I’ve been reading through the ACME spec, and I noticed that HTTP validation MUST be done over port 80 (and 443 for https). Why is this? The important thing is that the ACME server connect to the correct IP for the server whose identity is to be validated. The port number would seem to be irrelevant. Having to connect to one of these standard web port numbers for validation is quite annoying as it obviously clashes with any existing web service on those ports; it would be more convenient if an admin could set up a custom port for this validation that didn’t require it to be integrated with the existing web service (something that is bound to be more complicated than just running a dedicated ACME client to respond on a custom port).
Does anyone know what the rationale was for requiring validation to be done over port 80 or 443?