Question regarding Let's Encrypt certificate

letsencrypt

(Uwe) #1

Hello friends,
I installed a Let's Encrypt certificate on my NethServer today. As described in the instructions, I have opened port 80 in the FW. Does port 80 have to stay open from now on, or can I close it again? I do not like having the server open on the WAN. The certificate has been installed and it works fine as well.

Thank you and have a nice Sunday.

Regards

Uwe


(Davide Principi) #2

The certificate is soon to expire and the certificate renewal procedure requires port 80 to work. So yes, you need that port open.

Search this forum for a different solution: use DNS based LE challenge, which better suits internal hosts.


(Dan) #3

As @davidep says, port 80 needs to be open for renewal as well with the default configuration. To avoid this, use DNS validation instead; here’s how you can do that:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers

Edit: Another option would be to run your own acme-dns instance. This takes a bit more setup, but you can do it with just about any DNS host. This trades one exposure for another–instead of port 80 being open to the world, it’s port 53. See here:
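As an added worked example (it is not code from the NethServer project, the linked wiki page or any poster in this thread), the following shows what a DNS-based challenge actually publishes and why it needs no inbound port 80: for the DNS-01 challenge (RFC 8555 section 8.4) the CA looks up the TXT record `_acme-challenge.<domain>` and compares it with `base64url(SHA-256(token "." thumbprint))`, where the thumbprint is the RFC 7638 thumbprint of the ACME account key. The account JWK, the token and the "published" record values below are constructed sample data; the function names are this example's own.

```python
import base64
import hashlib
import json

# Constructed sample data (not real keys or tokens): an EC account key as a JWK
# and a challenge token of the kind the CA hands out.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint, on purpose
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the *required*
    members only (lexicographic key order, no whitespace). Extra members such
    as 'kid' or 'alg' must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """DNS-01 (RFC 8555 s8.4): the TXT value is the base64url SHA-256 digest of
    the key authorization 'token.thumbprint'. Note that the raw key
    authorization is never published; HTTP-01 serves it verbatim on port 80,
    DNS-01 only exposes its hash."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def expected_txt_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (record name, record value) the CA will query for this domain."""
    name = f"_acme-challenge.{domain}."
    return name, dns01_txt_value(token, jwk_thumbprint(jwk))


def record_matches(published_values: list[str], expected: str) -> bool:
    """Defender-side check: does the TXT RRset currently published (e.g. the
    output of 'dig +short TXT _acme-challenge.<domain>') contain the expected
    value? A CA accepts the challenge if any TXT record in the set matches."""
    return any(v.strip('"') == expected for v in published_values)


if __name__ == "__main__":
    name, value = expected_txt_record("mail.example.org", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name} IN TXT \"{value}\"")
    # Constructed lookup result: a stale record plus the freshly published one.
    published = ['"old-stale-value"', f'"{value}"']
    print("validation would succeed:", record_matches(published, value))
```

Because the CA only needs to read that TXT record from the public DNS, the host being certified never has to accept a connection on port 80; the exposure moves to whatever serves the `_acme-challenge` name (the DNS provider's API, or port 53 on a self-hosted acme-dns instance as the post above describes). A practical use of the script is to compute the expected value from your own account key and token when a renewal fails, and compare it with what `dig` shows the world actually sees.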