The operating system my web server runs on is (include version): Ubuntu Server 20
My hosting provider, if applicable, is: local
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
Hello, I have a DDNS domain that points to an nginx on port 9000, because my Internet provider does not allow me to listen on 80 and 443. There I run Nextcloud, Home Assistant and other Docker containers. I can't do it through the DNS challenge because it doesn't accept it. What is the problem with my having a certified public domain, but on a port other than the default ones?
The CA/Browser Forum Baseline Requirements define many methods by which a domain can be validated. However, Let's Encrypt only implements three of these many methods, which mandate the use of the authorized ports (80 [HTTP for the http-01 challenge], 443 [HTTPS for the tls-alpn-01 challenge], 25 [SMTP] and 22 [SSH]).
Other CAs may implement e.g. sending a specific email to the email address mentioned in the WHOIS info. But LE does not implement that. And it's, as far as I know, also not implemented in ACME, the protocol used by LE.
Another possibility may be to create a CNAME pointing the _acme-challenge record to another domain (or subdomain) at another DNS provider, if the DDNS provider allows it.
I understand that "this is how it works", but it's a shame, because I just wanted my Docker containers to stop complaining about the lack of a certificate or about a self-signed certificate.
I don't see a security flaw in having a DDNS domain with a port other than 80 and 443.
Thank you all for your attention.
As I am reading their help page, the freemyip.com DDNS provider supports subdomains and TXT type records. So the DNS-01 challenge should work to get a certificate for your domain.
Ports 0-1023 are known as "well-known" or "system" ports, and considered to be "privileged ports" as they require root/administrator access on all major computing systems.
As the global standard is for only administrators to utilize those ports, the CA/B Forum has adopted a stance that proving ownership of ports in that range is a secure enough method to prove control of the system itself, and consequently any domains pointing to that system. This cannot be said of higher ports, which is the security flaw.
To standardize adoption and simplify things, the industry has decided to further specify which of the privileged ports can be used for a given challenge. It is possible for future challenges (or future versions of existing challenges) to use other privileged ports, but that will not happen without an RFC detailing that use and the explicit approval of the CA/B Forum.
lego supports FreeMyIP.com in their ACME client as DNS provider. For Certbot, one could use the certbot-dns-multi plugin which uses lego under the hood. Or just use lego as your ACME client.
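As an added example (not code from this thread, lego or Certbot), the following Python pre-flight check ties together the CNAME delegation of `_acme-challenge` suggested earlier and the DNS-01 TXT record the later replies rely on: it computes the TXT value a CA expects for a challenge token and account key (RFC 8555 section 8.4, RFC 7638 thumbprint), follows the CNAME chain the way a validator does, and reports whether the record at the final name matches. The account key, token, domain names and the in-memory `FAKE_DNS` zone are all constructed sample data; `lookup` is a hypothetical resolver hook you would replace with a real DNS query.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def key_thumbprint(jwk: dict) -> str:
    # RFC 7638 thumbprint: required public members only, sorted keys, no whitespace.
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())

def dns01_txt_value(token: str, thumbprint: str) -> str:
    # RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(token "." thumbprint)).
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode()).digest())

# Constructed sample account key (public part only) and challenge token; not real values.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Constructed in-memory zones standing in for the DDNS provider (home.example.com) and the
# delegate DNS provider (delegate.example.net) that actually hosts the TXT record.
FAKE_DNS = {
    "_acme-challenge.home.example.com.": {"CNAME": ["_acme-challenge.delegate.example.net."]},
    "_acme-challenge.delegate.example.net.": {
        "TXT": [dns01_txt_value(SAMPLE_TOKEN, key_thumbprint(SAMPLE_JWK))]},
    "_acme-challenge.stale.example.com.": {"TXT": ["old-value-from-last-renewal"]},
}

def lookup(name: str, rtype: str, zone=FAKE_DNS) -> list:
    # Hypothetical resolver hook; swap in a real DNS query (e.g. dnspython) for live checks.
    return zone.get(name, {}).get(rtype, [])

def resolve_challenge_txt(name: str, lookup=lookup, max_hops: int = 8):
    # Follow the CNAME chain the way a validating CA does, then read TXT at the final name.
    for _ in range(max_hops):
        cnames = lookup(name, "CNAME")
        if not cnames:
            return name, lookup(name, "TXT")
        name = cnames[0]
    raise RuntimeError(f"CNAME chain ending at {name} exceeds {max_hops} hops")

def preflight(domain: str, token: str, jwk: dict, lookup=lookup):
    # Returns (ok, final_name, expected_txt); ok is True only if the TXT set a CA would
    # see after following CNAMEs contains the value for this exact token and account key.
    expected = dns01_txt_value(token, key_thumbprint(jwk))
    final_name, txts = resolve_challenge_txt(f"_acme-challenge.{domain}.", lookup)
    return expected in txts, final_name, expected
```

Call `preflight("home.example.com", SAMPLE_TOKEN, SAMPLE_JWK)` to see the delegated record validate, and `preflight("stale.example.com", ...)` to see a leftover TXT from a previous renewal fail, which is the usual cause of a DNS-01 "incorrect TXT record" error.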