So delegate the validation with a CNAME and do it somewhere that’s not cloudflare. They provide signing with their own CA for origin certificates so I don’t really know why you’re using Let’s Encrypt at all.
Your idea of just randomly blocking access from certain IP address ranges doesn’t really provide you with any security at all. If you’re worried about Russian hackers or whatever, most people exploiting anything have access to botnets with whatever bespoke IP address ranges they need to bypass those sorts of rules.
In anti-fraud we see this commonly: people using stolen details will happily get better matches with GeoIP than the legitimate users of the credentials. Blocking specific countries' IP allocations is just providing a false sense of security on your part.
Even with CloudFlare in front of your servers, it is still valuable to use Let's Encrypt certificates. You can turn on Full Strict SSL validation to the backend and reduce another attack vector. It's an unlikely attack vector to be exploited but it's also a trivial amount of work to implement.
Every layer of security makes attacks that much more costly.
And if you always use Cloudflare (or at least are sure you'd have days to weeks, not minutes to hours, between making a decision to cease using Cloudflare and actually executing it), then it's actually safer to tell them you'll use their Origin certs rather than a public CA, as well as likely being easier.
If you own example.com, you can delegate to dnsauth.example.com for $0 (or simply the price of an Internet-facing machine that has DNS open).
Say you want a cert for www.example.com. LE will check for ownership by looking up _acme-challenge.www.example.com. Instead of having a TXT record with the nonce, _acme-challenge.www is actually a CNAME pointing to _acme-challenge.www.dnsauth, where the TXT nonce lives.
The DNS daemon that is authoritative for dnsauth can be the traditional BIND, or other software:
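The delegation chain described above, as an added example that is not from the thread or from any ACME client or DNS daemon: a small Python model of the two zones plus a CA-style validator that follows the CNAME into the delegated zone and compares the TXT value against the RFC 8555 DNS-01 digest. The ns1 name, token and thumbprint are constructed.

```python
import base64
import hashlib

# Constructed zone data standing in for the two authoritative servers in the
# comment above: the registrar-hosted example.com zone holds only static records
# (the CNAME and the NS delegation), while dnsauth.example.com is the self-hosted
# server that ACME clients update. "ns1" is an assumed name, not from the thread.
ZONES = {
    "example.com": {
        "_acme-challenge.www.example.com": ("CNAME", "_acme-challenge.www.dnsauth.example.com"),
        "dnsauth.example.com": ("NS", "ns1.dnsauth.example.com"),
    },
    "dnsauth.example.com": {},  # TXT records are written here on demand by the ACME client
}

def lookup(name):
    """Return the record for `name` from the most specific zone covering it (child zones win)."""
    for zone in sorted(ZONES, key=len, reverse=True):
        if name == zone or name.endswith("." + zone):
            return ZONES[zone].get(name)
    return None

def dns01_txt_value(token, thumbprint):
    """RFC 8555 s8.4: base64url(SHA-256(token + "." + account-key thumbprint)), no padding."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def publish_challenge(name, value):
    """ACME client side: write the TXT into the delegated zone only; the registrar zone is untouched."""
    ZONES["dnsauth.example.com"][name] = ("TXT", value)

def resolve_txt(name, max_hops=8):
    """CA side: follow CNAMEs like a validator does, refusing loops and over-long chains."""
    seen = []
    while len(seen) < max_hops:
        seen.append(name)
        rec = lookup(name)
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "TXT":
            return value
        if rtype != "CNAME" or value in seen:  # wrong type, or a CNAME loop
            return None
        name = value
    return None  # chain longer than max_hops: treat as not found

def validate_dns01(fqdn, token, thumbprint):
    """True only if the TXT reached via _acme-challenge.<fqdn> equals the expected digest."""
    return resolve_txt(f"_acme-challenge.{fqdn}") == dns01_txt_value(token, thumbprint)

if __name__ == "__main__":
    tok, thumb = "constructed-token", "constructed-thumbprint"
    publish_challenge("_acme-challenge.www.dnsauth.example.com", dns01_txt_value(tok, thumb))
    print("www.example.com validates:", validate_dns01("www.example.com", tok, thumb))
```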
> I did not ask "how", I wished to know who supports a DNS service like that and for what price.
And as I stated in the very first sentence, it is self-serve:
> If you own example.com, you can delegate to dnsauth.example.com for $0 (or simply the price of an Internet-facing machine that has DNS open).
We do this at work: our main registrar does not have a restricted API, so we have a sub-domain that lives on a DNS server in our DMZ. Internal ACME clients update the desired TXT records when asking LE for a cert.
The cost is the price for keeping a VM running and updated, which for us is minimal since it is on our private cloud.
The parent stated that you can run your own DNS server temporarily for the cost of the hardware to run the server and shut the DNS server off after the certificate has been issued. The cost is basically free.