Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Posted: Mon Aug 13, 2018 11:46 am
by TrevorX
Hello,

We've just configured a TSPlus server's letsencrypt certificate successfully after opening port 80 to the TSPlus server, however we really don't want to leave this open permanently. Does the letsencrypt certificate registration process only require an open port 80 connection during the initial registration process, or every time it renews?

Thanks,

Trevor

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Posted: Mon Aug 13, 2018 5:10 pm
by IvanGB
Hi TrevorX.

I have been through this. Port 80 has to be open for the automatic update to happen.
If you close it, you have to regularly remember to open it, run the Free Certificate wizard and then close it back again.

Cheers.

Ivan

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Posted: Tue Aug 14, 2018 3:23 am
by TrevorX
Hi Ivan,

Sorry, I did do a search, but maybe I didn't use the right terms?

Thanks for your reply. Is there any way to get the autorenewal process to work without having port 80 open permanently? I don't mind opening it once, but it becomes something of a target on a permanent basis.

Thanks again,

Trevor

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Posted: Tue Aug 14, 2018 9:45 am
by IvanGB
Hi Trevor.

Oh, you wouldn't find it over here in the forum, I guess. I found that out through the ticket system.

I feel your pain, I have the same concerns. I had hundreds of failed login attempts attacks through port 80. That's when I closed it, since I thought I didn't need it, and then got bitten by the certificate renewal. Now I keep it open, but I have been able to disable RDP forwarding on HTML5, which stopped most of it. Not sure if it fits your installation, but have a look at this FAQ:

https://support.tsplus.net/kb/faq.php?id=71

Hope it helps.

Cheers.

Ivan

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Posted: Tue Aug 14, 2018 9:47 am
by juwagn
Hello,

It is required only each time you generate the certificate (every 2-3 months), so just keep that in mind; apart from that, you can close port 80.

Sincerely yours, JW.

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Posted: Wed Aug 15, 2018 4:46 pm
by TrevorX
I've had that port open for a single day and that server has been absolutely bombarded with attacks; the endpoint protection system is sending alerts every few minutes. I'm shutting it down and we're going to look for another solution - leaving port 80 open permanently is utterly stupid.

Sort your house out, TSPlus. Mandating a permanently open port like this fundamentally undermines the security of your customers. There are much better ways to get letsencrypt autorenewal to work through APIs. This is just sloppy.