I have installed a Certbot certificate on my Lighttpd Raspberry server. Everything is working perfectly.
However I have a doubt. To make it work, I have opened ports 80 and 443 of my firewall, mapping Internet ports 80 and 443 to the same ports of the web server.
My question is very simple.
Is it safe to keep them open? It is not clear to me.
When I was on HTTP without a certificate, for safety I had a random Internet port (for instance 53636) mapped to the web server's port 80.
Please clarify, thanks, Dan.
If you have port 443 open, then it is equally as safe to keep port 80 open.
[port 443 doesn’t make systems “safer” - it makes conversations private]
Furthermore, port 80 only needs to do one single thing:
- redirect all connections to HTTPS
[which can be done by any system - even a completely separate one]
[anything beyond that is “extra” and NOT required]
Let’s Encrypt’s documentation on this:
If you have third-party users who might contact your server on port 80 (by just typing in the hostname without a protocol schema), it could be confusing to them if the server doesn’t answer the first time to redirect them to HTTPS.
If you are the only user or if all users always use a bookmark with a custom port to access the service, you could choose not to listen on port 80 or port 443, but you still have to listen on port 80 temporarily during the renewal process (which you could then do with something like certbot --standalone, where the port 80 listener process is ephemeral).
What is not very clear is how I can renew the certificate without opening port 80. Can you please detail?
I read it but it is a bit too complicated to me.
As far as I understood, the renewal is handled automatically but in this case I should keep port 80 open.
I was thinking to keep it closed and to open it temporarily only for the renewal process.
Is there a way to manually renew the certificate?
Thanks for the help.
If you open ports by running a command on the same server where Certbot runs, you can use
certbot certonly --pre-hook "command to open port 80" --post-hook "command to close port 80"
when issuing the certificate, or run it once to add those commands to the renewal configuration.
If not, you can use
to renew manually, and you can disable the automated renewal attempts entirely by removing the cron or systemd task that runs certbot renew. (You can also disable automated renewal for a single certificate by adding autorenew = False to the top section of that certificate's renewal configuration in /etc/letsencrypt/renewal. In that case you might have to add --force-renewal to your Certbot commands when you renew it manually.)
One method is, as discussed above, to programmatically open and close port 80 just for the renewal. Another, if you have (or can use) compatible DNS service, is to use DNS validation. For that, you don't need to have any ports open at all, but your ACME client needs to make automated updates to your DNS records.
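The pre-hook/post-hook approach from the two replies above, written out as an added example (it is not code from the thread, from Certbot or from Let's Encrypt). It assumes that the firewall Certbot has to open is on the same machine (iptables, or iptables-nft on newer Raspberry Pi OS, which takes the same arguments), that the router in front of it still forwards port 80 to this host, and that the script is installed at the hypothetical path /usr/local/sbin/le-port80. The IPTABLES override variable is also mine, so the functions can be exercised without root. If, as in the original question, the only thing blocking port 80 is the router's port forwarding, a host-side hook like this cannot open it; the hooks would have to drive the router instead.

```shell
#!/bin/sh
# Added example: one hook script that opens TCP/80 on the host firewall before
# an HTTP-01 renewal and closes it again afterwards.
# Assumptions (not from the thread): Certbot and the firewall share a machine,
# the upstream router still forwards port 80 here, and the script lives at
# HOOK_SCRIPT. IPTABLES is overridable so the functions can be dry-run.
set -eu

IPTABLES="${IPTABLES:-iptables}"
HOOK_SCRIPT="${HOOK_SCRIPT:-/usr/local/sbin/le-port80}"
RULE="INPUT -p tcp --dport 80 -j ACCEPT"

open_port_80() {
    # Idempotent: -C checks whether the rule is already present, so a run that
    # crashed before the post-hook does not leave duplicate rules behind.
    # -I inserts at the top of INPUT so the rule wins over any later DROP.
    $IPTABLES -C $RULE 2>/dev/null || $IPTABLES -I $RULE
}

close_port_80() {
    # Delete exactly the rule we inserted; other INPUT rules are untouched.
    $IPTABLES -D $RULE
}

# The renew command that wires the hooks in. Certbot runs --pre-hook only when
# a certificate is actually due for renewal, and --post-hook regardless of
# whether the renewal succeeded, so the port is closed again even if the
# HTTP-01 validation fails.
renew_command() {
    printf 'certbot renew --pre-hook "%s open" --post-hook "%s close"\n' \
        "$HOOK_SCRIPT" "$HOOK_SCRIPT"
}

case "${1:-}" in
    open)  open_port_80 ;;
    close) close_port_80 ;;
    show)  renew_command ;;
    *)     : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Install it with something like `install -m 755 le-port80.sh /usr/local/sbin/le-port80`, then either run the command printed by `le-port80 show` from your cron or timer, or pass the same `--pre-hook`/`--post-hook` pair once to `certbot certonly` so Certbot stores them in that certificate's file under /etc/letsencrypt/renewal and a plain `certbot renew` picks them up. If lighttpd needs to reload the renewed certificate, a `--deploy-hook "systemctl reload lighttpd"` (assumed service name) is the place for that, not the post-hook.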
Out of curiosity I tried:
sudo certbot renew --force-renewal
and the certificate was renewed even though port 80 is closed.
In the router I have only set a forwarding from port XXYYZZ to 443, so I do not understand. Was port 80 not supposed to remain open for the renewal process?
If you renewed within the validity period of your existing authorization (30 days, IIRC), you'll be able to get a new cert without validating the domain again. It isn't a valid indicator of what will happen when your cert is closer to expiration.