes place.
For the rate limits, which state the maximum number of certificates that can be issued, see here.
certbot-auto renew --force-renew --webroot -w /var/www/html/
systemctl restart httpd
certbot-auto has since been deprecated; with the certbot package the equivalent is certbot renew --force-renewal --webroot -w /var/www/html/ (the documented flag is --force-renewal).
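As an added example (not code from the original post), the following shell script automates steps 2 and 3 above and the rule from the IP address list section that newly observed validator addresses must be added: it extracts the validator source IPs from an Apache access_log, lists the ones missing from an existing allowlist, flags challenge fetches that did not get HTTP 200, and prints firewalld commands for the missing addresses. The sample log lines are constructed (modelled on the post's excerpts, plus two decoy lines), and the allowlist path /etc/acme-allowlist.txt, the firewalld "public" zone and the Combined Log Format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates steps 2 and 3 of
# the procedure above. Assumptions: Apache Combined Log Format (as in the
# post's excerpts), firewalld with a "public" zone, and an allowlist file
# holding one IP per line with no blank lines.

# Constructed sample log. Lines 1, 2 and 5 are modelled on the post's
# 2022/09/08 excerpt (line 5 given a 403 to exercise the failure check);
# lines 3 and 4 are decoys: a curl client hitting the challenge path, and the
# validator UA string hitting an unrelated path.
SAMPLE_LOG=$(cat <<'EOF'
54.213.229.162 - - [08/Sep/2022:06:55:15 +0900] "GET /.well-known/acme-challenge/dYdq2-6ZZNtyc8WZdDfEKb3-jGAF2PQUsD_C9wwC0Dg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.134.86.26 - - [08/Sep/2022:06:55:15 +0900] "GET /.well-known/acme-challenge/dYdq2-6ZZNtyc8WZdDfEKb3-jGAF2PQUsD_C9wwC0Dg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.9 - - [08/Sep/2022:06:55:20 +0900] "GET /.well-known/acme-challenge/dYdq2-6ZZNtyc8WZdDfEKb3-jGAF2PQUsD_C9wwC0Dg HTTP/1.1" 200 87 "-" "curl/7.79.1"
198.51.100.4 - - [08/Sep/2022:06:56:01 +0900] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
54.213.229.162 - - [08/Sep/2022:06:55:16 +0900] "GET /.well-known/acme-challenge/7ZbszQCByP30PWPB1FyosatlhgYsWc-CTGp_fywPsVs HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
EOF
)

# Distinct source IPs of ACME HTTP-01 validation requests, sorted.
# Both filters are needed: the challenge path alone also catches scanners,
# and the User-Agent alone is trivially forged. Treat the result as
# "addresses to review", not as proof that the client was Let's Encrypt.
acme_validator_ips() {
  grep -F '/.well-known/acme-challenge/' |
    grep -F "Let's Encrypt validation server" |
    awk '{ print $1 }' |
    sort -u
}

# Challenge fetches that did not get HTTP 200 (field 9 of the Combined Log
# Format is the status). A line here is a validation that failed at the web
# server; a firewall drop never reaches the log at all.
failed_validations() {
  grep -F '/.well-known/acme-challenge/' |
    grep -F "Let's Encrypt validation server" |
    awk '$9 != 200 { print $1, $9 }'
}

# Validator IPs in the log that are not in the allowlist file (one IP per
# line): the addresses to add in step 3. grep exits 1 when nothing is
# missing, which is a normal outcome here rather than an error.
missing_from_allowlist() {
  allowlist=$1
  [ -r "$allowlist" ] || { echo "allowlist not readable: $allowlist" >&2; return 2; }
  acme_validator_ips | grep -vxF -f "$allowlist" || [ $? -eq 1 ]
}

# One firewalld rich rule per IP, limited to TCP/80 (the only port HTTP-01
# uses). Printed rather than executed: review, run, then firewall-cmd --reload.
# A validator reaching the host over IPv6 gets an ipv6 rule.
firewalld_rules() {
  while read -r ip; do
    case $ip in
      *:*) family=ipv6 ;;
      *)   family=ipv4 ;;
    esac
    printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"%s\" source address=\"%s\" port port=\"80\" protocol=\"tcp\" accept'\n" "$family" "$ip"
  done
}

# Against the real log (assumed paths) the pipeline is:
#   missing_from_allowlist /etc/acme-allowlist.txt < /var/log/httpd/access_log | firewalld_rules
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | acme_validator_ips | firewalld_rules
printf '%s\n' "$SAMPLE_LOG" | failed_validations
```

On the sample, the curl request and the /index.html request are both excluded, which is the point of requiring path and User-Agent together. The generated rules open only TCP/80 to each address, so the cost of a wrong entry is one extra source able to fetch plain HTTP, not a hole into anything else.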
Example Apache access_log entries
66.133.109.36 - - [25/Apr/2022:10:03:46 +0900] "GET /.well-known/acme-challenge/jjKlLKlayRzxHbcg4N0ax_1A6RUkzL0kK1JXtqJf4OQ HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [25/Apr/2022:10:03:47 +0900] "GET /.well-known/acme-challenge/nJXYHqfp2YJ4SMGAFEkHhfv7gyVm2hE-PtZal0DeJwo HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [26/Apr/2022:10:00:35 +0900] "GET /.well-known/acme-challenge/gxtCGKhJ-7vDsw3XWxsfNgNW2X0N2xR118AbgSn7DBQ HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [26/Apr/2022:10:00:35 +0900] "GET /.well-known/acme-challenge/UwthxT6hXli4mJYv-K5ytE85l9tZCA7YbOztIGxyc2A HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [27/Apr/2022:10:00:37 +0900] "GET /.well-known/acme-challenge/pbQ9tocCBkgb_hFaP5rHkP96FoPDIsWMfdd7qp7N0ds HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [27/Apr/2022:10:00:37 +0900] "GET /.well-known/acme-challenge/0xsGjTrDjYeV9o9grlu_gKX4RFdkbH5q4cpO2Q1GzH0 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [28/Apr/2022:10:04:26 +0900] "GET /.well-known/acme-challenge/joSSsJyS2AOBmlfRmW2rn7f-45iymGPap2Vobn8Ok4M HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [28/Apr/2022:10:04:26 +0900] "GET /.well-known/acme-challenge/Gb-5gp3EyipOmTJwtov1tIhmLc8uiODOO06mrqaoAJ8 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [28/Apr/2022:14:17:05 +0900] "GET /.well-known/acme-challenge/_pb9cKA2tzQdw_p-isIS1vyvY-pYlDqZQ6CF5uTzkUQ HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [28/Apr/2022:14:17:06 +0900] "GET /.well-known/acme-challenge/NlJLhjWSxIAZ2Xn_u0We8Nvp24Uy27xErSSi2w38AKw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.211.11.88 - - [28/Apr/2022:14:21:47 +0900] "GET /.well-known/acme-challenge/jtb_Bg1r3P73W3DYuVyRD3bc6E-_oNTAcN3rgTXaAe4 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
54.191.192.47 - - [28/Apr/2022:14:21:47 +0900] "GET /.well-known/acme-challenge/qSETkW9wBL35WA2VJp-cDSuaaX-tz_1fDkyMPaCCJ5E HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.225.32.50 - - [28/Apr/2022:14:21:47 +0900] "GET /.well-known/acme-challenge/jtb_Bg1r3P73W3DYuVyRD3bc6E-_oNTAcN3rgTXaAe4 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.192.23.35 - - [28/Apr/2022:14:21:47 +0900] "GET /.well-known/acme-challenge/qSETkW9wBL35WA2VJp-cDSuaaX-tz_1fDkyMPaCCJ5E HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.73.159.42 - - [28/Apr/2022:14:21:47 +0900] "GET /.well-known/acme-challenge/jtb_Bg1r3P73W3DYuVyRD3bc6E-_oNTAcN3rgTXaAe4 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.144.218.183 - - [28/Apr/2022:14:21:47 +0900] "GET /.well-known/acme-challenge/qSETkW9wBL35WA2VJp-cDSuaaX-tz_1fDkyMPaCCJ5E HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [28/Apr/2022:14:21:47 +0900] "GET /.well-known/acme-challenge/qSETkW9wBL35WA2VJp-cDSuaaX-tz_1fDkyMPaCCJ5E HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [28/Apr/2022:14:21:50 +0900] "GET /.well-known/acme-challenge/jtb_Bg1r3P73W3DYuVyRD3bc6E-_oNTAcN3rgTXaAe4 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"