Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

TrevorX
Posts: 6
Joined: Mon Aug 13, 2018 11:39 am

Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Post by TrevorX » Mon Aug 13, 2018 11:46 am

Hello,

We've just configured a TSPlus server's letsencrypt certificate successfully after opening port 80 to the TSPlus server, however we really don't want to leave this open permanently. Does the letsencrypt certificate registration process only require an open port 80 connection during the initial registration process, or every time it renews?

Thanks,

Trevor

IvanGB
Posts: 93
Joined: Sat Feb 06, 2016 2:26 pm

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Post by IvanGB » Mon Aug 13, 2018 5:10 pm

Hi TrevorX.

I have been through this. Port 80 has to be open for the automatic update to happen.
If you close it, you have to regularly remember to open it, run the Free Certificate wizard and then close it back again.

Cheers.

Ivan

TrevorX
Posts: 6
Joined: Mon Aug 13, 2018 11:39 am

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Post by TrevorX » Tue Aug 14, 2018 3:23 am

Hi Ivan,

Sorry, I did do a search, but maybe I didn't use the right terms?

Thanks for your reply. Is there any way to get the autorenewal process to work without having port 80 open permanently? I don't mind opening it once, but it becomes something of a target on a permanent basis.

Thanks again,

Trevor

IvanGB
Posts: 93
Joined: Sat Feb 06, 2016 2:26 pm

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Post by IvanGB » Tue Aug 14, 2018 9:45 am

Hi Trevor.

Oh, you wouldn't find it over here in the forum, I guess. I found that out through the ticket system.

I feel your pain, I have the same concerns. I had hundreds of failed login attempt attacks through port 80. That's when I closed it, since I thought I didn't need it, and then got bitten by the certificate renewal. Now I keep it open, but I have been able to disable RDP forwarding on HTML5, which stopped most of it. Not sure if it fits your installation, but have a look at this FAQ:

https://support.tsplus.net/kb/faq.php?id=71

Hope it helps.

Cheers.

Ivan

juwagn
Site Admin
Posts: 239
Joined: Wed Oct 15, 2014 8:25 pm

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Post by juwagn » Tue Aug 14, 2018 9:47 am

Hello,

It is required only each time you generate the certificate (every 2-3 months); just keep that in mind. Apart from that, you can close port 80.

Sincerely yours, JW.
TSplus HTML5 and Java web engineer
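
The open, renew, close routine described in the replies above, as an added example that is not part of any poster's message and is not TSplus code. It assumes port 80 is controlled by Windows Defender Firewall on the server itself (a perimeter firewall or NAT forward needs the equivalent change there), and the rule name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: open TCP 80 only while the certificate is renewed, then close it.
# Assumption: inbound port 80 is governed by Windows Defender Firewall on this host.
# The rule name below is hypothetical; pick one that is unique on your server.
$RuleName = 'TEMP-LetsEncrypt-HTTP-80'

# Remove any stale copy left behind by an interrupted earlier run.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

try {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort 80 -Action Allow | Out-Null
    Write-Host "Port 80 opened at $(Get-Date -Format s)."

    # Manual step from the thread: run the Free Certificate wizard now.
    Read-Host 'Run the Free Certificate wizard, then press Enter to close port 80'
}
finally {
    # Runs on errors and on Ctrl+C as well, so the port is not left open by accident.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

# Confirm that the temporary rule is gone before walking away.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Write-Warning "Rule '$RuleName' still exists; remove it manually."
} else {
    Write-Host "Port 80 rule removed at $(Get-Date -Format s)."
}
```

The script only manages its own rule; any other existing rule that allows inbound port 80 is left untouched and has to be reviewed separately.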

TrevorX
Posts: 6
Joined: Mon Aug 13, 2018 11:39 am

Re: Does letsencrypt Certificate Renewal Require Port 80 Opened Permanently?

Post by TrevorX » Wed Aug 15, 2018 4:46 pm

I've had that port open for a single day and that server has been absolutely bombarded with attacks, the endpoint protection system is sending alerts every few minutes. I'm shutting it down and we're going to look for another solution - leaving port 80 open permanently is utterly stupid.

Sort your house out, TSPlus. Mandating a permanently open port like this fundamentally undermines the security of your customers. There are much better ways to get letsencrypt autorenewal to work through APIs. This is just sloppy.
