You used to be able to complete challenges via port 443 (with plain HTTPS protocol), it’s just that there was quite a severe security vulnerable discovered, allowing people to create certificates for domains they don’t own, which made that practice untenable.
You can still use port 443 to complete challenges, but it requires implementing the TLS-ALPN challenge, which simply isn’t supported by the majority of e.g. Apache and nginx deployments.
Now that this side of the “argument/debate” is clear…
If you care to continue the discussion: What are you reasons for NOT wanting to use port 80 (ever)?
[no one hates HTTP more than I (^see my logo) - but I think we can come to some consensus here]
Single static IP address, port 443 goes to a private cloud server where people can upload documents securely. I would prefer that people can’t make connections to it by mistake using insecure protocol. I prefer to trust my firewall’s ability to just block port 80 than making sure that rewrite rules don’t have any holes. I also wouldn’t mind having a second web server for stuff that doesn’t need to be secure, e.g., family photos, blog articles, etc and then my firewall would route incoming port 80 connects to that second server.
And if you are super paranoid, you can send the port 80 connections to a separate system (not to the same one that does port 443).
Then proxy only the challenge requests from the “80 only system” to the “443 only system”.
If you are insane about security, then place an IPS between the “80 only system” and the “443 only system” to insure no funny business is going on.
If that still keeps you up at night… talk to my friends Jack and Johnny and the good o’le Captain.
I do not exactly understand these suggestions. I am having problems renewing an expired certificate. How do I integrate this into my configuration file? Mine looks quite different btw
return 301 https://nextcloud.somewhere.it$request_uri;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/nextcloud.somewhere.it/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/nextcloud.somewhere.it/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=20" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
I have tried many things but renewing fails every time. I do miss important background knowledge here I must admit, but I think it has to do with the expired certificate and renewing will not connect to port 443 without it?
Thank you very much for clearing that up. I have integrated the “location” line. Renewing certificate still does not work. What should I do? Server error is - Timeout during connect (likely firewall problem) - But my firewall has the “Nginx Full” program profile enabled, which opens ports 80 and 443. I THINK it has to do with the certificate for port 443 being expired is the problem, but I might be wrong about that. What steps could I undertake to troubleshoot?