Do the renewal servers have static IP?

Hi LetsEncrypt community
We just had a close call with a certificate we use for our openldap server. There the certificate had expired, and we couldn't initially renew it, since we only had opened LDAP ports 389 and 636 from outside. (80, 443 and 22 were always available from our office LAN)

I suspect this is also why the automatic renewal failed, though I cannot confirm this anymore in hindsight.

My question is, is the renewal of the certificate done with a server that has a static IP(range) that we could allow for incoming traffic on port 80?

We do not want to have port 80 open to public traffic, if it's avoidable. For right now, I just had my network engineers open the port, I successfully renewed the certificate and told them they can close it again.

Kind Regards

Renato Wirth
peoplefone AG

No. Please see the Let's Encrypt FAQ about this: FAQ - Let's Encrypt

An alternative to using the http-01 challenge could be the dns-01 challenge, but that requires some amount of influence over the DNS. Note that the Let's Encrypt validation server follows CNAME RRs, so you could permanently set up a CNAME for _acme-challenge.example.com to e.g. acme-validation-dns-server.example.com which would be a dedicated, publicly accessible DNS server under your controle. This could be an acme-dns instance you'd be running on that host. Certbot can interface with acme-dns. It could also interface with a BIND instance for example. Or you could maybe use Cloudflare, certbot can also interface with Cloudflare... A lot of options here :slight_smile:

5 Likes

If this is a publicly-facing server (that is, you already keep 443 open to the Internet), then there's really no more harm in keeping port 80 open all the time as well, and that's the recommended configuration.

If this is an "internal" server, where the general Internet shouldn't have access to it, then I'd second Osiris's recommendation and use DNS-01 authentication instead. Some DNS providers make this really easy, and others don't so you need to use something like acme-dns.

The other option, which I've heard some people do, is automate/script the opening and closing of the hole in the firewall. That is, configure their ACME client to run some command to connect to the firewall and make port 80 open to all upon doing a renewal, and run another command afterward to close the port again. A lot of ACME clients have "hooks" that allow for running these sorts of custom scripts. But again, this may be really complicated depending on your infrastructure.

The fundamental issue is that in order to prove that you actually own the domain name you're trying to get a certificate for, Let's Encrypt needs to confirm that you own it as seen from everywhere on the Internet. The Internet can show different people different things for a variety of reasons, but to really "own" a name you need to be able to prove you can respond to the challenge the same way from everywhere. (And Let's Encrypt does check from multiple places.) This means that somewhere, you need a port open to the world. Depending on the challenge type, this might be 53 for DNS-01, 80 for HTTP-01, or 443 for TLS-ALPN-01, but something needs to be open to the world. For some reason, IT departments tend to have the most trust in their DNS server software and are okay with opening 53 to the world even when they're not willing to open anything else, which is why DNS-based challenges are the way a lot of people with restrictive firewalls tend to go.

6 Likes

Hi Osiris and Peter

Thank you for your reply.

This is a public facing server, in the sense that it has a static public IP, though we do not have port 443 open. Instead, ports 389 and 636 are open to the public.
As a general rule, we don't want to keep open ports that are not required, and since this is an LDAP server, it does not need to have any HTTP ports open for that purpose.

This is good enough for me, I can forward this to our network team as the reason why we should have port 80 open.

Kind Regards

Renato

2 Likes

You can also tell your network team that even if the port is open all the time, nothing would be listening on it the vast majority of the time. The mini web server that answers that challenge(s) is only spun up for a minute or so during the cert renewal which should be happening once every 60'ish days.

4 Likes