Is it possible to do the challenge with a different port?

Maxiride · January 23, 2020, 1:47pm

I am currently in the same situation of Arand as he described it here “How to do the challenge with a different port?”

Currently, external ports 80 a and 443 are forwarded to a VM running an Apache webserver. The situation on this machine is a bit itchy and led to the creation of a new VM which I administer.
An external company which in turn administers the IT infrastructure and firewall forwarded to my VM two external ports (let’s say 8080 and 8081) that I can supposedly use for HTTP and HTTPS.

The VM I am running is a blank slate so I can run caddy and bind it to ports 80\443 of the VM.

Issue is that by default caddy, following the Let’s Encrypt procedures, tries to make the challange on external ports 80 and 443 which, in this scenario, are forwarded to the Apache VM.

I’d like to know if the situation changed from 2017 when the above post was made, if not I’d like to understand better how I could proceed.

What I have already tried

As of now I run a home server for my own personal purposes and to make an application live and running asap I made the following:

Caddyfile on my home server:

subdomain.mydomain.dev {
    proxy / companyip:8080 {
        transparent
    }
}

Caddyfile on company VM I administer — remember, above I point to the company public IP port 8080 because that port is forwarded to port 80 on the VM, so here I listen to port 80:

:80
    root /var/www/myapplication

Clear downside is that the application is reachable at subdomain.mydomain.dev instead of subdomain.companydomain.tld

Notes

If you can have that one machine forwarding traffic from 443 to your Caddy host instead, you’re golden - just disable the HTTP challenge with -disable-http-challenge to force LetsEncrypt to use TLS-SNI.
As suggested in the mentioned post I can’t do this as that Apache machine is kinda locked down and it seems that dialogue with its administrator is a dead end.

I am fine in using the tls directive and specifying the cert\perm files, I’ve also looked into certbot to obtain the certificates but also that tool needs port 80.

matt · January 23, 2020, 3:23pm

You can change the internal ports Caddy uses to solve the challenges, but you can’t change the external ones; they have to be 80 and 443, so you either need to forward them to other ports or bind to them.

If you need Caddy to solve those challenges on ports other than 80 and 443 (but you’d still have to forward them), then you can set the http_port and https_port options: Global options (Caddyfile) — Caddy Documentation

Maxiride · January 23, 2020, 3:57pm

Thanks for the update, I hoped to be able to change the external ports on which the challange is done.

matt · January 23, 2020, 4:07pm

That is not possible, unfortunately. They’re hard-coded into the ACME spec. There is no way to tell the CA to use alternate ports.

You could use the DNS challenge, instead, which does not involve any connections to your server.

Maxiride · January 24, 2020, 8:53am

My DNS provider isn’t listed in the supported DNS providers. I guess I will have a talk to the IT guys who handle the firewall.

Maxiride · February 2, 2020, 8:33pm

I am bringing this thread up again, some things are not crystal clear to me regarding HTTPS.

I understand that:

Caddy (and Let’s Encrypt under the hood) must use ports 80\443 or DNS records to accomplish the challenge and receive a valid certificate.
Also Certbot, which allows to get valid certificates used Let’s Encrypt under the hood, hence the same issue on which ports ti use arise.

Nonetheless it happens to me to notice that several self-hosted applications serve their web interfaces using HTTPS on arbitrary ports, the browser doesn’t complain about unknown or untrusted certificates so I am wonder how it is accomplished.

So if the automatic caddy challenge can’t be done on alternate ports, are there other services I can use to obtain certificates to manually set in the Caddyfile?

matt · February 3, 2020, 5:36am

To clarify, this is only true by default (with Caddy) i.e. with the HTTP and TLS-ALPN challenges. You can configure the DNS challenge (for most major DNS providers) which does not require any external ports on your server. (Support in v2 is coming soon)

You can serve HTTPS applications on arbitrary ports with Caddy also. The ports the applications are served on have nothing to do with the ports required for the ACME challenges.

It can be done on alternate ports (for example: JSON Config Structure - Caddy Documentation) – but you have to forward packets from the standardized external port to your alternate internal port.

You can also manage certificates yourself/manually but that is not recommended: see JSON Config Structure - Caddy Documentation or tls (Caddyfile directive) — Caddy Documentation

system · May 3, 2020, 5:47am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.