Let’s encrypt certificate renew

Hi everyone, I’ve been using Let’s Encrypt on NethServer for some time now. Shortly before the expiry date, the NethServer script renews the certificate if necessary by connecting to port 80 (HTTP). I have a simple question because I don’t know the processing mechanism well.
For the certificate renewal, can I use a redirect (DNAT) of port 80 to 443 and make it permanent, to avoid exposing the server to cleartext connections? Thanks.

Of course you can. Do you want to?

A NAT redirection? No, I don’t think that would work well – Let’s Encrypt tries to talk HTTP on port 80, and a NAT redirection would result in talking HTTP on port 443 – that won’t work. But a standard HTTP 301 redirect will work just fine.

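To make the distinction in the answer above concrete, here is an added example (not code from the thread or from NethServer) of what a port-80 listener has to do: answer `/.well-known/acme-challenge/` paths in plain HTTP for the HTTP-01 validation, and send a 301 to HTTPS for everything else. It also shows why a DNAT 80 to 443 fails: the validator’s first bytes are a plaintext request line, not a TLS ClientHello, so a TLS socket rejects them. The hostname, token and key-authorization values are constructed placeholders.

```python
"""Added example: port-80 routing that keeps Let's Encrypt HTTP-01 renewals
working behind an HTTP->HTTPS 301 redirect. Hostname and challenge values
are constructed for illustration, not taken from the thread."""
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_DIR = "/.well-known/acme-challenge/"
HTTPS_HOST = "server.example.com"  # assumed hostname of the server

# Constructed sample: an ACME client would write token -> key authorization
# (token + "." + account key thumbprint) here before asking for validation.
CHALLENGES = {
    "EXAMPLE_TOKEN_1": "EXAMPLE_TOKEN_1.EXAMPLE_ACCOUNT_THUMBPRINT",
}


def route(path: str):
    """Decide what port 80 answers for `path`.

    Returns (status, headers, body). Challenge paths are served in cleartext
    HTTP, which is what the validation server expects; every other path gets
    a 301 to the same path on the HTTPS site.
    """
    if path.startswith(CHALLENGE_DIR):
        token = path[len(CHALLENGE_DIR):]
        key_auth = CHALLENGES.get(token)
        if key_auth is None:
            return 404, {"Content-Type": "text/plain"}, b"no such challenge"
        return 200, {"Content-Type": "application/octet-stream"}, key_auth.encode()
    return 301, {"Location": f"https://{HTTPS_HOST}{path}"}, b""


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener receives.

    A plaintext HTTP request starts with a method and a space ("GET /...");
    a TLS connection starts with a handshake record (type 0x16, version 0x03).
    With a DNAT 80->443 the validator's "GET" bytes land on the TLS socket,
    which sees no ClientHello and closes the connection, so validation fails.
    """
    if data.startswith((b"GET ", b"HEAD ", b"POST ")):
        return "http"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "unknown"


class Port80Handler(BaseHTTPRequestHandler):
    """Serve the routing decision above on a real socket."""

    def do_GET(self):
        status, headers, body = route(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen on port 80 only; TLS stays on the separate 443 listener.
    HTTPServer(("0.0.0.0", 80), Port80Handler).serve_forever()
```

The 301 is issued by the web server on port 80, after the request has been read in cleartext, which is why it works where a packet-level DNAT to 443 does not: the firewall rule cannot tell a validation request from any other request and hands both to a socket that only speaks TLS.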

The NethServer server is located downstream of the firewall.
Currently the configuration is as follows.
So, changing only the destination of port 80 HTTP to 443 HTTPS, as you can see from the image, should it work without problems?

No, it will not. As I said, Let’s Encrypt needs to connect to your server via HTTP on port 80. If you block that as you’re currently doing, renewals using the standard Let’s Encrypt facility will fail. You can always use DNS validation, though.

OK, so I seem to understand that I will have to leave the DNAT 80 > 80 (HTTP) in place for the renewal, and it is not possible to do the DNAT 80 > 443, as I would be trying to force a cleartext connection onto HTTPS! Correct?