Let’s Encrypt is the leader in automating TLS on the internet; here is where it fails.
Let’s Encrypt allows us to authenticate using one of two methods:
You can bring up a temporary HTTP server on port 80.
Alternatively, you can give it the file path to the web root of the domain, which also requires port 80.
I am currently faced with a complicated problem, so let me give you some background on my basic secure set-up. I am using FreeBSD release 11 (don’t use stable) with BSD jails for security. In one jail I have a FAMP stack, with Nginx handling TLS certificates and providing a local proxy to an obscure Apache HTTP port.
Every time I need to renew certificates I need to bring Nginx down, run the temporary authentication server, and start Nginx up again. This usually takes less than 5 minutes.
Having to do this once every 3 months, I thought it was acceptable to bring the website down once every three months, some time on Sunday night or Monday morning.
That being said, as I continue to progress in having a solid server, I thought it was time to authenticate using the second method. The second method creates a hidden directory in the domain’s web root provided by the user. Unfortunately for me, I modified the .htaccess file on all my web roots to disable access to hidden files and folders. I could go back to the .htaccess file and either make an exception or remove the restriction, but why should I? I installed Let’s Encrypt in the hopes of securing the server, not making it vulnerable. Maybe I am just ranting because there is a better way and every webmaster is aware of it: a non-hidden file in the web root with a hashed name.
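For readers who hit the same conflict, here is an added example of what the "make an exception" option looks like in Apache; it is not from the original post and not Let’s Encrypt’s or certbot’s own configuration. It assumes mod_rewrite is enabled and that the hidden directory the validation uses is `.well-known/acme-challenge` under the web root. The first rule set is the kind of blanket dotfile denial the post describes (it also blocks the validation path); the second keeps that denial but carves out only the validation directory, so every other hidden file or folder (`.git`, `.env`, `.htpasswd`, ...) stays forbidden.

```apache
# --- Before: deny every path that has a dot-prefixed segment ---
# This is the restriction described above. It returns 403 for anything
# under .well-known/ too, so HTTP-01 validation files are unreachable.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule "(^|/)\." - [F]
</IfModule>

# --- After: same denial, with one narrow exception ---
# The RewriteCond is evaluated first; when the request URI starts with
# /.well-known/acme-challenge/ the condition fails, the deny rule is
# skipped, and the file is served normally. Every other dot-path still
# gets 403. Only this directory is opened, not all of /.well-known/.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond "%{REQUEST_URI}" "!^/\.well-known/acme-challenge/"
    RewriteRule "(^|/)\." - [F]
</IfModule>

# Belt and braces: even inside the excepted directory, never list it.
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>
```

To check that the exception is as narrow as intended, request `/.well-known/acme-challenge/test` (should be 200 or 404, never 403) and `/.git/config` or `/.env` (should be 403) against the vhost after reloading; the validation directory should also be empty outside renewal windows, since the token files are only needed for the few seconds the check runs.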
Might as well get all the bugs fixed at once, right? Well, there is another problem. On that same box I have a mail server (I know…) in a different jail. I would like the jails to be autonomous for security purposes; that being said, this jail has no access to port 80, and it never will. It would be nice if I could use yet a third method of authentication that does not require port 80. It’s not just this complicated jail set-up that requires this third method of authentication: it would allow users to renew certificates without bringing the server down if they are using an HTTP server that does not have a writable web root (is that even a thing?), like the Scala Play Framework. I doubt websites like Ford.com, Jeep.com or Amazon.com have a hot-modifiable web root. Let’s Encrypt should be made for everyone!