Certbot auto renewal needs port 80 to be enabled?

I have got my certs with certbot, its very easy & Thanks for making it simple! However i have a question,
I see certbot has setup a cronjob for auto renewal and I do not have to do anything when certs are due for renewal. The question is do I need to enable port 80 to the host for Acme challenge while certbot try to auto renew the certs?. Because after certbot gets the certs I have blocked port 80 to my webserver as It is now only accessible thru https over 443.
Please let me know,



Yes, and you should/can leave port 80 open.
There is no known increased risk in adding port 80 access to a system with port 443 already open.
You could reduce your systems' exposure via port 80 by answering all such connections within one single HTTP vhost config. In there you could redirect all connections to HTTPS and only exclude redirection for /.well-known/acme-challenge/ requests.
You could even go one step further (if you are very security conscious) and ensure those challenge requests are not served from your active document root path.
And if you are extremely paranoid about such security, you could run two independent servers (one for port 80 and one for port 443) - in the same server, or in separate servers, (they could even be two different web servers - like: Apache & NGINX) and have one proxy to the other or to a shared location common/accessible to both.


Some other documentation on this:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.