Let’s Encrypt IP Addresses Used for Validation
I have servers that use Let's Encrypt certs. I would like to create a proxy policy that will handle only challenge-type requests as needed and forward all other HTTP requests to HTTPS.
Is this possible and if so what would the configuration look like?
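For readers who want to see what "answer only the challenge requests, send everything else to HTTPS" looks like on the web server itself (as opposed to in a WatchGuard policy, which the thread does not spell out), here is an added example in Go. It is not code from the original post or from WatchGuard. It serves the HTTP-01 path defined in RFC 8555 (`/.well-known/acme-challenge/<token>`) from an in-memory store and answers every other plaintext request with a 301 to a fixed canonical host. The store contents, the canonical host name `www.example.com`, and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"regexp"
	"strings"
)

// acmePrefix is the HTTP-01 challenge path from RFC 8555 section 8.3.
const acmePrefix = "/.well-known/acme-challenge/"

// ACME tokens are unpadded base64url. Rejecting anything else (dots, slashes,
// percent-escapes) before the token touches the store also rules out path
// traversal if the store is ever backed by files on disk.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ChallengeStore maps a challenge token to its key authorization
// ("<token>.<account-key-thumbprint>"). A real ACME client fills this in;
// the example uses an in-memory map (assumption for the example).
type ChallengeStore map[string]string

// challengeToken returns the token if p is a well-formed HTTP-01 path.
func challengeToken(p string) (string, bool) {
	if !strings.HasPrefix(p, acmePrefix) {
		return "", false
	}
	tok := strings.TrimPrefix(p, acmePrefix)
	if !tokenRe.MatchString(tok) {
		return "", false
	}
	return tok, true
}

// NewACMEFrontHandler serves HTTP-01 challenges from store and sends every
// other plaintext request to https://canonicalHost with a 301. The redirect
// target is fixed rather than copied from the Host header so the listener
// cannot be turned into an open redirect by a forged Host.
func NewACMEFrontHandler(store ChallengeStore, canonicalHost string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, acmePrefix) {
			tok, ok := challengeToken(r.URL.Path)
			if !ok || (r.Method != http.MethodGet && r.Method != http.MethodHead) {
				http.Error(w, "bad request", http.StatusBadRequest)
				return
			}
			keyAuth, found := store[tok]
			if !found {
				// 404 rather than a redirect: a stale or unknown token should
				// fail visibly in the CA's validation log, not bounce to HTTPS.
				http.NotFound(w, r)
				return
			}
			// RFC 8555 section 8.3: key authorization as application/octet-stream.
			w.Header().Set("Content-Type", "application/octet-stream")
			fmt.Fprint(w, keyAuth)
			return
		}
		// Everything else: preserve path and query, change only scheme and host.
		target := "https://" + canonicalHost + r.URL.RequestURI()
		http.Redirect(w, r, target, http.StatusMovedPermanently)
	})
}

func main() {
	// Constructed sample entry; a real token and thumbprint come from the ACME client.
	store := ChallengeStore{
		"DGyRejmCefe7v4NfDGDKfA": "DGyRejmCefe7v4NfDGDKfA.nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzwLVvb0Z6Q",
	}
	// Assumed canonical host for the example.
	log.Fatal(http.ListenAndServe(":80", NewACMEFrontHandler(store, "www.example.com")))
}
```

Because the CA only ever needs the challenge path, the plaintext listener exposes nothing else: unknown tokens get a 404, malformed tokens a 400, and ordinary browser traffic is moved to HTTPS with its path and query intact. If a firewall proxy sits in front, the same split applies: pass `/.well-known/acme-challenge/` through to the web server and redirect the rest.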
Comments
Hi @NetworkWise
We can do SSL Offloading to push SSL traffic to an HTTP server, but I'm not sure this can be done the other way around. If this were possible, traffic would only be encrypted between the firewall and the server on your network. Most web browsers throw warnings for traffic transported to them via HTTP.
I'd suggest an HTTP proxy for your challenge requests (going to your specific servers) and an HTTPS proxy for your normal traffic if possible.
-James Carson
WatchGuard Customer Support
Thanks @james.carson. I'll try specifying the FQDN for Let's Encrypt and see if that works. The official stance is that Let's Encrypt will not publish validation IP addresses due to their policy and security considerations.