The webroot issuing scheme needs for HTTP on port 80 where an ACME client e.g. cetrbot will create a folder /.well-known/acme-challenge/ with some files containing a challenge.
My app mostly uses HTTPS 443 port but some users may have old http bookmarks.Eventually I'll migrate them to https and just close the 80 port.
But I still need for opened 80 port just for the ACME challenge.
I wish to add a redirect from http to https but as far I understood this may break the ACME challenge.
I quickly searched and found that indeed there was such problems previously and peopls added a special rule to skip the redirect for /.well-known/acme-challenge/.
I don't know if this is still a problem so here is my questions:
Does LE verifier follows the redirect?
If the TLS cert is outdated will it still accept it and retrieve the challenge files?
Is it possible to make a verification just on the 443 port from beginning? So my app will use a snakeoil self signed cert, then after issuing a new LE cert will be used and on a renewal it shouldn't be a problem.
Not with the http-01 challenge, which always starts on port 80. But the tls-alpn-01 challenge does use port 443 exclusively. See Challenge Types - Let's Encrypt. And also the keep port 80 open documentation above, which links to a Community thread about clients supporting tls-alpn-01.
It depends on the acme clients you are using and your webserver type, but LE will follow the redirect so if your redirect is not rewriting the rest of the URL then it should be OK. You still need port 80 open for the initial redirect to take place.
LE will follow an invalid cert for validation, as far as I know.
There is tls-alpn-01 for port 443 only, but that's different to the http validation process.
If port 80 is a real problem then DNS validation is another option.
Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).
The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.