We are in danger of deviating very far off this post’s intended topic. I recommend we split here if there’s any discussion to continue.
Thanks for the split.
I honestly dunno re: the value of continuing the discussion. From the outside, and as new around here and LE, the way things are done doesn’t make a lot of sense to me all the time, and given all the discussion about lots of things that seem to have little effect on direction, I can’t say …
The rationale for port restrictions is that the ports end up associated with particular roles at a company.
We used to have this before with the email addresses
I’m sticking with my view that designing a product/process to accommodate poor poiicy/poltical decisions is simply bad design. It may be the reality in the middle of the end-user bell-curve; just doesn’t change my view.
I sure agree with necessary management of port controls, or mail address, etc. I also maintain it’s the responsiblity of the port-and-server owner to make sure their house is in order. Tired of catering to the sloppy. (For example, companies that STILL can’t configure their mailservers correctly. Frankly, screw em. They can call me.)
Validation is validation. If ‘valid because of access over port 80, or port 443’, then simply picking ONE other port that the entire flippin web doesn’t already have stuff running on is not that big of a deal.
I just don’t buy the idea that one additional far-less-used port is going to screw up vaildation security or efficacy.
OTOH, making it less of a PITA to deploy LE without having to jump through 27 hoops at a time, will have a dramatic effect. It will improve both.
And, as I mused above (the PROTECTEDWORD shtick …), making it easier to get a cert for a machine that’s behind a firewall and will NEVER have a webserver exposed on any port is a good thing.