Is it OK to do the HTTP challenge and then close the ports?

What I mean is, I do my HTTP challenge and everything works, I get my certs, etc.
After that, I closed ports 80 and 443 on my router so I don’t expose my server to the internet, and use local DNS for the resolution of my domain (pointing example.com to my server’s private IP). The certificate is still valid and everything still seems to work that way, until the cert expires I guess. I understand it’s a hacky solution and I should be using the DNS challenge instead, but I can’t until I get myself a proper domain (I’m using a Freenom domain at the moment for the sake of testing things out).

There shouldn’t really be any problem for HTTPS apart from the hassle of handling the renewal manually by opening port 80 each time, right?


Sure, that would work fine.

(With the interpretation that you are closing both port 80 and 443 because you only want visitors from your LAN to access the site.)


It’s not what Let’s Encrypt recommends, but there’s no technical or policy obstacle to doing this.


You might even be able to script the opening and closing of the port(s) so it can automatically renew.


certbot renew --pre-hook "ufw allow 80" --post-hook "ufw delete allow 80"

(assuming the firewall is managed by ufw and deny is the default rule.)
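The one-liner above deletes the allow rule unconditionally, so if an administrator had deliberately allowed port 80 before the renewal, the post-hook would silently remove that rule. The script below is an added example, not code from the thread or from certbot, showing the same pre-hook/post-hook idea with that edge case handled: it only removes the rule it added, it is a no-op when invoked twice, and it is safe to run as the post-hook even when the renewal failed part-way. It assumes the same setup as the reply above (host firewall managed by ufw, default deny) and the hypothetical install path /usr/local/sbin/le-port-hook; the FW, LE_PORT and LE_STATE variables are this script's own, not certbot's. Like the one-liner, it only handles the host firewall; a port-forward on the router is a separate step.

```shell
#!/bin/sh
# Added example (not from the thread): certbot hook that opens TCP/80 only for
# the duration of an HTTP-01 renewal and closes it again afterwards.
# Assumed usage (hypothetical path):
#   certbot renew --pre-hook  "/usr/local/sbin/le-port-hook pre" \
#                 --post-hook "/usr/local/sbin/le-port-hook post"

FW="${FW:-ufw}"                               # firewall CLI; FW=echo for a dry run
PORT="${LE_PORT:-80}"                         # HTTP-01 always arrives on TCP/80
STATE="${LE_STATE:-/run/le-port-hook.state}"  # marker: "this script opened it"

# le_port_open: allow PORT/tcp and remember that this script did so.
# If a matching ALLOW rule already exists (assumed "ufw status" line format
# "80/tcp  ALLOW  Anywhere"), leave it alone so the post-hook does not remove
# a rule the administrator added on purpose.
le_port_open() {
    if "$FW" status 2>/dev/null | grep -q "^$PORT/tcp[[:space:]].*ALLOW"; then
        echo "port $PORT already allowed; leaving firewall alone" >&2
        return 0
    fi
    "$FW" allow "$PORT/tcp" || return 1
    : > "$STATE"
}

# le_port_close: remove the rule only if le_port_open added it. Safe to call
# after a failed renewal and safe to call more than once.
le_port_close() {
    [ -e "$STATE" ] || return 0
    rm -f "$STATE"
    "$FW" delete allow "$PORT/tcp"
}

case "${1:-}" in
    pre)  le_port_open ;;
    post) le_port_close ;;
    "")   ;;   # no argument: just define the functions (e.g. when sourced)
    *)    echo "usage: $0 pre|post" >&2; exit 2 ;;
esac
```

Because certbot runs the post-hook whether or not the renewal succeeded, the state-file approach keeps the window in which port 80 is open to a single certbot run, and a reboot clears /run so a stale marker cannot survive to delete an unrelated rule later.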
