Certbot Without Port 80
Is a web server still a web server if it has HTTP port 80 blocked? A security team somewhere probably thinks so and keeps the web server reachable only on HTTPS port 443 for security. That is a problem when installing Let's Encrypt certificates on the web server: the validation involves copying a certain file to a path within the public_html directory, then attempting to read that file over HTTP on port 80.
certbot does provide some flexibility - we can choose a different method of validation… using DNS TXT records. The catch is that we cannot use the apache or nginx plugins and it has to be done manually, but at least it can be done:
sudo certbot certonly --manual --preferred-challenges dns-01 -d <domain-name>
certbot prompts for creating the DNS TXT records, verifies them, and then creates these files in the directory /etc/letsencrypt/live/<domain-name>:
README
cert.pem
chain.pem
fullchain.pem
privkey.pem
Let's Encrypt also supported TLS-SNI-01 as a validation method in the past, but it has been disabled since March 2019. Read more at: https://letsencrypt.org/docs/challenge-types/