Hello,
I have installed a Certbot certificate on my Lighttpd Raspberry server. Everything is working perfectly.
However I have a doubt. To make it work, I have opened ports 80 and 443 of my firewall, mapping Internet ports 80 and 443 to the same ports of the web server.
My question is very simple.
Is it safe to keep them open? It is not clear to me.
When I was on http without a certificate, for safety I had a random Internet port (for instance 53636) mapped to web server port 80.
If you have port 443 open, then it is equally as safe to keep port 80 open.
[port 443 doesn’t make systems “safer” - it makes conversations private]
Furthermore, port 80 only needs to do one single thing:
redirect all connections to HTTPS
[which can be done by any system - even a completely separate one]
[anything beyond that is “extra” and NOT required]
If you have third-party users who might contact your server on port 80 (by just typing in the hostname without a protocol schema), it could be confusing to them if the server doesn’t answer the first time to redirect them to HTTPS.
If you are the only user or if all users always use a bookmark with a custom port to access the service, you could choose not to listen on port 80 or port 443, but you still have to listen on port 80 temporarily during the renewal process (which you could then do with something like certbot --standalone, where the port 80 listener process is ephemeral).
I read it but it is a bit too complicated to me.
As far as I understood, the renewal is handled automatically but in this case I should keep port 80 open.
I was thinking of keeping it closed and opening it temporarily only for the renewal process.
If you open ports by running a command on the same server where Certbot runs, you can use
certbot certonly --pre-hook "command to open port 80" --post-hook "command to close port 80"
when issuing the certificate, or once to add those commands to the renewal configuration.
If not, you can use
certbot renew
to renew manually, and you can disable the automated renewal attempts entirely by removing the cron or systemd task that runs certbot renew. (You can also disable automated renewal for a single certificate by adding autorenew = False to the top section of that certificate's renewal configuration in /etc/letsencrypt/renewal. In that case you might have to add --force-renewal to your Certbot commands when you renew it manually.)
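The pre-hook/post-hook approach above, written out as a hook script. This is an added example, not code from the thread or from Certbot; it assumes iptables on the Raspberry Pi itself, and the install path /usr/local/sbin/port80-hook.sh and the rule comment tag are made up for the example. It only gates the server's own firewall: the router's forward of Internet port 80 to the server has to exist, and this script is what decides whether anything behind that forward accepts the connection.

```shell
#!/bin/sh
# Added example (not from the thread): a Certbot pre/post hook that opens the
# server's host firewall for port 80 only while the HTTP-01 challenge runs.
# Assumes iptables on the server; the router-side forward of Internet port 80
# to this host is outside the script's reach and must already be in place.
#
# Hypothetical install path and usage (add your usual authenticator options):
#   certbot certonly --pre-hook  "/usr/local/sbin/port80-hook.sh open" \
#                    --post-hook "/usr/local/sbin/port80-hook.sh close"

# Constructed tag so the hook only ever deletes the rule it created itself,
# never a rule the administrator added by hand.
RULE_COMMENT="certbot-http01-temp"

# The match for the temporary ACCEPT rule, returned as one string so that
# insert (-I), check (-C) and delete (-D) all refer to exactly the same rule.
rule_spec() {
    printf '%s' "INPUT -p tcp --dport 80 -m comment --comment $RULE_COMMENT -j ACCEPT"
}

# Pre-hook: insert the rule at the top of INPUT unless it is already present,
# so a retried renewal never stacks duplicate rules.
open_port80() {
    # word-splitting of $(rule_spec) into separate iptables arguments is intended
    if ! iptables -C $(rule_spec) 2>/dev/null; then
        iptables -I $(rule_spec)
    fi
}

# Post-hook: remove every copy of the tagged rule, which also cleans up after
# an earlier run that was interrupted before it could close the port.
close_port80() {
    while iptables -C $(rule_spec) 2>/dev/null; do
        iptables -D $(rule_spec)
    done
}

# Defender's self-check after renewal: succeeds (exit 0) only when the
# temporary rule is gone from the host firewall.
port80_closed() {
    ! iptables -C $(rule_spec) 2>/dev/null
}

# Dispatch on the first argument; with no argument the script does nothing,
# which is what a hook must do when sourced or invoked by mistake.
case "${1:-}" in
    open)  open_port80 ;;
    close) close_port80 ;;
    check) port80_closed && echo "port 80 rule absent" ;;
esac
```

Certbot runs the post-hook after the attempt whether or not it succeeded, so the port is closed again even when validation fails. The same two commands can be kept permanently as pre_hook = and post_hook = lines under the [renewalparams] section of the certificate's file in /etc/letsencrypt/renewal, so that the unattended certbot renew job also opens and closes the port. Because a renewal inside the authorization's validity window may not trigger a new challenge at all, test the hooks with certbot renew --dry-run, which runs the pre- and post-hooks against the staging server, and afterwards confirm with the check argument that the rule is gone.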
One method is, as discussed above, to programmatically open and close port 80 just for the renewal. Another, if you have (or can use) compatible DNS service, is to use DNS validation. For that, you don't need to have any ports open at all, but your ACME client needs to make automated updates to your DNS records.
and the certificate has been renewed even if port 80 is closed.
In the router I have only set a forwarding from port XXYYZZ to 443 so I do not understand. Was port 80 not supposed to remain open for the renewal process?
If you renewed within the validity period of your existing authorization (30 days, IIRC), you'll be able to get a new cert without validating the domain again. It isn't a valid indicator of what will happen when your cert is closer to expiration.