Is port 80 required for renewals?

Sorry for the duplicate. I can’t find a way to delete or edit the old one.

I’m really hoping that you can let me know if port 80 is required to be open for inbound, outbound or in and outbound traffic to renew a certificate.

I registered a certificate with the following command:

certbot certonly --standalone --agree-tos --email me@mydomain -d mycomain

I opened port 80 to inbound traffic to register the cert which worked without a problem. But I need to know if prot 80 is required for renewals.

I have searched through the documentation, read https://letsencrypt.org/docs/allow-port-80/ and https://letsencrypt.org/docs/allow-port-80/ but neither of these pages mention that port 80 is a requirement.

I am not using the cert for a webserver so there is no traffic on ports 80 during normal operation of the server.

All the testing I have done indicates that when I run:
certbot renew --dry-run
certbot renew --force-renewal

The renewal is taking place on outbound port 443. I opened a second terminal and ran:

tcpdump port 80 or port 443

And the only traffic that certbot generated was the following on port 443:

14:50:36.278229 IP myserver.33118 > 172.65.46.172.https: Flags [P.], seq 518:644, ack 3080, win 501, length 126
14:50:36.279444 IP 172.65.46.172.https > myserver.33118: Flags [.], ack 644, win 66, length 0

Furthermore, the only way I could get the renewal to fail was to block port outbound traffic on port 443. The renewal happened successfully when outbound port 80 was blocked.

Any help you with this would be greatly appreciated.

Thanks!

Hi @Groodle

read

and

Result:

If you want to create a certificate, your ACME client must be able to talk with Letsencrypt servers.

There https is used -> local initiated outbound port 443 is required (and answers, but that’s firewall specific).

The port 80 requirement is challenge type specific.

If you want to use http validation, inbound port 80 and a working webserver is required. If that webserver redirects to https, then inbound https is required.

If you use dns validation, no incoming port 80 / 443 is required.

Hi Juergen,

Thanks for the reply. I allowed inbound port 80 to register the certificate which worked fine. My question is whether port 80 is required for the renewal of an existing certificate.

When you say:

“There https is used -> local initiated outbound port 443 is required (and answers, but that’s firewall specific).”

Do you mean that port 80 is not required for renewals? And I only need to allow port 443?

The tcpdump output indicates that this is the case but it would be great to get some confirmation.

Thanks!

There is no real difference between the first certificate and the renew of an existing certificate.

Same rules.

That depends. Assuming you're using the http-01 challenge and not the dns-01 challenge (the latter uses DNS rather than HTTP through port 80), an open port 80 is necessary for the validation of a hostname, called an "authorization". An authorization is valid for 30 days (currently). So once you've validated a hostname and have a valid authorization for that hostname, you can get certificates without an open port 80 for 30 days.

However! Let's Encrypt certificates are valid for 90 days and Let's Encrypt recommends you to renew your certificate after 60 days. By that time, your previous valid authorization would be invalid. So when renewing your certificate after 60 days, you'll need to open port 80 again, so you can validate your hostname again.

Thanks Osiris! This was the information I needed and explains why I couldn’t find any traffic on port 80 for renewals less than 80 days after the cert registration.

If you don’t want to open port 80, you can do tls-alpn-01 validation which works on port 443: https://github.com/ndilieto/uacme#tls-alpn-01-challenge-support

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.