I don't have HTTP, FTP or WebDAV - is authorization via HTTPS possible?


#1

Not having any Linux box at hand, I am using the IIS client. So forgive me if the following is an unsupported IIS client issue that is fixed in the Unix version.

But I have the following problem:

The server for which I need an auto-renewing certificate is only bound to https://mysubdomain.mydomain.com:443 and smtp://mysubdomain.mydomain.com:25.
Both http://mysubdomain.mydomain.com:80 and ftp://mysubdomain.mydomain.com:21 point to a different server.

As you may have guessed, the error that is thrown during the process is “The ACME server was probably unable to reach http://mysubdomain.mydomain.com/.well-known/acme-challenge/abcdefgh...xyz”.

It is completely clear to me why, but I can’t fix it, because http://mysubdomain.mydomain.com has to point to the other server. If the ACME server would try https://mysubdomain.mydomain.com/.well-known/acme-challenge/abcdefgh...xyz, but ignore any certificate issue, it would successfully find the challenge. In my understanding, this behaviour wouldn’t introduce any new security holes over the current behaviour.

Is there anything I can do to get automated renewal working?


#2

There is a challenge type which uses port 443 (tls-sni-01), but unfortunately none of the Windows clients currently support it as far as I know.

Unfortunately it’s not possible to tell the HTTP-based challenge type to use port 443. This would introduce a vulnerability which could lead to misissuance in certain multi-tenant hosting environments.

There are a couple of other options you could explore. Let’s Encrypt supports verification via DNS TXT records. This is supported by ACMESharp. However, this tends to be tricky to automate.

Another option would be to add a redirect on your port 80 server from http://sub.example.com/.well-known/acme-challenge/* to https://sub.example.com/.well-known/acme-challenge/*. The CA server will happily follow a redirect to HTTPS, so as long as you redirect all requests for .well-known/acme-challenge/* to HTTPS and host the challenge files there, this would work. You wouldn’t need to do anything actively on your port 80 server for each renewal, just a permanent “blanket” redirect.

If that’s not something you can do with the existing server on port 80, I’m afraid DNS-based validation is your only option at the moment.
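The blanket redirect described in this answer, as an added example that is not part of the original post: an IIS URL Rewrite rule in the port-80 site's web.config. It assumes the port-80 server is IIS with the URL Rewrite module installed (a separate download), and that sub.example.com stands in for the real hostname.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original thread). Assumes IIS with the
     URL Rewrite module on the server that answers port 80 for sub.example.com. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect only the ACME challenge path, nothing else on this site.
             The CA follows the 301 to the HTTPS server, which must host the
             /.well-known/acme-challenge/ files for every renewal. -->
        <rule name="ACME challenge to HTTPS" stopProcessing="true">
          <!-- URL Rewrite matches the path without its leading slash. -->
          <match url="^\.well-known/acme-challenge/(.*)$" />
          <conditions>
            <!-- Only for the host whose certificate lives on the HTTPS server;
                 other hostnames on this port-80 site are untouched. -->
            <add input="{HTTP_HOST}" pattern="^sub\.example\.com$" />
          </conditions>
          <!-- {R:1} carries the challenge token from the matched path. -->
          <action type="Redirect"
                  url="https://sub.example.com/.well-known/acme-challenge/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Because the rule is a permanent, token-independent redirect, it is installed once and needs no change at renewal time; the challenge files themselves are written only on the HTTPS server.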