Score:0

TLS certificate for non standard ports


We have a server (running on Ubuntu 20.04) accessible from a subdomain, myserver.university.country. I would like to install an SSL/TLS certificate on the server so that connections to it are encrypted. This is my first time managing a server, and when I asked around (boss, teammates) no one had the expertise to help.

We currently serve some websites that require login via some non-standard ports (i.e. not 80 or 443; something like myserver.university.country:8687), not served via Apache or other major server software (we use Shiny Server). Browsers show the connection as not secure, without a lock. We don't want the login credentials stolen or the information accessible to outsiders.

We are trying to use Let's Encrypt via certbot to get certificates for our server. According to the certbot documentation, this requires opening port 80 (which we don't want to be accessible).

The security team doesn't want to open port 80 to the whole internet, and wants to restrict access to a certain IP range. In addition, they only want to open it for a brief period of time, which, as I understand it, would prevent auto-renewal of the certificates. However, certbot doesn't specify an IP range and might use multiple IPs.

How can we make connections to our server secure (with free resources)?

I'm out of my depth and don't know how to properly configure the server for this and address the IT concerns.

If you don't want to open port 80, your only option for Let's Encrypt is to use DNS challenges.

llrs:
Oh, I do want to open it and was considering redirecting it to 443, but it is IT that doesn't want it open. What are these DNS challenges ([this](https://letsencrypt.org/docs/challenge-types/)?)? A different way to validate the certificate?
Score:2

Talk to IT at your organization. Explain that you want commonly trusted TLS certificates for your software stack. Provide Let's Encrypt as a suggestion, but try any other PKI issuing procedure they may have.

TLS (X.509) certificates do not have a port number. As a generic transport application, TLS can wrap any protocol on any port.

However, an ACME HTTP challenge to get a cert must be over port 80. Presumably this is to confirm that you have control over the host, and to simplify implementation by using the well-known port.

If port 80 is not an option, there is the DNS challenge. You would need a script to update a DNS record with the challenge value.

You have your choice of ACME client, and it can be scripted to fit your environment. Even so, you don't have to use Let's Encrypt, and your organization may have a different way to issue certificates.
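To make the DNS-challenge route concrete, here is an added example of a certbot `--manual-auth-hook` / `--manual-cleanup-hook` script; it is not code from the question, the answer, or the certbot project. It assumes, hypothetically, that the university's DNS zone accepts RFC 2136 dynamic updates (`nsupdate`) from this host with a TSIG key at `/etc/letsencrypt/tsig.key` and that the authoritative server is `ns1.university.country`; the `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` environment variables are the ones certbot really exports to hooks. The last function shows, with `openssl s_client`, that the certificate presented on the non-standard port is bound to the hostname, not to the port.

```shell
#!/bin/sh
# Added example: certbot DNS-01 hook that publishes the challenge token as a
# TXT record, so port 80 never has to be opened for issuance or renewal.
#
# Assumptions (hypothetical, not from the original page):
#   - the zone accepts nsupdate (RFC 2136) from this host with a TSIG key
#   - the authoritative nameserver is ns1.university.country
# CERTBOT_DOMAIN and CERTBOT_VALIDATION are set by certbot when it runs a hook.

DNS_SERVER="${DNS_SERVER:-ns1.university.country}"
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/letsencrypt/tsig.key}"

# Name of the TXT record the ACME server looks up for a DNS-01 challenge.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Emit the nsupdate batch that adds (action=add) or removes (action=delete)
# the challenge record. Printed rather than executed so it can be inspected.
nsupdate_batch() {
    action="$1"; domain="$2"; token="$3"
    name="$(acme_txt_name "$domain")"
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$action" = add ]; then
        # Short TTL: the record is throwaway and must not linger in caches.
        printf 'update add %s. 60 IN TXT "%s"\n' "$name" "$token"
    else
        printf 'update delete %s. TXT\n' "$name"
    fi
    printf 'send\n'
}

# Block until a public resolver can see the token; Let's Encrypt validates
# from outside, so checking only the local resolver is not enough.
wait_for_txt() {
    name="$1"; token="$2"; tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short TXT "$name" @1.1.1.1 | grep -q "\"$token\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 10
    done
    return 1
}

# Show the certificate actually served on a non-standard port, e.g. 8687.
# The SAN list names the host; the port plays no part in validation.
show_served_cert() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName -dates
}

# Hook mode: certbot invokes "<script> auth" and "<script> cleanup".
case "${1:-}" in
    auth)
        nsupdate_batch add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
        wait_for_txt "$(acme_txt_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
        ;;
    cleanup)
        nsupdate_batch delete "$CERTBOT_DOMAIN" "" | nsupdate -k "$TSIG_KEY_FILE"
        ;;
esac
```

Issue once with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/opt/acme-hook.sh auth' --manual-cleanup-hook '/opt/acme-hook.sh cleanup' -d myserver.university.country`; certbot stores the hook paths in the renewal config, so the usual `certbot renew` timer keeps working without port 80. Shiny Server Open Source does not terminate TLS itself, so the common arrangement is a reverse proxy (nginx, for example) listening on 8687 that presents `/etc/letsencrypt/live/myserver.university.country/fullchain.pem` and forwards to Shiny on localhost; `show_served_cert myserver.university.country 8687` then confirms what clients see.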

llrs:
Many thanks. We'll talk to IT and explore other ACME clients.

Paul:
DNS-01 does not require any special script, just access to change DNS records.