Very basic info on renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: balorda1.duckdns.org

I signed my certificate with acme-client and httpd on OpenBSD, listening only on port 80.

After signing, the certificate works like a charm on httpd listening on 443 (TLS).

A very basic question, for renewal: will httpd have to listen on port 443 (TLS)?

Or listening only on 80 will be enough?

/etc/httpd.conf would be:

server "balorda1.duckdns.org" {
        listen on 0.0.0.0 port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}

Looking at the specific location block for the /.well-known/acme-challenge/* path without the redirect, your http-01 challenge should succeed with just port 80 open. So in theory, you could run your HTTPS on a different port.

Thanks. In fact, the initial signing worked with only port 80 listening.
I thought that renewals could also work with only port 80 listening, and you have confirmed that for me.

If you started getting the certificate with port 80, then yes indeed.

(There are also the tls-alpn-01 and dns-01 challenges which don't require port 80.)

I'm not an expert on the ACME RFC, so I'm raising this question:

are tls-alpn-01 and/or dns-01 challenges needed for renewal?

Usually only a single challenge type is used.


As Osiris says, usually only a single challenge type is used. Moreover, it will ordinarily (i.e., with most popular ACME clients using their default settings) be the same challenge type that was used to obtain the cert in the first place. So, if you originally got your cert using HTTP validation (which uses port 80), renewals will validate in the same way (which means port 80 will need to be open for that as well).

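A preflight check for what the two answers above describe: an http-01 renewal needs the challenge path served on port 80, and that path must not be caught by the `location *` redirect. This is an added example, not code from the thread or from acme-client; it assumes the httpd.conf shown above, curl(1) on the host, and that httpd's `root "/acme"` is /var/www/acme on the host filesystem (httpd runs chrooted in /var/www).

```shell
#!/bin/sh
# Preflight for http-01 renewal: confirm that port 80 answers
# /.well-known/acme-challenge/<token> with the file placed in the
# challenge directory and is not caught by the "location *" 302 redirect.
# Assumption: httpd's root "/acme" resolves to /var/www/acme on the host
# (httpd is chrooted in /var/www); override with ACME_DIR if different.
ACME_DIR=${ACME_DIR:-/var/www/acme}

# challenge_ok STATUS BODY EXPECTED
# An ACME validator wants HTTP 200 and a body equal to the file content.
challenge_ok() {
    [ "$1" = "200" ] && [ "$2" = "$3" ]
}

# explain_failure STATUS: map the status to the likely httpd.conf problem.
explain_failure() {
    case $1 in
        301|302|307|308) echo "redirected: the challenge location is being caught by the redirect block" ;;
        404) echo "not found: check that root and 'request strip 2' map the URL onto $ACME_DIR" ;;
        000) echo "no response: is httpd listening on port 80 and reachable from the Internet?" ;;
        *)   echo "unexpected HTTP status $1" ;;
    esac
}

# probe_http01 DOMAIN: write a throwaway token, fetch it over plain HTTP,
# then clean up. Returns 0 when the path is served correctly.
probe_http01() {
    domain=$1
    token="preflight-$$-$(date +%s)"
    tmp=$(mktemp) || return 1
    if ! printf '%s' "$token" > "$ACME_DIR/$token"; then
        echo "cannot write to $ACME_DIR (run as root, or set ACME_DIR)"
        rm -f "$tmp"
        return 1
    fi
    status=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")
    body=$(cat "$tmp")
    rm -f "$tmp" "$ACME_DIR/$token"
    if challenge_ok "$status" "$body" "$token"; then
        echo "OK: port 80 serves the http-01 path; acme-client renewal can proceed"
        return 0
    fi
    echo "FAIL: $(explain_failure "$status")"
    return 1
}

# Usage: sh preflight.sh balorda1.duckdns.org
if [ -n "${1:-}" ]; then probe_http01 "$1"; fi
```

Run it from the web host (or any machine that reaches port 80 of the domain) before `acme-client` runs; a 301/302 result means the challenge location is not taking precedence over the redirect.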

Thanks a lot!

