Data Communication Paths for the Lets Encrypt and Certify the Web Apps

I'm pretty sure Jonathan wasn't trying to be snarky, it's possibly a valid solution. Let's Encrypt might not be the best solution for your specific set of demands or wishes.

What would be unsafe about opening port 80 for the path /.well-known/acme-challenge/? 99.9999 % of the time there would be nothing in that path, so for whatever request a script kiddy might throw at it, your webserver just returns "404 file not found". And the other 0.0001 % of the time, there is an ASCII file with a random sequence as file name present which only your ACME client and the ACME server know. Good luck script kiddy!

I really don't see the issue with that solution offered by Jonathan. I've suggested it myself many times.

9 Likes

Sorry James I did not see your post before I posted my reply to jvanasco. I was hoping for a better answer.

A friend assisted me with this solution back in January when our 2 year certificate had expired due to the new restrictions on certificate date length. I thought this would also automate the renewal cycle, which it does. Unfortunately, I cannot allow the risk of the entire Internet having allowed access over the HTTP port to an email server.

I will have to find a better solution, hopefully.

1 Like

Separate servers for email and HTTP might be what you need.

10 Likes

Again, could you perhaps explain what risk that entails? Are you afraid of exploits in the webserver itself? I would be more afraid of exploits in my mailserver which would be online 24/7 :wink:

Note that you don't necessarily have to run the webserver 24/7. E.g., Certbot has a built-in webserver it can use (Python based) only temporarily for just the http-01 challenge.

Also, you only have to renew a certificate every 60 days (recommended) and if you're comfortable with living more on the edge, you could increase the time between renewals closer to the 90 days (the validity of the cert). So that built-in webserver would only be active for a few seconds once every 60-90 days. Could you please explain what the risk would be there? I'm curious :slight_smile:

11 Likes

Again, the information you requested is not public or does not exist.

The LetsEncrypt product is not a solution for everyone. There are technical and procedural requirements. As you are clearly uncomfortable with them, your best solution is likely using another Certificate Authority.

That being said, using pre/post hooks to alter firewall rules is a commonly used technique with negligible security implications.

12 Likes

What IP addresses does Let’s Encrypt use to validate my web server?

9 Likes

Free Let's Encrypt Alternatives
https://alternativeto.net/software/let-s-encrypt/?license=free

10 Likes

To Bruce:

I only have an email server where I have to manage the certificate. There should be no accessible HTTP access from the Internet. How this worked in the past has me complexed and I will be backtracking to figure that out later.

Our web servers are handled by an MSP.

To Bruce and Osiris:

The risk is this:

Friend set up Certify the Web and the service is always working and listening. From what I remember of an earlier part of the conversation, this service program is always listening for and then redirecting:

http://(domain)/.well-known/acme-challenge/ with its ChallengeTokenValue

through the Certify the Web service.

If I allow the entire web to access the email server over port 80, all the script kiddies and others have all day long to bang this system on port 80 with whatever crap they want to send. Why would I want an email server banged with this crap potentially taking it down or even p0wning it due to a vulnerability found?

That is why the more secure method would be to limit it even further with the FW rule:

SRC - LetsEncrypt FQDN (our FW can be configured to check this FQDN)

DST - Our Email Server

Port - HTTP

After that is working, I can also use a further URL rule that will look for the actual URL:

http://(domain)/.well-known/acme-challenge/

Not possible, see: Data Communication Paths for the Lets Encrypt and Certify the Web Apps - #27 by Bruce5051

10 Likes

Bruce:

Thank you ..... This link contained the data path communications information I was seeking earlier:

Good stuff ..... Now I can see it completely.

5 Likes

And this image shows why SRC - LetsEncrypt FQDN (our FW can be configured to check this FQDN) is not a known set.

11 Likes

Aaah, you're running Windows.. I should have known reading the thread title. Well, in that case I can understand why you're so afraid of exploitable stuff :grin:

That said, Certify the Web is not the only ACME client available for Windows. Maybe there is another one more suitable for your specific situation. See ACME Client Implementations - Let's Encrypt for a probably not complete list of ACME clients.

7 Likes

And jump down to Windows / IIS

3 Likes

@webprofusion can say for sure. But while the CTW service may be running all the time, I doubt it is running a web server all the time because it doesn't need to. Almost all ACME clients that have a built-in web server for answering challenge requests only spin it up for the brief period of time they're actually expecting to get requests during a challenge validation. So even if port 80 traffic is being allowed through the firewall to your mail server, it will just get dropped by Windows since nothing would be listening on that port 99.9% of the time.

And as others have said, there are definitely other Windows ACME clients that don't have always running services if that bothers you. They typically just have Scheduled Task jobs running daily-ish to check whether it's time to renew anything.

10 Likes

As @rmbolger says, no the http listener isn't always on. It spins up when a certificate request needs http validation then shuts down shortly afterwards when there are no more validations to perform. It uses the standard Windows http.sys http pipeline. The actual background service that's always running is the core management service, it's serving the internal API the UI uses (so you can close the app UI while renewing 100 certs and stuff just keeps working) and it's doing stuff like cert store maintenance, renewal management with exponential back-off for failures and pushing status reports to the dashboard or sending failure notifications (if you're using those features). It'll also do things like alert you if your server is about to run out of disk space etc (because that impacts cert renewal).

Other ACME clients are definitely available and if you have any doubts/dislikes you should definitely use those instead, I won't be offended. CTW is really aimed towards users who need to manage quite a few certs (we have one org I know of managing 18,000 certs on one server). We also have priority support helpdesk ticketing and our own community forum for questions https://community.certifytheweb.com/ - people will try to be helpful here, but they don't necessarily have all the answers regarding this app.

For low-volume cert management perhaps win-acme would work for you (it's a scheduled task).

[Edit: I should add, if you're handy with PowerShell etc you don't need to run your renewals on the same server that needs the cert, you can renew certs on a single server then deploy them to where you need them. Regarding DNS validation, there's always a way if you're determined enough - at the very least you could run your own acme-dns server for DNS challenge validation]

9 Likes
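The two points made repeatedly in this thread, that an http-01 responder only needs to exist for the few seconds of a validation and that it answers nothing except /.well-known/acme-challenge/&lt;token&gt; (404 for everything else), can be shown in a few dozen lines. The following is an added Python example written for this page; it is not Certbot's standalone plugin or Certify the Web's http.sys listener, and the token and key authorization it serves are constructed placeholders rather than real ACME values. The `ChallengeResponder` class and the `fetch`/`run_demo` helpers are assumptions of this example.

```python
"""Ephemeral http-01 responder (example code, not an ACME client's own code).

Listens only while a challenge is pending, answers only
/.well-known/acme-challenge/<token> for tokens it knows about, and 404s
everything else. Tokens are looked up in a dict, never on disk, so there is
no file system to traverse.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"


class ChallengeResponder:
    """Serves ACME key authorizations for known tokens; nothing else."""

    def __init__(self, host="127.0.0.1", port=0):
        self._tokens = {}          # token -> key authorization
        self._addr = (host, port)  # port 0: let the OS pick (for the demo)
        self._server = None
        self._thread = None

    def add_token(self, token, key_authorization):
        self._tokens[token] = key_authorization

    def start(self):
        """Bind and start listening; returns the port actually in use."""
        tokens = self._tokens

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                # Anything outside the ACME prefix, or an unknown token, is a 404.
                if not self.path.startswith(ACME_PREFIX):
                    return self._not_found()
                keyauth = tokens.get(self.path[len(ACME_PREFIX):])
                if keyauth is None:
                    return self._not_found()
                body = keyauth.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def _not_found(self):
                self.send_response(404)
                self.send_header("Content-Length", "0")
                self.end_headers()

            def log_message(self, *args):
                pass  # keep the example quiet

        self._server = HTTPServer(self._addr, Handler)
        self._thread = threading.Thread(target=self._server.serve_forever, daemon=True)
        self._thread.start()
        return self._server.server_address[1]

    def stop(self):
        """Stop serving and close the listening socket: nothing is left open."""
        self._server.shutdown()
        self._server.server_close()
        self._thread.join()
        self._server = None


def fetch(port, path):
    """Tiny client used to probe the responder; returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def run_demo():
    """Constructed token and key authorization (placeholders, not real ACME values)."""
    token = "example-token-ABCDEF0123456789"
    keyauth = token + ".example-account-thumbprint"
    responder = ChallengeResponder()
    responder.add_token(token, keyauth)
    port = responder.start()
    try:
        hit = fetch(port, ACME_PREFIX + token)              # the one valid request
        wrong_token = fetch(port, ACME_PREFIX + "not-a-token")
        outside = fetch(port, "/admin")                     # outside the prefix
        traversal = fetch(port, ACME_PREFIX + "../../something")
    finally:
        responder.stop()
    # After stop() the port is closed, so a new connection is refused.
    try:
        fetch(port, ACME_PREFIX + token)
        still_listening = True
    except OSError:
        still_listening = False
    return hit, wrong_token, outside, traversal, still_listening


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The responder binds 127.0.0.1 and an OS-chosen port so the demo runs offline; a real deployment would bind port 80 on the public interface for the duration of the validation, which is also the window in which a pre/post hook would open and close the firewall rule mentioned earlier in the thread.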

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.