Required ports to run Let's Encrypt

bartlomiej.kania · June 14, 2017, 10:29am

Hi!

I have all ports blocked on my server and can just unblock specific ones. Could you please tell me which ports should I unblock to get Let’s Encrypt work?

Best regards,
Bart

Nekit · June 14, 2017, 11:04am

None if you can/want to use DNS-01 challenge, 80 if you want to use HTTP-01 challenge and 443 if you want to use TLS-SNI-01 challenge.

If you donʼt mind me asking, why do you want a certificate issued by a public CA if your server have all of its ports blocked?

bartlomiej.kania · June 14, 2017, 1:20pm

I mean the server out ports to handle all communications with Let’s Encrypt servers, not the server in ports.
So I have all out traffic blocked on the server and just need to unblock ports for Let’s Encrypt.

Regards,
Bart

danb35 · June 14, 2017, 2:38pm

The client software needs to make outbound connections to ports 80 and 443.

schoen · June 14, 2017, 6:17pm

Depending on the client software in question, I think potentially only 443. All of the ACME protocol itself runs over HTTPS. Maybe 80 is also useful for features like OCSP stapling?

mnordhoff · June 14, 2017, 6:27pm

Clients do at least one or two DNS queries as well. So they need to be able to access whatever the system’s configured resolver is, presumably on port 53. (Are there OSes where the standard networking libraries can be configured to use a different port? Does anyone do it?)

danb35 · June 14, 2017, 7:58pm

I thought I saw some http:// calls in dehydrated, but I could be mistaken. Thanks for the clarification.

lsabiiniok · June 20, 2017, 9:00am

Bart doesn’t think about outgoing traffic

The thing is that there is some incoming traffic needed to install letsencrypt using Certbot. Company security policy blocks Internet connection. It can be unblocked but we need to specify IPs and port numbers to hosts that certbot needs to communicate with to successfully install and renew certificates.

Or alternatively - find a way to import certificates without internet connection, using csr or sth

schoen · June 20, 2017, 5:54pm

Hi @lsabiiniok,

It sounds like you’re saying that you have a different situation in which you want to know what you need to allow for inbound connections in order to perform the validation.

As a matter of policy, Let’s Encrypt does not commit to using particular IP addresses for inbound validation connections, and may change or randomize these without any notice. Therefore, Let’s Encrypt-specific firewall rules are not supported.

You can use the DNS-01 challenge method to perform validations without allowing inbound connections. This involves making a requested change to your DNS zones, which some Let’s Encrypt clients can do automatically for some DNS providers. You can find out a lot more information about this method by searching on this forum.

system · July 20, 2017, 5:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Internet ports that Let's Encrypt uses for its renewal Help	3	5057	March 1, 2023
Let's Encrypt and Firewall rules Server	2	75139	September 4, 2016
Tls alpn challenge on non-standard https port (8080) Help	5	2512	April 11, 2019
Get Let's Encrypt Certificates With Blocked Ports by ISP Help	5	4442	October 4, 2017
How to use let's encrypt on application without apache server? Help	2	3326	September 13, 2020

Required ports to run Let's Encrypt

Related topics