This is returning to the Let's Encrypt problem I recently posted about.
I've recently been blocking swathes of server farms such as Amazon and MS, which can sometimes send several hundred bot hits a day to my small server. Unfortunately LE uses (potentially) ad hoc IPs within some of these ranges and within several other clouds to update certs. They don't give a list of those IPs; I don't blame them on that score, but it makes my anti-bot firewall blocking perilous to say the least.
LE are aware it's a problem and say, "Use DNS verification", which I can't do without going away from an otherwise very good hosting service.
Since I have both mail server and web server on the same system I block bot ranges for the web sites using:
-A INPUT -s nnn.nnn.0.0/16 -p tcp -m multiport --dports 80,443 -j DROP
From what I have read it's possible to put various other conditions including text into iptables, although it seems these are not reliable due to block size. Is there any way I could add something to iptables to allow the part-URI ".well-known/acme-challenge" through the IP blocks?
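An added example from the editor, not from the original poster, the hosting service, or Let's Encrypt, showing why the URI cannot be matched at the packet filter and what split does work instead. The first packet that arrives from one of the blocked ranges is the TCP SYN, which carries no HTTP data at all; a per-address DROP that swallows the SYN ends the connection before any "GET /.well-known/acme-challenge/..." is ever sent, so "-m string" has nothing to inspect (and on 443 the request is inside TLS anyway). HTTP-01 validation starts on port 80, and the validator follows redirects, so a redirect to a 443 that is dropped for that source fails the check too. The workable arrangement is to keep the address block on 443 only, leave 80 reachable, and let the web server decide what it serves on 80. The script below assumes iptables and ipset are installed, uses the set name "botfarms" and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as constructed input, and only prints the commands rather than applying them; the nginx fragment assumes nginx is the server on port 80.

```shell
#!/bin/sh
# Editor's added example: generate a 443-only block list for bot ranges
# and the matching web-server fragment. Nothing here is applied to the
# live firewall; the output is meant to be reviewed, then piped to sh.
# Assumptions: iptables + ipset available; set name "botfarms";
# nginx on port 80. Ranges below are constructed sample input.

SET_NAME=botfarms

# Accept only a syntactically sane IPv4 CIDR (a.b.c.d/0-32); a typo in a
# range is exactly the kind of thing that silently locks out a validator.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit ipset/iptables commands for the given ranges. One hash:net set
# replaces a rule per /16, and the single DROP matches 443 only, so a
# validator connecting to 80 from inside a blocked cloud still gets
# through; what it may fetch on 80 is decided by the web server.
gen_rules() {
    printf 'ipset create %s hash:net -exist\n' "$SET_NAME"
    for cidr in "$@"; do
        if ! valid_cidr "$cidr"; then
            printf 'skipping malformed range: %s\n' "$cidr" >&2
            continue
        fi
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport 443 -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

# Emit the port-80 side for nginx (assumed server): the ACME path is
# open to everyone, everything else on 80 is refused for the same ranges.
# The prefix location is matched first, so the deny list never applies
# to the challenge files.
gen_nginx() {
    printf 'location ^~ /.well-known/acme-challenge/ {\n    allow all;\n}\n'
    printf 'location / {\n'
    for cidr in "$@"; do
        valid_cidr "$cidr" && printf '    deny %s;\n' "$cidr"
    done
    printf '    allow all;\n}\n'
}

# Sample run on constructed ranges (documentation prefixes, not real bots).
if [ "${1:-}" = "--demo" ]; then
    gen_rules 203.0.113.0/24 198.51.100.0/24
    echo
    gen_nginx 203.0.113.0/24 198.51.100.0/24
fi
```

Run with `sh script.sh --demo` to see both fragments; `gen_rules ... | sh` applies the firewall half once you are happy with it. The price of this split is that bots in the blocked ranges can still complete a TCP handshake on 80 and receive a 403 for anything outside the challenge path, which is cheap for the server; the alternative, dropping 80 as well, is what makes HTTP-01 renewals fail unpredictably.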