ACME HTTP01 challenge on a non-80 port

1. Caddy version (caddy version):

v2.5.1

2. How I run Caddy:

caddy run with a Caddyfile

a. System environment:

macOS, caddy installed from brew.

b. Command:

caddy run

c. Service/unit/compose file:

n/a

d. My complete Caddyfile or JSON config:

{
	http_port 9080
	https_port 9433
	email email@example.com
	debug
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

somesubdomain.berezovskyi.me {
	file_server browse
}

3. The problem I’m having:

I have port 80 blocked by my ISP and brew refuses to bundle the Cloudflare plugin. I thought I needed to install a custom build with xcaddy because @matt wrote that port 80 is a must for the http01 challenge. However, https://github.com/cert-manager/cert-manager/issues/2131#issuecomment-905300958= indicates that it indeed became possible to specify a port.

How could I get Caddy to send in the http_port as the “http-01-port” argument for the ACME challenge?

4. Error messages and/or full log output:

The well-known “Timeout during connect (likely firewall problem)”.

5. What I already tried:

See above.

6. Links to relevant resources:

See above.

ACME issuers never make the challenge verification request on non-standard ports. The HTTP challenge is always on port 80, and the TLS-ALPN challenge is always on port 443. It’s impossible to change that.

It is possible to change what “HTTP” means from the perspective of Caddy, i.e. bind to a different port when HTTP is needed, but the point of that is so that you can have your router/firewall do 80 → 9080 and then your server accept requests on 9080.

This doesn’t help you in the situation where your ISP blocks that port; it’s more so for when your server has problems binding to low ports for permission reasons.

If you’re using Cloudflare, consider using Cloudflare tunnels, which set up a secure tunnel between your machine and Cloudflare; Cloudflare will proxy requests through the tunnel to reach your server, bypassing your ISP’s blocking rules.


I see, thank you! Reading further, it was a false hope, as the certbot docs state:

--http-01-port HTTP01_PORT Port used in the http-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80. (default: 80)

Challenge Types - Let's Encrypt still states:

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

With that, I happily recompiled caddy and got the DNS challenge working instead. In case someone benefits from this:

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
xcaddy build --output ~/opt/ --with github.com/caddy-dns/cloudflare
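The DNS-01 setup this thread ends with, written out as a complete Caddyfile (an added example, not config from the original posts or from the Caddy project). It keeps the non-standard bind ports from the question, which only change where Caddy listens, and moves validation to the caddy-dns/cloudflare module built in above; it assumes a Cloudflare API token, scoped to edit DNS for the zone, exported in an environment variable named CF_API_TOKEN (assumed name).

```caddyfile
{
	# Non-standard bind ports only change where Caddy listens; the ACME
	# server still validates HTTP-01 on port 80 and TLS-ALPN-01 on 443,
	# so validation is moved to DNS-01 in the site block below instead.
	http_port 9080
	https_port 9433
	email email@example.com
	# Staging CA from the question: keep it while testing to stay clear of
	# rate limits, remove this line to obtain publicly trusted certificates.
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

somesubdomain.berezovskyi.me {
	tls {
		# DNS-01: Caddy publishes the _acme-challenge TXT record through the
		# Cloudflare API, so no inbound port has to be reachable from the CA.
		# CF_API_TOKEN (assumed name) holds a token limited to Zone:DNS:Edit.
		dns cloudflare {env.CF_API_TOKEN}
	}
	file_server browse
}
```

Run it with the xcaddy-built binary rather than the brew one (e.g. `CF_API_TOKEN=... ~/opt/caddy run`), since the stock build lacks the DNS module.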
