Problem Statement:
We’re new to Let's Encrypt & we understand Let's Encrypt doesn’t publish IPs for whitelisting.
But from a security perspective, we don’t want to enable ports 80 & 443 at all times.
1) Can we open these ports only while requesting a new certificate or a renewal?
2) Is it required to open ports 80 & 443 all the time where we’re running the certbot utility?
Yes, only port 80 is required for the http-01 challenge, unless you're redirecting the challenge to HTTP on port 443 too.
Not necessarily. Successful validations are currently valid for 30 days. So if you managed to validate all the hostnames, Let's Encrypt wouldn't need to contact your server again in those 30 days.
That said, certificates are valid for 90 days. So there isn't really a reason to run certbot again if all hostnames are validated and you already have a valid certificate for those hostnames.
Thanks @Osiris for the prompt reply, really helpful.
1) So, after 30 days, do I get any notification about the upcoming “validations” which Let's Encrypt needs to perform? The intent is to understand how to again open ports 80/443 on my “certbot” machine to complete the Let's Encrypt validation.
2) What will happen if the validation fails after 30 days, in case we miss re-opening ports 80/443 on the certbot machine?
3) Please share if you're aware whether this information about the 30-day validation is captured somewhere in the Let's Encrypt documentation.
No, a successful validation is only required if you want to get a new certificate issued. Let's Encrypt certificates are valid for 90 days and Let's Encrypt recommends renewing a certificate after 60 days. Therefore, there's no need to validate your hostname(s) again immediately if the authorization isn't valid any longer after 30 days. There's a "gap" of 30 more days before you'd have to renew the certificate.
Nothing. The certificate is valid for 90 days.
As far as I know, it's not. And it could change. But it doesn't matter. You'd need to revalidate your hostnames again anyway, as the validations are valid for a much shorter time than the certificate itself.
In conclusion: you'd need to open your ports when you're renewing your certificate.
@Osiris I’m facing an issue, please suggest if you can guide on this. I have created a wildcard certificate for the domain “rsmgateway.com” & when I'm accessing the application “app.prod.rsmgateway.com”, the browser is giving a certificate error, though the certificate is valid as generated by Let's Encrypt. I was expecting that the wildcard certificate would work with all subdomains.
I have used the command below for generating it; please help me understand what the issue is here:
certbot certonly --manual --preferred-challenges=dns -d *.rsmgateway.com
Wildcards are only valid for one DNS level, and only the leftmost level. I.e., if you’d like to have app.prod.rsmgateway.com covered by a wildcard certificate, you’d need to have the hostname *.prod.rsmgateway.com.
The hostname *.rsmgateway.com would only work for foo.rsmgateway.com and bar.rsmgateway.com and so forth.
Also, you can only have one wildcard symbol in a hostname. So *.*.rsmgateway.com would not be valid.
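As an added example (not part of Osiris's reply or of the certbot project), here is a small POSIX shell function that encodes the rule just described: a wildcard is only valid as the entire leftmost label, there may be only one, and it stands for exactly one non-empty DNS label. A second helper prints the wildcard name that would cover a given hostname. The hostnames from this thread are used as sample input; the script name `name-check.sh` is hypothetical.

```shell
#!/bin/sh
# name_covers PATTERN HOST
# Exit 0 if certificate name PATTERN (exact or wildcard) covers HOST, 1 otherwise.
# Encodes the rule from the thread: '*' is allowed only as the entire leftmost
# label, at most once, and matches exactly one non-empty DNS label.
name_covers() {
    pattern=$1
    host=$2
    case $pattern in
        '*.'*)
            suffix=${pattern#\*.}
            # A second '*' anywhere (e.g. *.*.example.com) makes the name invalid.
            case $suffix in *'*'*) return 1 ;; esac
            # HOST needs at least one label in front of the suffix.
            case $host in *.*) ;; *) return 1 ;; esac
            leftmost=${host%%.*}
            rest=${host#*.}
            # The wildcard consumes exactly the leftmost label; everything after
            # it must equal the suffix, so app.prod.X does not match *.X.
            [ -n "$leftmost" ] && [ "$rest" = "$suffix" ]
            ;;
        *'*'*)
            # '*' in any position other than the leftmost label is not valid.
            return 1
            ;;
        *)
            # No wildcard: plain equality (names are assumed already lower-cased).
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# needed_wildcard HOST
# Print the single wildcard name that would cover HOST (e.g. *.prod.rsmgateway.com).
needed_wildcard() {
    case $1 in *.*) printf '*.%s\n' "${1#*.}" ;; *) return 1 ;; esac
}

# Command-line use: name-check.sh PATTERN HOST  (hypothetical script name)
if [ $# -eq 2 ]; then
    if name_covers "$1" "$2"; then
        echo "$1 covers $2"
    else
        echo "$1 does not cover $2; a wildcard that would: $(needed_wildcard "$2")"
    fi
fi
```

Running `sh name-check.sh '*.rsmgateway.com' app.prod.rsmgateway.com` reports that the name is not covered and that `*.prod.rsmgateway.com` would be. Since certbot accepts several `-d` flags, both wildcards can go into one certificate request if both levels are needed.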
@Osiris Thank you so much for answering my trivial queries, your suggestions worked.
One last thing: what I understand is that the renewal & new certificate processes are kind of the same; at the end of the day, Let's Encrypt will give the fullchain.pem & private key which we need to update. So when my certificate expires I can re-create the SSL certificate rather than renewing it. Is there any difference between these approaches, or, what I want to ask specifically is, what is the advantage of renewing the certificate rather than re-creating it?
Please help me understand this fundamental better.
Once again many thanks for your help & guidance.
Correct, "renewal" is just a short phrase for "get a new certificate with the exact same list of hostnames". Let's Encrypt enforces different rate limits for different certificates and renewals. That's one of the reasons we'd like to enforce the difference between renewals and "just a new certificate" (with a different set of hostnames).
That would be possible, yes.
With most clients, renewal is easier in the sense of client invocation: for example, you could just run certbot renew to renew all the certificates applicable for renewal with the certbot ACME client. It makes maintaining your certificates a lot easier, because you could just run certbot renew many times with cron and let the client determine if renewal is actually necessary. Invoking your client every time with a "get a new certificate" command is rather hard to get into cron.
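Putting Osiris's two conclusions together (open the port only while renewing, and let `certbot renew` in cron decide when that is), here is an added example script that is not from this thread or from the certbot project. It assumes the http-01 challenge (dns-01, as used for the wildcard above, needs no inbound port at all), an iptables host firewall whose INPUT chain otherwise drops port 80, and a rule comment `acme-http01` constructed here to identify the temporary rule. `--pre-hook` and `--post-hook` are real certbot options; the script name `acme-renew.sh` is hypothetical.

```shell
#!/bin/sh
# acme-renew.sh: run "certbot renew" with TCP port 80 opened only for the
# duration of a renewal attempt. Invoke as "acme-renew.sh renew" (e.g. from
# cron); certbot calls this same script back with "open" and "close".
set -eu

# The temporary rule. The comment tags it so the post-hook deletes exactly
# this rule and nothing else. (Rule comment constructed for this example.)
ACME_RULE="-p tcp --dport 80 -m comment --comment acme-http01 -j ACCEPT"

open_acme_port() {
    # Insert at position 1 of INPUT so it takes precedence over any DROP below it.
    iptables -I INPUT $ACME_RULE
}

close_acme_port() {
    # -D matches the rule by its full specification, so reuse the same string.
    iptables -D INPUT $ACME_RULE
}

run_renewal() {
    self=$(cd "$(dirname "$0")" && pwd)/$(basename "$0")
    # certbot runs the pre-hook only when some certificate is actually due
    # (by default, less than 30 days before expiry), and the post-hook after
    # the attempt whether it succeeded or not, so a failed run does not leave
    # the port open.
    certbot renew \
        --pre-hook  "$self open" \
        --post-hook "$self close"
}

case ${1:-} in
    open)  open_acme_port ;;
    close) close_acme_port ;;
    renew) run_renewal ;;
esac
```

Install it somewhere on the root path (for example /usr/local/sbin, an assumed location), make it executable, and schedule `acme-renew.sh renew` daily from cron. On most days no certificate is due, so the hooks never fire and port 80 stays closed; `certbot renew --dry-run` exercises the hooks against the staging environment before relying on the cron job.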