Is it ok to do http challenge and then close ports?

glazing32 · July 21, 2020, 9:39pm

What I mean is, I do my http challenge and everything works, I get my certs, etc.
After that, I closed port 80 and 443 on my router so I don’t expose my server to the internet, and use local dns for the resolution of my domain (pointing example.com to my server’s private ip). The certificate is still valid and everything still seems to work that way, until the cert expires I guess. I understand it’s a hacky solution and I should be using dns challenge instead, but I can’t until I get myself a proper domain (I’m currently using a freenom domain at the moment for the sake of testing things out).

There shouldn’t really be any problem for https apart from the hassle of handling the renewal manually by opening port 80 each time, right?

_az · July 21, 2020, 10:44pm

Sure, that would work fine.

(With the interpretation that you are closing both port 80 and 443 because you only want visitors from your LAN to access the site.)

schoen · July 21, 2020, 10:42pm

It’s not what Let’s Encrypt recommends

but there’s no technical or policy obstacle to doing this.

Osiris · July 22, 2020, 6:26pm

You might even be able to script the opening and closing of the port(s) so it can automatically renew.

9peppe · July 23, 2020, 10:46am

certbot renew --pre-hook "ufw allow 80" --post-hook "ufw delete allow 80"

(assuming the firewall is managed by ufw and deny is the default rule.)

system · August 22, 2020, 10:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.