Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): Windows Server 2012 R2
My hosting provider, if applicable, is:NA
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):No
I’m using a custom built server app developed in Clarion for Windows and NetTalk 10.19 templates. The custom app I developed has code included to use Let’s Encrypt automatically. All works as expected if I use ports 80 and 443. However, if I use ports 80 and 4434, I keep getting and Invalid Challenge message.
Thanks! I’m very new to all this. My understanding is that the initial “challenge” is over port 80, then all other activity, such as a renewal, takes place over port 443. At this point is port 80 still required? That is, is there still a validation happening over port 80?
Validation always happens over port 80, whether it is first issuance or renewal.
Any activity that happens over any port will only be the result of an HTTP redirect by your own server.
The most straightforward thing to do is just to allow /.well-known/acme-challenge to be excluded from any redirects and to have it served fully over port 80.
It's possible to renew a certificate with a TLS-SNI-01 validation on port 443, but I'm not sure relying on this can be recommended since the ability to do so was previously described as "temporary":
Thanks everyone for helping out with my questions. In my case I have a custom app, with LE code included, that I want to run on a particular server. This server has other services that use 443, but 80 is free. Thus, I thought I could use 4434. It seems from the answers so far, that this will not work. My app must only use 80 and 443. Have I understood things correctly?
Your app needs to use port 80 for initial certificate validation and should normally also use it for certificate renewal. You can't use port 4434 for certificate renewal, except as an HTTP 301 redirection target from port 80.
For serving the application itself, you can use port 80 for HTTP (if you want) and port 4434 or any other port for HTTPS (if you want).
Now, the validation challenge you can use is http (you can use dns too but we are not talking about it here). I mean, you can't use tls challenge, not even for renewals if you didn't issue a certificate using this tls challenge. So, using http challenge, LE must reach your web server on port 80 and you can't redirect all requests to port 80 to another port like 4434, well of course, you can but if you try to renew your cert it won't work because LE won't follow redirections to ports other than 80 or 443.
Said that, you could configure your web server to serve requests for http://yourdomain/.well-known/acme-challenge/${challenge} on port 80 and redirect all other request to port 4434 so LE will be able to validate your domain.
Note: This is far afield of the original question. @jking, the short answer is that your app must use only 80 and 443. There are some obscure caveats and exceptions, but at a basic level that's the best path forward for you.
--- obscure caveats and exceptions follow ---
The TLS SNI renewal exemption logic doesn't care whether your previous issuance was via HTTP or TLS. This was mainly done for implementation simplicity.
I have a follow up question. Our network uses Check Point firewalls. I’m told that our firewall is configured to allow outbound requests over port 80 (and I guess port 443 as well) from my specific server and thus my app. If my app initiates a request on port 80 outbound, an entry is stored in tables of the firewall, to allow a response back to that specific request. However, the firewall will not accept inbound requests on port 80 that have been initiated elsewhere.
When the LE code in my app generates the challenge token and stores it in the .well-known/acme-challenge folder, I assume some sort of request is sent out over port 80. This is a port 80 request initiated by my app. Does LE then respond to this specific request to verify the challenge written to my server/domain/IP address? Or does LE initiate it’s own request back to my server to find the challenge? If LE is initiating the inbound port 80 request, I think our firewall will block it. Thoughts?
That will be a problem, I’m afraid. An ACME client talks to the Let’s Encrypt API using HTTPS. The validation requests come from totally different IPs. Your firewall will block it.
You need to unblock port 80, or use DNS validation.
My firewall guy says he can allow inbound port 80 requests for specific IP addresses, but will not open it to all. Is there a list of LE IP addresses I can give him?
