On Sun, 4 June 2023 at 17:57, Ronald Heggenberger <ronald.heggenber...@docoscope.com> wrote:

> Well, when you run the step-ca as a non-root user (which is the default
> config for the package) you cannot use the default TLS port (443) -
> hence 8443 for the step-ca service.
Before adding parsers and whatnot to allow for non-https ports, are we really sure that the ACME give-you-a-cert service will accept a random port here? There is some level of validation that you are in fact in control over this FQDN if you can run a server on port 80 or 443, whereas any random user/pid with an account could be claiming to be the host admin and open whatever random high-numbered port and do nasty things.

In your case, doing a pf redirect should be an easy solution for not running as root, and that is all well and fine, but do make sure that before changing acme url parsing, you are certain that non-web ports are actually allowed for cert acquisition and renewals.

--
May the most significant bit of your life be positive.