Using port 443 for renewal after TLS-SNI is disabled

JuergenAuer · January 19, 2019, 11:10am

you have really an open port 80:

Domainname	Http-Status	redirect	Sec.	G
• http://pandora.nlcv.bas.bg/
195.96.252.66	307	https://pandora.nlcv.bas.bg/	0.083	A

• https://pandora.nlcv.bas.bg/
195.96.252.66	403		1.864	M
Forbidden

• http://pandora.nlcv.bas.bg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
195.96.252.66	307	https://pandora.nlcv.bas.bg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	0.083	A

• https://pandora.nlcv.bas.bg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	404		1.403	A
Not Found

This is enough to use http - validation. The last http status 404 is wonderful.

And closing port 80 isn't good:

Why closing port 80 is bad for security

Topic		Replies	Views
What you need to know about TLS-SNI validation issues API Announcements	1	60891	January 18, 2018
Cannot upgrade certbot on ubuntu 17 Server	5	3856	February 23, 2019
Existing certs from TLS-SNI-01 to HTTP-01 manually- or automatically done Help	9	4275	March 15, 2018
Certbot Auto renew without HTTP and without TLS-SNI-01 Help	9	3528	February 12, 2018
Upgraded certbot renew --dry-run shows it still using tls-sni-01 unless overridden Help	5	2923	February 19, 2019