Renewal of certificate using win-acme without port :80

Hello,

I'm here to ask a maybe stupid question, but I was left without answers from the previous IT guy and I never did anything with certificates. The thing is that we received a mail telling us that a few of our certificates will expire soon. I logged on to the server, checked that, and saw that he was using win-acme to renew certs. Previous runs were OK, but when I tried to run it, I got error 400. I know that port 80 on those websites is blocked (and I somehow can't unblock it yet, so I want an alternative), but 443 works fine. Would it be okay if I tried to use DNS-01 or TLS-ALPN-01 instead of HTTP-01 (which was the first option that he used to renew and create certs), and would that not stop our IIS server from running? Not completely, but I don't want to stop them if there is an option (I don't know if the site has to be reloaded in IIS after renewing certs)?

You either need port 80 open (at least temporarily) or you need to use DNS validation. tls-alpn-01 only works on port 443 and will interrupt existing https connections while validation is running (as far as I know).

Port 80 blocks happen because:

  • Windows firewall doesn't allow it or is actively blocking
  • Your VM hosting doesn't allow TCP port 80, so it doesn't reach your server
  • Your corporate firewall blocks port 80 or doesn't forward port 80 to that server.
  • Something else (like apache) is already running on port 80, so nothing else gets to use it.

IIS and win-acme can share port 80, so you don't need to worry about that. There is no special security benefit to blocking port 80 if you don't offer any other services on port 80 anyway. Some people block port 80 'just because' to tighten security which is OK if everyone understands that's what's happening.

DNS validation is a strong alternative to http validation. This works by updating your DNS with a TXT record every time the domain needs to be validated again, and it works around having to get http validation working.

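To make the difference between http-01 and dns-01 concrete, here is an added example (not from the thread and not win-acme's own code) that builds exactly what an ACME client publishes for each challenge, following RFC 8555 sections 8.1, 8.3 and 8.4 and the JWK thumbprint rule of RFC 7638. The RSA account key is generated locally and thrown away, the token is a constructed placeholder standing in for the one the CA hands out, and `www.example.com` is a placeholder domain. tls-alpn-01 is not covered.

```powershell
# Added example: http-01 and dns-01 challenge values per RFC 8555 / RFC 7638.
# Account key is throw-away; token and domain are constructed placeholders.

function ConvertTo-Base64Url([byte[]] $Bytes) {
    # RFC 4648 §5 base64url, without padding, as ACME requires.
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-Sha256([byte[]] $Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $sha.ComputeHash($Bytes) } finally { $sha.Dispose() }
}

# RFC 7638: thumbprint = SHA-256 over the JWK's required members only,
# sorted lexicographically and serialized with no whitespace.
function Get-RsaJwkThumbprint([System.Security.Cryptography.RSA] $Key) {
    $p = $Key.ExportParameters($false)          # public part only
    $e = ConvertTo-Base64Url $p.Exponent
    $n = ConvertTo-Base64Url $p.Modulus
    $json = '{"e":"' + $e + '","kty":"RSA","n":"' + $n + '"}'
    ConvertTo-Base64Url (Get-Sha256 ([Text.Encoding]::UTF8.GetBytes($json)))
}

function Get-AcmeChallengeValues(
    [string] $Domain,
    [string] $Token,
    [System.Security.Cryptography.RSA] $AccountKey
) {
    # RFC 8555 §8.1: key authorization = token || '.' || thumbprint(account key)
    $keyAuth = "$Token.$(Get-RsaJwkThumbprint $AccountKey)"
    [pscustomobject]@{
        # http-01 (§8.3): the CA fetches this URL over plain HTTP on port 80
        # and expects the key authorization as the response body.
        Http01Url  = "http://$Domain/.well-known/acme-challenge/$Token"
        Http01Body = $keyAuth
        # dns-01 (§8.4): the CA resolves this TXT record; it never connects
        # to the server, so no inbound port has to be reachable.
        Dns01Name  = "_acme-challenge.$Domain"
        Dns01Value = ConvertTo-Base64Url (Get-Sha256 ([Text.Encoding]::UTF8.GetBytes($keyAuth)))
    }
}

# Throw-away 2048-bit account key (works on Windows PowerShell 5.1 and PowerShell 7).
$accountKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$token      = 'constructed-placeholder-token-replace-with-the-CA-issued-one'
$values     = Get-AcmeChallengeValues -Domain 'www.example.com' -Token $token -AccountKey $accountKey
$values | Format-List

# Once the TXT record is published, check it from any machine before the CA does:
#   Resolve-DnsName -Name $values.Dns01Name -Type TXT -Server 8.8.8.8
# and compare the Strings property against $values.Dns01Value.
```

The point of the two outputs: `Http01Body` has to be served on port 80 by something on the host (IIS or win-acme's own listener), while `Dns01Value` only has to exist in DNS, which is why the dns-01 route sidesteps a port 80 block entirely.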

Interestingly http error 400 is Bad Request, which is quite different to a timeout.

Note also that win-acme in self-hosted challenge mode doesn't care about IIS, so you don't need your website to have an actual port 80 http binding in IIS.

[Edit: try a server restart first, windows firewall can be a bit flaky]

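Before changing anything, it helps to find out which of the blocks listed above you are actually dealing with. The following is an added diagnostic pass for the Windows host itself (not from the thread and not a win-acme feature); it only reads state. Run it in an elevated PowerShell. The `$publicHost` value is a placeholder for the site's public name, and the last test has to be repeated from a machine outside your network to tell a host-side block from an upstream one (hosting, corporate firewall, router).

```powershell
# Added example: read-only checks for "port 80 is blocked" on a Windows/IIS host.
# Nothing here modifies firewall rules, IIS or http.sys.

$port       = 80
$publicHost = 'www.example.com'   # placeholder: the hostname in the certificate

# 1. Is something already bound to TCP/80? IIS (w3wp / System via http.sys) is fine and
#    coexists with win-acme's self-hosted listener; Apache, Skype, etc. would not.
$listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Host "Nothing is listening on TCP/$port; win-acme self-hosted mode will bind it itself."
} else {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("Listening on {0}:{1} -> PID {2} ({3})" -f
            $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
    }
}

# 2. http.sys URL reservations. IIS and HttpListener-based tools such as win-acme share
#    port 80 through these, so entries like 'http://+:80/' are expected, not a problem.
netsh http show urlacl | Select-String -Pattern ":$port/" -Context 0, 1

# 3. Windows Firewall: enabled inbound rules that cover TCP/80 (explicitly or via 'Any'),
#    plus each profile's default inbound action. A Block rule, or no Allow rule together
#    with a Block default, produces exactly the timeout the CA reports.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $port -or $_.LocalPort -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action, Profile |
    Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 4. Does the server answer on port 80 locally at all? ($true / $false)
Test-NetConnection -ComputerName localhost -Port $port -InformationLevel Quiet

# 5. Same test against the public name. Run this line from a machine OUTSIDE your network:
#    if 1-4 look fine here but this fails there, the block is upstream of the server.
Test-NetConnection -ComputerName $publicHost -Port $port
```

Read step 3 together with step 4: a listener that answers on localhost but a profile whose `DefaultInboundAction` is `Block` with no matching Allow rule is the classic host-side cause; if everything passes locally and the external test still times out, stop looking at Windows and check the device in front of it.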

Hey!
Thank you for your answers. I managed to contact the previous IT guy and finally he gave me the connection data for our MikroTik router (that's why just the firewall option didn't work). It has a rule blocking port 80, and after that http-01 worked perfectly and painlessly ;D. Thank you once again for the answers. The topic can be closed now.
