Let's Encrypt without Port 80

letsencrypt

#1

Hi,

I don’t like the solution with an open Port 80 for Let’s Encrypt, because then everyone will see our Univention portal site.
Is there another solution to handle this?

Best Theo


#2

Let’s Encrypt uses the ACME protocol. At the moment, ACME requires plain HTTP for the validation of the challenge (the proof that you own the domain) during the process of the certificate creation:
https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.8.3

So, there is not really another solution. As a workaround, it might be possible to only allow network traffic on Port 80 during the renew process for the certificate via a little wrapper shell script that sets security/packetfilter/package/univention-apache/tcp/80/all to REJECT - but I did not test this for any side effects.
Another idea would be a reverse proxy that only allows access to http://{domain}/.well-known/acme-challenge/ but not to any other location on the webserver.


#3

@Grandjean

Thank you Michael, sounds good, but I have no idea how to set this up.
If there are howtos etc. or tips, I am open.

Best Theo


#4

As far as I can see, the script /usr/share/univention-letsencrypt/refresh-cert-cron already has a workaround when HTTPS is forced, by disabling the setting during the cert refresh.
See also http://forge.univention.org/bugzilla/show_bug.cgi?id=43603


#5

Dear @ahrnke

Thank you for your reply.
I read and reread the post from your link but don’t really understand how I can change this.
Sorry for my incompetence.

Do you have a solution for this?

Or any idea about the script which Grandjean was talking about?

Best Theo


#6

The script which is called from cron to refresh the certs will

  • disable force_https if enabled and restart Apache
  • refresh the certificate
  • reset force_https to its old state

This means that from the system’s perspective Port 80 is only opened during the runtime of /usr/share/univention-letsencrypt/refresh-cert, which may be acceptable.
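The same open-run-restore pattern that the cron script applies to force_https can be applied to the packetfilter rule from post #2, so that TCP/80 is only accepted while the refresh runs. The script below is an added example, not the script shipped with UCS and not code from anyone in this thread. It assumes that the UCR variable named in post #2, security/packetfilter/package/univention-apache/tcp/80/all, takes the values ACCEPT or REJECT, that the rule is applied by restarting the univention-firewall service, and that the refresh script lives at the path given in post #6. Because ACME validates the challenge on every issuance, renewals included, the port has to be opened on each run; the trap makes sure it is closed again even when the refresh fails or is interrupted.

```shell
#!/bin/sh
# Added example, not the script shipped with UCS or posted in the thread.
# Wrapper that opens TCP/80 only while the Let's Encrypt refresh script runs.
# Assumptions: the UCR variable below takes ACCEPT or REJECT and is applied by
# restarting univention-firewall; the refresh script path is from post #6.

PF_VAR="security/packetfilter/package/univention-apache/tcp/80/all"
REFRESH=${REFRESH:-/usr/share/univention-letsencrypt/refresh-cert}

# set_port80 ACCEPT|REJECT: write the packetfilter rule and reload the firewall
set_port80() {
    ucr set "$PF_VAR=$1" >/dev/null
    systemctl restart univention-firewall
}

# renew_with_port80: remember the current rule, open the port, run the refresh
# and restore the rule afterwards, also on failure or interruption (trap).
# Returns the exit status of the refresh script, or 2 if the rule is not set.
renew_with_port80() {
    old=$(ucr get "$PF_VAR")
    if [ -z "$old" ]; then
        echo "$PF_VAR is not set; set it to REJECT first, that is the point of this wrapper" >&2
        return 2
    fi
    trap 'set_port80 "$old"' EXIT INT TERM
    set_port80 ACCEPT
    if "$REFRESH"; then rc=0; else rc=$?; fi
    trap - EXIT INT TERM
    set_port80 "$old"
    return $rc
}

# Only run on a host that actually has the UCR tool (i.e. a UCS system).
if command -v ucr >/dev/null 2>&1; then
    renew_with_port80
fi
```

Call it from cron in place of the refresh script; the rule is set back to whatever value it had before (normally REJECT) whether the refresh succeeded or not.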


#7

Thank you @ahrnke

Can you help me to set this up? I think I don’t have the knowledge for this.

Best Theo


#8

@theodor.m
I am not sure anymore if I understood the problem correctly.

The most convenient way to prevent the usage of Port 80 is to force the redirection in Apache. In UCS this can be done using the apache2/force_https UCRV. While this does not close Port 80, it allows users to type the hostname or URL in the browser without prepending “https://”. As long as most browsers use “http://” as the default, or you are using the “HTTPS everywhere” or a comparable plugin, your users will get a timeout when they try just the hostname if Port 80 is filtered.
The “Cool Solution” for Let’s Encrypt is now able to deal with the forced redirection as described above.
If you want additional security you can enable HSTS.
Everything else is making things more complex with just a little extra security but the loss of convenience…

Finally:

This problem is IMO independent from Let’s encrypt and Port 80.
You can:

  • change the UCRV apache2/startsite
  • restrict access to certain sites using .htaccess and “Allow From …” rules.

Both methods are already discussed here, as well as the HSTS topic.

Best,
Dirk


#9

For your information: this problem still exists.
If status of bug https://forge.univention.org/bugzilla/show_bug.cgi?id=45449 is CLOSED FIXED the way to go would be:
ucr set apache2/force_https/exclude/request_uri/letsencrypt="/.well-known/acme-challenge/.*$"
Cheers


#10

Let’s Encrypt has been released as an app and is available in the Univention App Center. It allows for configuration via the UMC and can be used along with apache2/force_https by automatically configuring the exclusion rule Michel mentioned above since app version 1.1.0-8.
If you’re still interested in using Let’s Encrypt on a UCS system, I suggest giving it a try.
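Whether the exclusion rule from post #9 is set by hand or by the app as described above, the check a practitioner wants is the same: over plain HTTP the site root must be redirected to HTTPS, while the ACME challenge path must be answered without a redirect, otherwise the HTTP-01 validation fails at the next renewal. The script below is an added example, not part of the thread or of the UCS app; it assumes only that curl is installed on the machine it is run from. The token in the probe URL is a constructed placeholder, and an unknown token is normally answered with 404, which still proves the path is served on port 80.

```shell
#!/bin/sh
# Added example (not from the thread or the UCS app): verify from a client that
# a UCS host with apache2/force_https=yes still serves the ACME HTTP-01 path on
# plain HTTP while everything else is redirected to HTTPS. Assumes curl.

# probe URL: print "<http_code> <redirect_url>" for one plain-HTTP request,
# without following redirects; a connection failure shows up as code 000.
probe() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code} %{redirect_url}' "$1" || true
    echo
}

# is_https_redirect "<code> <location>": true for a 30x whose target is https://
is_https_redirect() {
    code=${1%% *}
    location=${1#* }
    case "$code" in
        301|302|307|308) case "$location" in https://*) return 0 ;; esac ;;
    esac
    return 1
}

# check_force_https HOST: return 0 when the root is redirected to HTTPS and the
# challenge path is answered on port 80 without a redirect, 1 otherwise.
check_force_https() {
    host=$1
    root=$(probe "http://$host/")
    challenge=$(probe "http://$host/.well-known/acme-challenge/probe-token-CONSTRUCTED")
    ok=0
    if is_https_redirect "$root"; then
        echo "root: redirected to HTTPS ($root)"
    else
        echo "root: NOT redirected to HTTPS ($root)"; ok=1
    fi
    case "${challenge%% *}" in
        000) echo "acme-challenge: no answer on port 80, renewal would fail"; ok=1 ;;
        3*)  echo "acme-challenge: redirected, renewal would fail ($challenge)"; ok=1 ;;
        *)   echo "acme-challenge: served on plain HTTP ($challenge)" ;;
    esac
    return $ok
}

# usage: ./check-acme-path.sh ucs.example.test
if [ $# -eq 1 ]; then
    check_force_https "$1"
fi
```

Run it after setting the UCR variable from post #9 (or after installing the app) and again after a UCS or app update, since a regression here only becomes visible when the certificate fails to renew weeks later.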


#11

Do I understand this correctly?

Initially I need to open port 80 to get the certificate. But afterwards, for the renewal, it is not needed anymore and I can close port 80 again?

At least that is what I did, and now I have to wait till renewal time. :slight_smile:

Thanks