I’ve been following Letsencrypt for some time and finally have a chance to use it. However, because of the size of the enterprise I work for, our external IP ranges are full of services on different ports. This means I’m hitting the issue of 80 and 443 being available, to be honest, for domain validation.
So that everybody gets the full picture of the issue: I am not using a standalone certbot client. I am using a certificate generator built into an email platform, written for Letsencrypt, to do the request. Obviously any attempt fails due to the port issue. I have used the ACMEClient ports to see what is available, but it seems to have been overlooked in the current implementation, even on certbot.
From reading the forums I am a little concerned about how this particular issue has been brought up and/or dealt with. All standard ports up to 1024 are treated as trusted in the view of a few on this forum. To be honest, whether the port is 80, 8080, 8001 or 10001 should not matter at all. Any port can run a privileged application that can do some form of damage. In fact, don’t most port scanners hit the first 1024 ports? This is why most admins move some systems away from the standard ports to higher numbers.
My real gripe at the moment is that there should be a way to specify the port for domain validation, regardless of using the DNS method as an alternative. The basic method works well for the majority, but surely advanced system admins should have an advanced method for doing a simple override like this.