Cannot forward port 80 - any workaround?


#1

Hi!

I am using Nethserver 6.7 as my server OS and I think LetsEncrypt is a great project which I would like to use.

My problem is that in our current infrastructure we can’t use port forwarding on port 80 in the router, since another server uses it. From what I understand it is a requirement that port 80 gets forwarded to the desired server where LetsEncrypt is installed. Is there any workaround to this problem?

Thanks!


#2

Hi,

Can you make use of the webroot plugin in your infrastructure?


#3

If you cannot use port 80 (even, for example, with a proxy on the server using port 80 redirecting to the server you want the certificate for), you should look for alternate challenge methods like the dns or manual challenge. I know that the letsencrypt.sh alternate client supports the dns challenge.


#4

The manual plugin uses the http-01 challenge. If you can’t use port 80, you can’t use http-01.

The only possible solution when port 80 is really out of the question (and for some reason you can’t use the dns-01 challenge) is using port 443. And that’ll require the tls-sni-01 challenge, which, with the official client, is only supported by using the apache plugin or the standalone plugin.


#5

Oops, yes, you are totally right, I do not know what I was thinking…
So only the dns challenge will work if neither port 80 nor 443 is available.

I think however that boulder follows redirects when fetching the challenge file at .well-known/acme-challenge/…, so if you have control over the server on port 80, you maybe can set up a redirect to another port?


#6

How can I set up LetsEncrypt such that the challenge works with DNS (I assume port 53)?


#7

The official client doesn’t support DNS challenges yet.

You can look into letsencrypt.sh which does support dns-01. The README contains instructions. The way it works is that you create a TXT record for the domain you want to verify. This doesn’t require any open ports on the web server.
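As an added illustration (not code from this thread, nor from the official client or letsencrypt.sh), the snippet below shows what both challenge types in posts #5 and #7 actually ask you to publish. For http-01 the CA fetches `/.well-known/acme-challenge/<token>` on port 80 and expects the key authorization (`token.thumbprint`); for dns-01 it looks up a TXT record at `_acme-challenge.<domain>` whose value is the base64url SHA-256 of that same key authorization (RFC 8555 section 8, thumbprint per RFC 7638). The JWK, token and domain below are constructed sample values, not real account material.

```python
import base64
import hashlib
import json

# Constructed sample account key (public JWK) and token; not a real key or challenge.
SAMPLE_JWK = {
    "kty": "RSA",
    "alg": "RS256",  # extra member: must NOT influence the thumbprint
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDpreobOGRM5zCdq",
    "e": "AQAB",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_DOMAIN = "example.test"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only,
    keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token + '.' + thumbprint; this is what ties the challenge to your account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(token: str, jwk: dict) -> tuple:
    """(URL path on port 80, exact response body) the validator expects for http-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record_name(domain: str) -> str:
    """Name of the TXT record the validator queries for dns-01."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value for dns-01: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def txt_record_satisfies(observed_values: list, token: str, jwk: dict) -> bool:
    """Pre-flight check before asking the CA to validate: is the expected value actually
    among the TXT records currently visible (e.g. fetched via a resolver)? Multiple
    values are normal when several certificates are being issued for one name."""
    return dns01_txt_value(token, jwk) in observed_values


if __name__ == "__main__":
    path, body = http01_expected(SAMPLE_TOKEN, SAMPLE_JWK)
    print("http-01: serve", body, "at", path)
    print("dns-01 : TXT", dns01_record_name(SAMPLE_DOMAIN), "=", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Two points this makes visible for the thread's question: the dns-01 path never touches port 80 (or 53 on your side; the CA queries your authoritative DNS as any resolver would), and because the published value is a hash of the key authorization rather than the key authorization itself, a TXT record left behind reveals nothing about your account key. Remove stale `_acme-challenge` records after issuance anyway so they do not accumulate.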


#8

OK, so I guess I have to wait until this is implemented. I wonder though why not use a port like 81 or something which is often unused to do the challenge. Then it could also work in infrastructures like mine where you can’t use port 80 on the router.

Is this port actually just used for the challenge when installing Lets Encrypt? Because in that case I could temporarily port forward port 80 on my server to do the challenge and then set it back.


#9

The challenge exists so that you can prove ownership of a domain. It’s hard to define what “ownership” means in the context of domains, but being able to serve a file on the standard HTTP or HTTPS port demonstrates a certain amount of control over the domain. Being able to serve something on a different port would have different implications - not necessarily enough to demonstrate ownership proof, it could just mean that you were able to get someone to forward a port to you.

Yes, the challenge is a one-time thing - once you have a certificate, you’re good for 90 days. If you’re fine with forwarding the port to a different IP every 60-90 days, that would work.