Change ports 80 and 443

Could it change ports 80 and 443 to others that I have enabled? I have those
occupied by other services.

Thanks for helping.

1 Like

Since each user on a host can open high ports, it would be possible to open a port >1024 and then get certificates for any domain under this IP. I think the port should not be changed.

Well, a port <1024 would serve the cause as well. If you have many servers running different external IPs and a loadbalancer, you have to either install letsencrypt on all servers (not so spiced up about this) or do the manual process with every potential real server, then distribute the resulting certificates (better, but still a bit cumbersome - and tricky, if your firewall restricts access to IP ranges).

My ideal solution would look like this:

a.) know the challenge IP (range) of letsencrypt (66.133.109.36 currently)
b.) define a port <1024 in the challenge
c.) setup rules in the firewall to allow letsencrypt IPs to connect to the loadbalancer on this specific port
d.) set up one cert server which gets all requests to that “cert” port forwarded to its http port
e.) define all hosts for which you want the certificates in your webserver on that server and
f.) run letsencrypt webroot on that server for all domains.

Of course you need to distribute the certificates to the real servers, but that is a minor issue for me.

Does that sound plausible & secure enough for certification?

OTOH, one-time DNS-based verification is also cool - looking forward to that!

1 Like
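The two replies above hinge on how the HTTP-01 challenge actually works: the client proves control by serving `token.thumbprint` at `/.well-known/acme-challenge/<token>`, and the CA fetches it over plain HTTP on port 80. Below is an added, self-contained model of that exchange (example code, not from this thread or from the Let's Encrypt project): the key-authorization and RFC 7638 thumbprint math on the client side, a webroot responder served by Python's stdlib HTTP server, and a simulated CA-side validator that refuses to dial anything but port 80 by default. The account key is a constructed JWK, not a real key, and the demo runs on loopback at an ephemeral high port (relaxing the port policy only for itself, since it cannot bind port 80 unprivileged); the third result it returns is the default policy rejecting that high port, which is the point the first reply makes.

```python
# Added example, not code from the thread: a minimal, self-contained model of
# the ACME HTTP-01 exchange. The CA side is simulated in-process and the
# account key is a constructed JWK, not a real key.
import base64
import hashlib
import json
import os
import secrets
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed account key (public members only). Thumbprint math only needs
# these members, so the modulus does not have to be a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": b64url(b"constructed-modulus-not-a-real-key" * 8)}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the challenge file must contain: token + '.' + account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def publish_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Client / cert-server side: drop the key authorization into the webroot."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_http01(host, port, token, jwk, allowed_ports=frozenset({80})):
    """CA side. A real validator only dials port 80 (it may follow redirects to
    80/443); that fixed, privileged port is what keeps an unprivileged user on
    the same host from answering the challenge from a port >1024."""
    if port not in allowed_ports:
        return False
    url = f"http://{host}:{port}{CHALLENGE_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode()
    except Exception:  # 404, connection refused, timeout: all mean "not proven"
        return False
    return body.strip() == key_authorization(token, jwk)


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep request logging out of the output
        pass


def demo():
    """Run the exchange on loopback.
    Returns (correct_token_ok, wrong_token_ok, high_port_rejected_by_default)."""
    webroot = tempfile.mkdtemp()
    token = b64url(secrets.token_bytes(32))
    publish_challenge(webroot, token, ACCOUNT_JWK)
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    port = server.server_address[1]  # ephemeral high port; see note below
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # The demo cannot bind port 80 unprivileged, so it relaxes the port
        # policy for its own fetches; the third check uses the default policy.
        ok = validate_http01("127.0.0.1", port, token, ACCOUNT_JWK, allowed_ports={port})
        wrong = validate_http01("127.0.0.1", port, "not-the-token", ACCOUNT_JWK, allowed_ports={port})
        high_port_rejected = not validate_http01("127.0.0.1", port, token, ACCOUNT_JWK)
    finally:
        server.shutdown()
        server.server_close()
    return ok, wrong, high_port_rejected


if __name__ == "__main__":
    print(demo())
```

The `publish_challenge` step is all a central "cert server" fronted by a load balancer has to do for each hostname: whatever answers on port 80 for that name must return the key authorization for the account that requested the challenge. Note that the validator compares against the thumbprint of the requesting account's key, so a file left behind by someone else's client does not satisfy a challenge you did not issue.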