Let's Encrypt (LE) and port 80

Let's Encrypt (LE) and port 80

Tom Browder
Before LE came along, I tightened my single server down to redirect http to https. With LE I've been using the cert generation method where I stop Apache, create the required certs with a Raku program, and restart Apache.

Now with my new Apache 2.4.43 I'm ready to automate the process. Is there any way to allow port 80 access but only from an LE server?

The only time that would be needed, as far as I know, is when I first add a new domain and it obviously would not have a cert yet.

Thanks.

Best regards,

-Tom

Re: Let's Encrypt (LE) and port 80

Stefan Eissing
There is a module called "mod_md" which gets and renews certificates from LE. It's part of 2.4.43.

https://httpd.apache.org/docs/2.4/mod/mod_md.html
https://github.com/icing/mod_md

You do not need to have port 80 open to use it. It also works with port 443 alone.

Cheers, Stefan

> Am 17.06.2020 um 15:05 schrieb Tom Browder <[hidden email]>:
>
> Before LE came along, I tightened my single server down to redirect http to https. With LE I've been using the cert generation method where I stop Apache, create the required certs with a Raku program, and restart Apache.
>
> Now with my new Apache 2.4.43 I'm ready to automate the process. Is there any way to allow port 80 access but only from an LE server?
>
> The only time that would be needed, as far as I know, is when I first add a new domain and it obviously would not have a cert yet.
>
> Thanks.
>
> Best regards,
>
> -Tom


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
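An added example configuration (not from the thread, and not mod_md's own documentation) showing the port-443-only setup Stefan describes: mod_md obtains the certificate through the tls-alpn-01 challenge, so no port 80 listener is needed. The domain names, contact address and paths are placeholders.

```apache
# Added example, not part of the thread. Assumes mod_md, mod_ssl and
# mod_watchdog are loaded and that example.com is a placeholder domain.
Listen 443

# One "managed domain" per certificate. A brand-new, still certless
# domain is simply another MDomain line; mod_md requests the cert itself.
MDomain example.com www.example.com

# Accept the CA's terms and restrict mod_md to the challenge that works
# over port 443 alone (http-01 would need port 80).
MDCertificateAgreement accepted
MDCAChallenges tls-alpn-01

# mod_ssl must advertise the ACME ALPN protocol or tls-alpn-01 cannot validate.
Protocols h2 http/1.1 acme-tls/1

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    # Contact address mod_md registers with the CA.
    ServerAdmin admin@example.com
    SSLEngine on
    # No SSLCertificateFile/SSLCertificateKeyFile: mod_md supplies them.
    # Until the first cert is obtained and httpd is reloaded, a self-signed
    # fallback certificate is served, so expect browser warnings at first.
    DocumentRoot /var/www/example.com
</VirtualHost>

# Local-only status page to verify that issuance and renewal are happening.
<Location "/md-status">
    SetHandler md-status
    Require local
</Location>
```

Check `/md-status` from the host itself after startup; a domain stuck without a certificate shows up there long before the fallback cert becomes a visible outage.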


Re: Let's Encrypt (LE) and port 80

Tom Browder
On Wed, Jun 17, 2020 at 08:11 Stefan Eissing <[hidden email]> wrote:
There is a module called "mod_md" which gets and renews certificates from LE. It's part of 2.4.43.
...
You do not need to have port 80 open to use it. It also works with port 443 alone.

Stefan, thanks. I've read a bit about mod_md but wasn't sure if I could add a new, certless domain. I'll try it, then.

Cheers!

-Tom

RE: Let's Encrypt (LE) and port 80

Danny Mallory
You can just setup a global redirect on your 80 listener but exclude LE root path


RewriteEngine On
# Let ACME http-01 challenge requests through on port 80 untouched ...
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
# ... and send everything else to the same host over https, keeping the query string.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]


Danny


-------- Original message --------
From: Tom Browder <[hidden email]>
Date: 6/17/20 8:06 AM (GMT-06:00)
Subject: [users@httpd] Let's Encrypt (LE) and port 80

Before LE came along, I tightened my single server down to redirect http to https. With LE I've been using the cert generation method where I stop Apache, create the required certs with a Raku program, and restart Apache.

Now with my new Apache 2.4.43 I'm ready to automate the process. Is there any way to allow port 80 access but only from an LE server?

The only time that would be needed, as far as I know, is when I first add a new domain and it obviously would not have a cert yet.

Thanks.

Best regards,

-Tom

Re: Let's Encrypt (LE) and port 80

Tom Browder
On Wed, Jun 17, 2020 at 09:55 dmallor <[hidden email]> wrote:

You can just setup a global redirect on your 80 listener but exclude LE root path
...

Thanks, Danny.

I've never used rewrites before, but that looks like a good idea. But which of the two solutions would you prefer?

What is the downside of blocking port 80 entirely since mod_md doesn't need it?

Using my wife as an example, when looking for a site she usually doesn't specify http[s?] at all--she just clicks on what Google shows her.  [:-(

Cheers!

-Tom

Re: Let's Encrypt (LE) and port 80

@lbutlr
On 17 Jun 2020, at 07:05, Tom Browder <[hidden email]> wrote:
>
> Now with my new Apache 2.4.43 I'm ready to automate the process. Is there any way to allow port 80 access but only from an LE server?

In addition to the other replies, you can use the DNS-01 method for establishing and rewriting a cert. That doesn't involve your Webserver at all (the methodology for doing this depends on your named server so is out of spec for this group).

<https://letsencrypt.org/docs/challenge-types/>

Most of the automation scripts for LE pretty much walk you through setting this up.

One other reason you might want to consider doing this is that DNS-01 allows for a wildcard certificate for the domain so instead of listing www.example.com and smtp.example.com and 47 others, you can just list *.example.com example.com and have a set for all possibilities.

In addition, DNS-01 gives you a lot more flexibility in what servers handle the renewals, allowing you to easily have a non-web server run the renewal tasks and get the certs then distribute them to your web, mail, and other servers. This makes your certificate chain more secure because your public facing machine (www) is not the one that is configured to do renewal. Which means that getting into your authentication chain is much much harder.

Not making a suggestion, as this is harder to setup, but it is something to think about.

HTH



--
Train Station: where the train stops. Work Station: …





Re: Let's Encrypt (LE) and port 80

Danny Mallory
I have never used that module and always preferred to keep 80 open purely for redirects (and LE)


Danny


-------- Original message --------
From: Tom Browder <[hidden email]>
Date: 6/17/20 11:20 AM (GMT-06:00)
Subject: Re: [users@httpd] Let's Encrypt (LE) and port 80

On Wed, Jun 17, 2020 at 09:55 dmallor <[hidden email]> wrote:

You can just setup a global redirect on your 80 listener but exclude LE root path
...

Thanks, Danny.

I've never used rewrites before, but that looks like a good idea. But which of the two solutions would you prefer?

What is the downside of blocking port 80 entirely since mod_md doesn't need it?

Using my wife as an example, when looking for a site she usually doesn't specify http[s?] at all--she just clicks on what Google shows her.  [:-(

Cheers!

-Tom

Re: Let's Encrypt (LE) and port 80

Tom Browder
On Wed, Jun 17, 2020 at 11:47 @lbutlr <[hidden email]> wrote:
On 17 Jun 2020, at 07:05, Tom Browder <[hidden email]> wrote:
...
Most of the automation scripts for LE pretty much walk you through setting this up.
...
Not making a suggestion, as this is harder to setup, but it is something to think about.

Thanks for the info--but I'm only running a dozen or so hosts on a single server and trying to minimize maintenance.

-Tom

Re: Let's Encrypt (LE) and port 80

Tom Browder
On Wed, Jun 17, 2020 at 11:50 dmallor <[hidden email]> wrote:
I have never used that module and always preferred to keep 80 open purely for redirects (and LE)
...

Thanks, Danny.

-Tom

Re: Let's Encrypt (LE) and port 80

@lbutlr
On 17 Jun 2020, at 16:37, Tom Browder <[hidden email]> wrote:
> Thanks for the info--but I'm only running a dozen or so hosts on a single server

Same.

> and trying to minimize maintenance.

Zero maintenance. Set it up once and forget it. It is all automated.




--
'They're the cream!' Rincewind sighed. 'Cohen, they're the cheese.'





Re: Let's Encrypt (LE) and port 80

Tom Browder
On Wed, Jun 17, 2020 at 18:11 @lbutlr <[hidden email]> wrote:
On 17 Jun 2020, at 16:37, Tom Browder <[hidden email]> wrote:
> Thanks for the info--but I'm only running a dozen or so hosts on a single
...
Zero maintenance. Set it up once and forget it. It is all automated.

I wish I could use it (DNS-01) too, but it's difficult with my domain registrar (Namecheap).  Their APIs are xml, hard to use, and don't allow anything but tear all down and replace--too brute force for me at the moment.

I've gone so far as to look at changing DNS registrars but I haven't found one I like better so I'm stuck with it. 

I would love a good rec for a better DNS provider but I haven't yet found one that's cheap enough.

Cheers!

-Tom