Renew certificate without ports 80 or 443

I'm running an NTS/NTP server beside a web server on a separate machine; upon initial installation, I re-routed ports 80 and 443 to the NTS server, but this is cumbersome for renewal as they are hardwired to the machine running the web server.
How could I automatically renew my certificates through other ports or means? – Alternatively, I could use ports 80 and/or 443 but only via IPv6…
Thanks for your help!
Michael

Welcome to the community! You are lucky since the default is IPv6 for the HTTP-01 challenge. It is enough if you run the web server on IPv6 only for issuing the certificate.

You can. That breaks validation on your webserver, though.

You can also:

  • use the same certificate you use on the webserver, maybe use a script to push it on the second server.
  • configure the webserver to proxy requests for .well-known/acme-challenge (but that becomes a problem because they both need it, unless they use different hostnames and you can use SNI/VirtualHosts)
  • configure the acme client on the NTS server to use a webroot on the webserver (shared via your internal network and mounted locally -- or not, depending on the client)
  • use the dns-01 challenge.
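As an added illustration of the IPv6-only and webroot points made above (this is example code written for this page, not something posted in the thread or shipped by any ACME client), here is a minimal HTTP-01 responder that binds to IPv6 only and serves nothing except files under `WEBROOT/.well-known/acme-challenge/`. The webroot path `/var/www/acme`, the port, and the function names are assumptions; the ACME client on the NTS machine is expected to write its challenge tokens into that same directory.

```python
# Added example (not from the thread): an IPv6-only HTTP-01 challenge responder.
# Assumptions: webroot /var/www/acme, port 80, and the function names below.
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME challenge tokens are base64url, so only these characters can ever be valid.
TOKEN_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def resolve_challenge_file(webroot, request_path):
    """Map a request path onto WEBROOT/.well-known/acme-challenge/<token>.

    Returns None for any other path, including traversal attempts, so the
    responder can never be talked into serving arbitrary files.
    """
    if not request_path.startswith(CHALLENGE_PREFIX):
        return None
    token = request_path[len(CHALLENGE_PREFIX):]
    if not token or not set(token) <= TOKEN_CHARS:
        return None
    challenge_dir = (Path(webroot) / ".well-known" / "acme-challenge").resolve()
    candidate = (challenge_dir / token).resolve()
    # Belt and braces: the resolved file must sit directly in the challenge dir.
    if candidate.parent != challenge_dir:
        return None
    return candidate


def read_challenge(webroot, request_path):
    """Return the key-authorization bytes for a token, or None if not found."""
    target = resolve_challenge_file(webroot, request_path)
    if target is None or not target.is_file():
        return None
    return target.read_bytes()


class ChallengeHandler(BaseHTTPRequestHandler):
    webroot = "/var/www/acme"  # assumption: the directory the ACME client writes to

    def do_GET(self):
        body = read_challenge(self.webroot, self.path.split("?", 1)[0])
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Record every validation request; handy when a renewal fails.
        print(f"{self.client_address[0]} {fmt % args}")


class IPv6OnlyServer(HTTPServer):
    address_family = socket.AF_INET6

    def server_bind(self):
        # Refuse IPv4-mapped connections so only the IPv6 side is exposed.
        self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        super().server_bind()


def serve(webroot="/var/www/acme", port=80):
    """Serve challenge tokens from WEBROOT on [::]:PORT until interrupted."""
    ChallengeHandler.webroot = webroot
    with IPv6OnlyServer(("::", port), ChallengeHandler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

Binding port 80 needs root or `CAP_NET_BIND_SERVICE`; run it only for the duration of the renewal and point the ACME client's webroot option (for certbot, `--webroot -w /var/www/acme`) at the same directory. Because the handler rejects anything outside the challenge prefix and validates the token characters before touching the filesystem, exposing it on the public IPv6 address reveals nothing but the tokens the client itself has published.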
Thank you, and that's very helpful! – I've opened the ports 80 and 443 (just in case) for IPv6 and --dry-run works flawlessly, excellent!

Now I would like to further restrict the IPs allowed to connect to those ports; which should I choose?

Let's Encrypt purposely does not publish the IP addresses their validations originate from. See: FAQ - Let's Encrypt

Thanks; guess I found a suitable alternative: I've set up URL forwarding at my dynamic DNS provider which should redirect all incoming traffic on port 80 except when a renewal/challenge is started internally. – Looks like it works as expected…
