On 2025/04/05 08:42, Lyle Giese via mailop wrote:
> Let's Encrypt requires (according to documentation I have seen) Port 80 TCP
> be in use for verification. I have no other legit use for Port 80 on this
> smart host and decided a long time ago, not to use Let's Encrypt for that
> reason.
Besides the alternative DNS challenge type that you could use, the HTTP-01 challenge only requires that port 80 is running for the short time while the certificate is actually being renewed, only requires the simplest of HTTP daemons that can serve a static file, and can be automated nicely (handy in a world where we can expect to see the maximum allowed lifetime reduced).

It's a lot simpler (and imho lower risk) than common alternatives used by other CAs for domain control verification (e.g. identify possible domain contact email addresses based on the domain name and SOA and require email+web browser actions - hopefully nobody is still doing whois-based lookups for domain contact emails after https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/).
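The kind of minimal HTTP-01 responder the reply describes, as an added example (not code from the thread or from any ACME client): a Python daemon that answers only under the ACME well-known path and stops listening after a deadline, so port 80 is open only while a renewal is in progress. The path and body layout follow RFC 8555; the token and key-authorization values are constructed.

```python
"""Minimal HTTP-01 responder: serves only /.well-known/acme-challenge/<token>
and exits after a short deadline. Example code, not from the mailop thread."""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# RFC 8555 section 8.3: the token is base64url without padding and the body is
# "<token>.<base64url JWK thumbprint>". The values below are constructed.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# token -> key authorization; an ACME client fills this in before the CA polls
PENDING = {
    "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0":
        "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0."
        "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI",
}

def respond(path, pending=PENDING):
    """Map a request path to (status, body). Anything outside the ACME prefix,
    or a token that is malformed or unknown, gets 404, so the daemon never
    behaves like a general-purpose web server."""
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b""
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token) or token not in pending:
        return 404, b""
    return 200, pending[token].encode("ascii")

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = respond(self.path.split("?", 1)[0])
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # stay quiet; the ACME client reports the validation outcome

def serve_briefly(seconds=60, port=80):
    """Listen only long enough for the CA to fetch the token, then stop."""
    srv = HTTPServer(("", port), Handler)
    threading.Timer(seconds, srv.shutdown).start()
    srv.serve_forever()
    srv.server_close()

if __name__ == "__main__":
    serve_briefly()
```

Run it as root (or with CAP_NET_BIND_SERVICE) alongside the ACME client during renewal; after the deadline it releases port 80 again.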