
Comments (10)

kelunik avatar kelunik commented on May 23, 2024 1

Either way, I'm closing this now, as possible workarounds have been mentioned.

from acme-client.

kelunik avatar kelunik commented on May 23, 2024

This is a limitation of the ACME protocol: it only allows HTTP validation using port 80. Validating on ports other than the well-known port 80 for HTTP might be a security issue with shared hosts that aren't configured properly, where anyone can open other ports.

There are other challenge types like SNI over port 443 or a DNS challenge, but those are not supported by this client.

What's the reason for not using port 80? Do you have (another) server running on port 80?


ComputerTinker avatar ComputerTinker commented on May 23, 2024

The reason we use a non-standard port on this server is because it's a QA server that's meant for use only by select clients, not the general public.

Looks like I'll have to find a client that supports the DNS challenge method. I see that the Perl client does, but it's giving me some errors when I try to install it... Anyway, thanks for the response.


kelunik avatar kelunik commented on May 23, 2024

In that case you can just use the certificate of the primary server and you'll be fine. If you want a separate certificate, you can either use the primary web root for verification or redirect /.well-known/acme-challenge to the new port, but it'll be hard to differentiate. I'd just use the certificate you already obtained for the primary service running on port 80.


ComputerTinker avatar ComputerTinker commented on May 23, 2024

There is no primary server running on port 80, and port 80 isn't open in our firewall. The only server we have from our location is the QA server running on an alternate port. Once the code has been QA'd by the client we promote it to a production server which is hosted elsewhere.


kelunik avatar kelunik commented on May 23, 2024

What's the reason to use a non-standard port then? Security through obscurity?


ComputerTinker avatar ComputerTinker commented on May 23, 2024

Yes.


kelunik avatar kelunik commented on May 23, 2024

The hostname will be public anyway, because Let's Encrypt publishes all certificates in CT logs. Security through obscurity doesn't really add any security.

I think I'd propose to use port 80 / 443 and use something like basic auth for the client.


ComputerTinker avatar ComputerTinker commented on May 23, 2024

Yes, I know, I suggested that too, but it's not my decision. ;-)


kelunik avatar kelunik commented on May 23, 2024

But in any case, you could just open port 80 purely for the challenges and not host anything there, works, too.

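The two suggestions in this thread (answering the challenge via the web root, or opening port 80 purely for the challenges and hosting nothing else there) both come down to the same thing: something on port 80 must return the key authorization for `/.well-known/acme-challenge/<token>` and nothing else. The following is an added example, not acme-client's own code, of such a dedicated responder. The key-authorization construction follows RFC 8555 (token, a dot, then the base64url SHA-256 thumbprint of the account key per RFC 7638); the class and function names, the sample token and the sample JWK are assumptions constructed for the example. One practical caveat on the redirect variant mentioned above: Let's Encrypt's http-01 validator only follows redirects to ports 80 and 443, so a redirect to a non-standard QA port would not be followed.

```python
"""Minimal ACME http-01 responder for a port-80 listener that serves only
/.well-known/acme-challenge/<token>.  Added example, not acme-client's code.
The key-authorization and thumbprint rules are from RFC 8555 section 8.3 and
RFC 7638; the names below and the sample data in __main__ are assumptions."""

import base64
import hashlib
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url without padding (RFC 8555 section 8.3).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# RFC 7638 section 3.2: the public members that go into the thumbprint, by key type.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialised
    as JSON with lexicographically sorted keys and no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeResponder:
    """Holds pending challenges and answers exactly those paths; every other
    request gets a 404, so nothing of the QA site is exposed on port 80."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def add(self, token: str, account_jwk: dict) -> str:
        keyauthz = key_authorization(token, account_jwk)
        self._pending[token] = keyauthz
        return keyauthz

    def remove(self, token: str) -> None:
        self._pending.pop(token, None)

    def respond(self, method: str, path: str):
        """Return (status, body); transport-agnostic so it can be tested
        without opening a socket."""
        if method not in ("GET", "HEAD") or not path.startswith(CHALLENGE_PREFIX):
            return 404, b""
        token = path[len(CHALLENGE_PREFIX):]
        # Anything that is not a bare token ('/', '..', '?query') is rejected.
        if not TOKEN_RE.match(token) or token not in self._pending:
            return 404, b""
        return 200, self._pending[token].encode("ascii")


def make_handler(responder: ChallengeResponder):
    """Bind the responder to http.server; the body is text/plain per RFC 8555."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = responder.respond("GET", self.path)
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler


if __name__ == "__main__":
    # Constructed sample data: a token as a CA would issue it and an EC account
    # JWK with placeholder coordinates.  Use the real account key in practice.
    responder = ChallengeResponder()
    sample_jwk = {"kty": "EC", "crv": "P-256", "x": "sample-x", "y": "sample-y"}
    responder.add("sample-token", sample_jwk)
    # Listening on port 80 needs root or CAP_NET_BIND_SERVICE; nothing else is served.
    HTTPServer(("0.0.0.0", 80), make_handler(responder)).serve_forever()
```

Run it on the host the hostname resolves to, add the token the CA hands out before triggering validation, and remove it afterwards; the firewall only needs to admit inbound TCP/80, and the QA application itself stays on its own port untouched.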
