Support for ports other than 80 and 443, v3

I did find there are already threads about this... such as..

Cox Cable blocks ports 80 and 443. If I don't redirect to 85 and 444 respectively, connections can't be made to me.

Are you able to use the DNS challenge as a workaround?

In a world of shared hosting and port forwarding, validation over arbitrary ports is not safe. And adding any specific ports would still be a difficult debate to win.

The only other ports currently authorized by the Baseline Requirements are 22 (SSH) and 25 (SMTP).

For Let’s Encrypt’s purposes, changes in this area would probably also require changes to the ACME standard.

It’s not unimaginable for Let’s Encrypt to support 22 or 25 in the long term, or other ports in the even longer term, but it’s not going to happen soon.

3 Likes

As a workaround I can bypass the redirect, because the request is actually on IPv6 through a tunnel…
though that doesn’t mean that the original issue isn’t still an issue.

What makes any port any more or less safe than any other port?
Especially since I rarely get hits on non-standard ports, thereby making them more secure.

The problem is that being able to listen on arbitrary ports doesn't prove you control a domain. That's why there's the concept of Authorized Ports in the BRs.

An easy example of this is the tens of millions of domains on shared hosting services like cPanel or Plesk. Lots of domains pointing to one IP. In many cases, it's possible for any user to listen on e.g. port 85, and suddenly be able to issue certificates for any one of hundreds of domains on that server.

1 Like

That all sounds like you’re backing that home users shouldn’t be able to host their own domains.
If the only option is 80 and 443, and those are unavailable, there’s no way to be secure. And you’re not working to remedy the problem.

(Sorry, I need to fix my R key; it’s misbehaving)

The DNS challenge exists to address situations like yours (ports are blocked or server is behind a firewall). Have you considered using it?

That's actually the policy of your ISP.

2 Likes

You could always get a cert somewhere else.

On the contrary; but only you can force your ISP to allow a port through.
Stop paying them to block you.

DNS challenge is still an option. And using your own self-signed cert system is yet another option.

The "problem" seems to be that your ISP is blocking port 80 and 443.
If that were not the case, you would already have a certificate.
How can LE remedy that ISP induced problem?

Easy, LE can change its policies to accommodate every user-hostile ISP out there. Because that's totally their responsibility, right?

1 Like

It's important to note the "Baseline Requirements" are not LetsEncrypt policies, but the adopted policies of the association of Certificate Authorities. LetsEncrypt can't change these policies; if they decided to not follow the policies, their certificates would be revoked from browsers and operating systems.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.