Clarification Regarding TCP Ports

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: syna.ward-kirkwood.com & ward-kirkwood.synology.me

I ran this command: N/A - letsencrypt is attempting to renew SSL Certificate

It produced this output: email from Let’s Encrypt Expiry Bot

My web server is (include version): N/A - Synology Audio Station

The operating system my web server runs on is (include version): N/A - Synology DS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A

I configured my Internet Router to Port Forward TCP Ports 80 & 443 to my Synology NAS to install an SSL Certificate from Let’s Encrypt. My Home Automation Hub requires that TCP Port 80 is forwarded to it. As far as I am aware, it is not possible to Port Forward TCP Port 80 to multiple IP addresses.
I have read a number of people referring to issues with TCP Port 80.

My questions are:

  1. Does Let’s Encrypt require both TCP Port 80 and Port 443 to renew its SSL Certificate?
  2. If so, why both TCP Ports - why not just one (selectable by the user)?
  3. Why doesn’t Let’s Encrypt use TCP Ports above 1024 rather than the standard HTTP and HTTPS TCP Ports?
  4. Why doesn’t Let’s Encrypt permit its users to select the TCP Ports used for SSL Certificate renewal?

If I can have positive responses to these questions, it would be worth it to me to move from using your Free SSL Certificates to paying for them.

Many thanks and best regards
Joe.

My answers are:

  1. Let’s Encrypt doesn’t require any TCP ports to be open, if you use a DNS-based verification method. However, if you choose to use a verification method that uses HTTP or HTTPS, then the relevant port needs to be available for Let’s Encrypt to complete the domain control verification.
  2. Let’s Encrypt doesn’t need both ports open. Where did you get the impression that it did?
  3. Because domain control validation can be trivially worked around if users can stand up a listening service on an arbitrary port and have the CA use that to validate control.
  4. Because domain control validation can be trivially worked around if users can stand up a listening service on an arbitrary port and have the CA use that to validate control.
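To make the answer above concrete, here is an added example (written for this edit, not code from the thread or from Let’s Encrypt) of what the CA actually fetches for each challenge type and over which port, derived from the account key as RFC 8555 (key authorization), RFC 7638 (JWK thumbprint) and RFC 8737 (TLS-ALPN-01) specify. The JWK and token below are constructed placeholders; only the resulting digests would differ with a real account key.

```python
import base64
import hashlib
import json

# Constructed placeholder JWK (NOT a real account key): "n" is just a
# base64url string of plausible length. The optional "alg" member is
# included deliberately: RFC 7638 says it must not change the thumbprint.
EXAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "A" * 342,
    "alg": "RS256",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys in
    lexicographic order, no whitespace. Optional members are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s.8.1: binds the CA's random token to the account key, so a
    stranger who can answer on the host still cannot satisfy the challenge."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01(domain: str, token: str, jwk: dict) -> dict:
    """HTTP-01: the CA connects to TCP 80 and expects the key authorization
    as the response body. The port is fixed by the spec, not selectable."""
    return {
        "port": 80,
        "url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def tlsalpn01(domain: str, token: str, jwk: dict) -> dict:
    """TLS-ALPN-01 (RFC 8737): the CA connects to TCP 443 with ALPN
    'acme-tls/1' and checks a self-signed cert carrying SHA-256(keyauth)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"port": 443, "alpn": "acme-tls/1", "acme_identifier_sha256": digest.hex()}


def dns01(domain: str, token: str, jwk: dict) -> dict:
    """DNS-01: no inbound port at all. The CA resolves a TXT record whose
    value is base64url(SHA-256(keyauth))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"port": None, "name": f"_acme-challenge.{domain}", "txt": b64url(digest)}


if __name__ == "__main__":
    for fn in (http01, tlsalpn01, dns01):
        print(fn.__name__, fn("example.com", "tokEXAMPLE", EXAMPLE_JWK))
```

Running it prints the three artifacts side by side: only DNS-01 needs nothing listening on the host, HTTP-01 is pinned to 80 and TLS-ALPN-01 to 443, and the value the CA checks is tied to the account key in every case, which is why the ports are not something the client gets to choose.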

One is enough, depending on which challenges your client supports.

Because ports over 1024 are available to be used by non-privileged users and do not imply control over a domain/machine.

You didn’t ask for this, but your home automation hub on port 80 can probably reverse proxy requests for /.well-known/acme-challenge/ to the DiskStation, allowing you to validate the cert and keep the automation hub on port 80.

But I would never use a home automation hub over unencrypted HTTP. You should think about putting an SSL cert there, too. If you use different domains you can proxy validations for one and keep the other local, so each can renew by itself.
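The split suggested in the reply above, as an added example that is not part of the original thread and not the hub’s or Synology’s own code: a minimal port-80 front end that relays only well-formed /.well-known/acme-challenge/<token> requests to the NAS and answers everything else itself. The NAS address is an assumed placeholder, and `demo()` swaps in a loopback stub NAS with a constructed token so the whole thing runs offline. Standard library only.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"


def is_acme_challenge_path(path: str) -> bool:
    """Forward only well-formed challenge URLs: the prefix plus exactly one
    base64url token segment (RFC 8555 s.8.3). Anything else, including '..'
    or extra segments, stays local and never reaches the NAS."""
    if not path.startswith(ACME_PREFIX):
        return False
    token = path[len(ACME_PREFIX):]
    return token != "" and all(c.isalnum() or c in "-_" for c in token)


class HubSplitter(BaseHTTPRequestHandler):
    """Stands in for the hub on port 80: serves its own UI, relays challenges.
    nas_url is an assumption (placeholder LAN address; demo() repoints it)."""
    nas_url = "http://192.168.1.10"
    hub_body = b"home automation hub UI\n"

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_GET(self):
        if not is_acme_challenge_path(self.path):
            self._reply(200, self.hub_body)
            return
        # Keep the original Host header so the NAS can match its virtual host.
        host = self.headers.get("Host")
        req = urllib.request.Request(self.nas_url + self.path,
                                     headers={"Host": host} if host else {})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                self._reply(resp.status, resp.read())
        except urllib.error.HTTPError as e:  # NAS said 4xx/5xx: pass it on
            self._reply(e.code, e.read())
        except urllib.error.URLError:        # NAS down: do not fake a 200
            self._reply(502, b"NAS unreachable\n")

    def _reply(self, status: int, body: bytes):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class FakeNAS(BaseHTTPRequestHandler):
    """Stub for the DiskStation's ACME client: knows one constructed token."""
    token = "tok-EXAMPLE_0123"
    key_authorization = b"tok-EXAMPLE_0123.THUMBPRINT_PLACEHOLDER"
    hits = []  # paths the NAS actually received

    def log_message(self, *args):
        pass

    def do_GET(self):
        FakeNAS.hits.append(self.path)
        ok = self.path == ACME_PREFIX + self.token
        body = self.key_authorization if ok else b"not found\n"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(url: str):
    try:
        with urllib.request.urlopen(url, timeout=5) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def demo() -> dict:
    """Run hub and NAS stubs on loopback and exercise the four cases."""
    FakeNAS.hits.clear()
    nas, nas_port = start_server(FakeNAS)
    HubSplitter.nas_url = f"http://127.0.0.1:{nas_port}"
    hub, hub_port = start_server(HubSplitter)
    base = f"http://127.0.0.1:{hub_port}"
    try:
        return {
            "challenge": fetch(base + ACME_PREFIX + FakeNAS.token),
            "unknown_token": fetch(base + ACME_PREFIX + "nope"),
            "hub_root": fetch(base + "/"),
            "traversal": fetch(base + ACME_PREFIX + "../admin"),
            "nas_saw": list(FakeNAS.hits),
        }
    finally:
        for srv in (hub, nas):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is the four outcomes: the real token is answered by the NAS, an unknown token yields the NAS’s 404 rather than a locally fabricated answer, the hub’s own pages are never relayed, and a `../admin` request is refused by the path check before it can reach the NAS. The same prefix rule is what a `location /.well-known/acme-challenge/ { proxy_pass ...; }` block would express if the hub runs nginx.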

Hi @JRJSmith

please start with some basics.

and

So what you need is challenge-specific.