Can anyone share a list of GoDaddy SSL validation server IP addresses?
I've asked their technical support department but they don't seem to know.
This was the list 2 years ago (below), but it looks like the endpoint IPs are all different now.
Can anyone help please? Thanks.
| Service | DNS Hostnames | Destination IPs | Port |
| --- | --- | --- | --- |
| CRL | crl.godaddy.com | 72.167.18.237 | tcp/80 |
| OCSP | ocsp.godaddy.com | 72.167.18.239 | tcp/80 |
Hi,
Firstly, I'm not at all sure it's a good idea to use IP addresses instead of domain names. CRLs as well as OCSP responses are digitally signed and the content ensures freshness.
Nevertheless, you may find these links useful:
https://dnschecker.org/#A/crl.godaddy.com
https://dnschecker.org/#A/certificates.godaddy.com
https://dnschecker.org/#A/crl.starfieldtech.com
https://dnschecker.org/#A/certificates.starfieldtech.com
https://dnschecker.org/#A/ocsp.godaddy.com
https://dnschecker.org/#A/ocsp.starfieldtech.com
No IPv6 as far as I can see.
Dan
———
I've worked around (not only) SSL security for over 20 years in enterprises and startups.
I am now running an HTTPS expiry management service KeyChest.net
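The question above is really an allowlist-drift problem: an IP captured two years ago may no longer be what the hostname resolves to, and a stale firewall rule then silently blocks CRL/OCSP fetches. The following script is an added example, not code from the thread or from GoDaddy; it takes the table from the question, re-resolves each hostname and flags entries whose allowlisted IP is no longer among the DNS answers. The `FAKE_DNS` answers and `fake_resolver` are constructed so the demo runs offline; `live_resolver` is the real lookup.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Stale allowlist quoted in the question: hostname -> (allowlisted IP, port).
STALE_ALLOWLIST: Dict[str, Tuple[str, int]] = {
    "crl.godaddy.com": ("72.167.18.237", 80),
    "ocsp.godaddy.com": ("72.167.18.239", 80),
}


def live_resolver(host: str) -> List[str]:
    """All IPv4 A records DNS currently returns for host (needs network)."""
    return sorted(set(socket.gethostbyname_ex(host)[2]))


def check_allowlist(allowlist: Dict[str, Tuple[str, int]],
                    resolver: Callable[[str], List[str]] = live_resolver) -> Dict[str, dict]:
    """Compare each allowlisted IP with the current DNS answers for its hostname.

    status: "ok" if the allowlisted IP is still among the answers,
            "drift" if it is not (the rule would now block revocation checks),
            "unresolvable" if the lookup fails.
    rules: one generic allow line per current answer, so the firewall can be updated.
    """
    report: Dict[str, dict] = {}
    for host, (ip, port) in allowlist.items():
        try:
            current = resolver(host)
        except OSError:
            report[host] = {"status": "unresolvable", "stale": ip, "current": [], "rules": []}
            continue
        status = "ok" if ip in current else "drift"
        rules = [f"allow tcp to {addr} port {port}  # {host}" for addr in current]
        report[host] = {"status": status, "stale": ip, "current": current, "rules": rules}
    return report


# Constructed DNS answers for the offline demo (not real GoDaddy records).
FAKE_DNS: Dict[str, List[str]] = {
    "crl.godaddy.com": ["192.0.2.10", "192.0.2.11"],  # moved: stale IP no longer answers
    "ocsp.godaddy.com": ["72.167.18.239"],            # unchanged
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for live_resolver, answering only from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise OSError(f"constructed NXDOMAIN for {host}")
    return sorted(FAKE_DNS[host])


if __name__ == "__main__":
    for host, entry in check_allowlist(STALE_ALLOWLIST, fake_resolver).items():
        print(host, entry["status"], entry["current"])
```

Run it periodically (or at change time) against `live_resolver`; a `drift` result is the cue to refresh the rule or, better, to switch to hostname-based egress control so the rule follows DNS.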
Hi Dan, many thanks, that pretty much confirms what we have discovered so far.
This may be a strange question, but why does GoDaddy use port 80 for this type of traffic?
I work for a company where we need to open FW rules and am being asked why this traffic is not encrypted. Any help in explaining this would be appreciated.
Hi,
[I misunderstood the question and thought it was about validating certificate requests. As I chipped in to that one as well, I will keep this here 🙂 ]
The use of port 80 instead of 443 has been discussed as part of the standardization of the ACME protocol - which is a protocol for automatic certificate management (https://tools.ietf.org/html/rfc8555). So a simple answer is - that's what the relevant standard says.
There is some reasoning behind it that takes into account how HTTPS / 443 is handled by some internet service providers. The bottom line is that it is possible for someone else to validate certificate requests for your domain.
Dan
———
I've worked around (not only) SSL security for over 20 years in enterprises and startups.
I am now running an HTTPS expiry management service KeyChest.net