Open Port 80, Renew, Close Port 80?

I was looking for a way to enable https for a limited number of users who are normally on a whitelist. To use Let’s Encrypt, I have learned so far that port 80 needs to be open for any IPs. I already found many posts where people have been told that they cannot limit that number of IPs, so I am not going to ask that again.

In those posts, however, my question was not answered, or at least I did not find it: is it possible to limit the time the port is open?

My idea would be: close all unnecessary services, open port 80, get certificate, close port 80 (except for the systems on the whitelist), restart all stuff. ~80 days later, repeat for renewal - and so on. Is this possible? If it is possible, are there important things I have to consider while doing it?


Right. However, Let’s Encrypt only needs to be able to access the /.well-known/acme-challenge/ path. You can configure your web server to block access to everything else.

Plus, if port 80 is just used for ACME validation and redirecting to HTTPS, nothing on it is sensitive anyway.

Yes. Let’s Encrypt only has to access your server in the moments when you(r ACME client) tells it to.

ACME clients that support executing arbitrary hooks could even be configured to do it automatically, assuming your firewall is scriptable.

Not really.


See also:

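As an added example of the "scriptable firewall" idea in the reply above (this is not code from the thread or from any ACME client), here is a certbot-style pre/post hook script. It assumes iptables with an INPUT chain whose existing rules already admit only the whitelisted hosts on port 80, tags the temporary rule with a comment (`acme-http01`, chosen here) so it can be found and removed unambiguously, and is invoked by certbot as `certbot renew --pre-hook "/path/to/acme-port80.sh pre" --post-hook "/path/to/acme-port80.sh post"`; the script name and the tag are assumptions.

```shell
#!/bin/sh
# Hypothetical certbot pre/post hook pair (example, not certbot's own code):
# opens port 80 to any IP only for the duration of the HTTP-01 validation
# and removes that rule afterwards. Assumes iptables and an INPUT chain whose
# remaining rules implement the whitelist.

ACME_TAG="acme-http01"   # assumed comment tag used to identify our rule

# Rule specification shared by insert, check and delete, so that the post
# step removes exactly what the pre step inserted.
acme_rule_spec() {
    printf '%s' "INPUT -p tcp --dport 80 -m comment --comment $ACME_TAG -j ACCEPT"
}

# -I places the rule ahead of the whitelist and any default DROP, so
# validation traffic from any IP is admitted immediately.
acme_open_cmd()  { printf '%s' "iptables -I $(acme_rule_spec)"; }
acme_close_cmd() { printf '%s' "iptables -D $(acme_rule_spec)"; }
acme_check_cmd() { printf '%s' "iptables -C $(acme_rule_spec)"; }

# DRY_RUN=1 prints the command instead of executing it (for review and
# testing); otherwise the command is executed.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$1"
    else
        # shellcheck disable=SC2086
        $1
    fi
}

acme_pre() {
    # Do not stack a duplicate if a previous post hook never ran.
    if [ "${DRY_RUN:-0}" = "1" ] || ! $(acme_check_cmd) 2>/dev/null; then
        run_cmd "$(acme_open_cmd)"
    fi
}

acme_post() {
    # certbot runs the post hook after the attempt whether or not renewal
    # succeeded, so the window closes on failure too; loop in case more than
    # one copy of the rule exists.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        run_cmd "$(acme_close_cmd)"
        return 0
    fi
    while $(acme_check_cmd) 2>/dev/null; do
        run_cmd "$(acme_close_cmd)"
    done
}

case "${1:-}" in
    pre)  acme_pre ;;
    post) acme_post ;;
    "")   ;;   # no argument: only define the functions
    *)    echo "usage: $0 pre|post" >&2; exit 2 ;;
esac
```

The rule is inserted at the top of the chain with `-I` and deleted with the identical specification, so the whitelist rules underneath are never touched; tagging the rule with a comment lets the post hook verify removal with `iptables -C` rather than guessing at rule numbers. For nftables or ufw the three command builders are the only lines that change. Because the whole exposure window is the length of one validation, a periodic external check that port 80 is not reachable from a non-whitelisted address between renewals is cheap confirmation that the post hook did its job.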

Thanks a lot, this clarification will help me to keep security issues at a minimum.

For clarity, port 80 is only required for HTTP-01 validation. The DNS-01 and TLS-ALPN-01 validation methods work differently.

