There has to be a better way of generating certs than having to do manual DNS-01 challenges every 90 days?
I cannot keep port 80 open for HTTP-01 challenges, that just feels dangerous to me.
My DNS host doesn’t support API.
How else can I do this with Certify the Web (Windows) without spending the a few hours doing it all manually? I have several web servers with several web addresses.
Any ideas welcome.
Dangerous how? I assume your port 80 runs the same webserver as your HTTPS on port 443, so I assume your not afraid for hackers directly hacking your webserver.
Also, how do people reach your HTTPS server on port 443? Do they rely on a redirect from port 80 or do people need to manually type https:// in their address bar?
Or do you use HSTS pre-loading? Do all browsers use HSTS pre-loading?
If keeping port 80 open would be actually dangerous, why would almost every site have it open?
Get a new DNS host or make a CNAME record that points to one who does and use challenge aliasing.
Some ACME clients support a challenge type called TLS-ALPN-01 that operates over port 443. One option above and beyond the others suggested in the thread so far would be to switch to a client that has support for this challenge type.
So you refuse to use the obvious solution, and your DNS provider precludes a good alternative. Leaving those two aside, we're left with TLS-ALPN which isn't very widely supported, switching DNS providers (Cloudflare is free and has a widely-supported API), or running your own validation DNS host using acme-dns. Or realize that serving static text files over port 80 isn't dangerous in the least.
Thanks everyone for your replies.
My concern with port 80 is that it needs to be open inbound, so our sites are then available on http (we also use a bit of software that has port 80 and port 443 open, but no redirect is available from port 80 to 443).
Am I over thinking this?
This does not follow. The only thing that has to be accessible on port 80 is the /.well-known/acme-challenge/ path, and that will still follow redirects to port 443. Let's Encrypt doesn't care what else is (or isn't) accessible on port 80.
Perhaps I am not explaining very well.
How would I make it so that traffic from port 80 can only access /.well-known/etc?
Well, that’s not a LetsEncrypt issue, it’s a webserver configuration issue. I don’t know nginx, but in Apache we’d just use deny all for the root path, and accept on the /.well-known/acme-challenge/ path.
I use IIS which I do not think supports it.
Certify The Web by default has an http challenge listener built in for temporarily answering port 80 http challenges, so you can remove the port 80 binding on your IIS site and leave port 80 open for http challenges only. You mention you have a bit of software that uses port 80 and port 443, if that’s not using https.sys (and claims the port exclusively) then there are bunch of other issues there.
Regarding manual dns challenges, they are absolutely the worst option because they are high maintenance and error prone. Use an automated provider - Certify supports acme-dns which you can use with any DNS host (just select the option and run a request to see who it works) and you can optionally use the default acme-dns server if you don’t want to run an acme-dns server. Alternatively switch your dns host to one that certify can automate such as cloudflare, aws route53 etc, some of which have free options.
Regarding alternative challenges like TLS-ALPN-01, currently there is no way to do that on Windows.
The best place to ask certify questions is on https://community.certifytheweb.com or contact support - this forum doesn’t automatically notify me if you mention certify in a question.
This post on dns-01 proxy authentication seems relevant. Just get a CNAME out to a record on a domain you can change either with nsupdate or some API.
You can also issue wildcard certificates and distribute them with some scripting.
As others said before, leaving port 80 open isn’t necessarily a security risk.
Best regards
-lem
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.