Re: Certbot error

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 4/22/23 14:17, Tim via users wrote:

On Sat, 2023-04-22 at 18:45 +0100, Patrick O'Callaghan wrote:

My understanding is that it needs port 80 for the initial token
negotiation to get the certificate to set up HTTPS. Requiring port 443
would be a circular dependency.


So far as I'm aware, that's not the case.  A HTTPS connection is made
completely over port 443.  The browser attempts to connect directly to
port 443, and negotiation for *how* to do that carries on over port
443.  To attempt to non-securely start this over port 80 would be
insecure.

And, testing that:  If I disable all port 80 connections, I can connect
to my webserver using HTTPS over port 443.

Their error message seems to indicate that *it* wants a connection
response from the webserver on port 80 with your site's domain name in
the response headers (to prove you own the site).  This seems to be a
bizarre requirement.  Possibly the cert checker needs programming
better, rather than Apache needing something done to it.

Nor should you really have to have a virtual host.  You could be a
webserver that you own totally and it only serves your website.  It
seems some oddball demands from the cert checker.

My thoughts are that cert testing should be done entirely over port
443.  Since that's how HTTPS works, the test should work the same way.
A HTTP transaction over port 80 wouldn't have any info about the HTTPS
certificate.
As Patrick said, using port 443 would be a circular dependency. There is no "testing" of the cert, this is for providing the cert. At this point, you don't have an SSL certificate, so it wouldn't work. The requester puts a token in the web server directory and then tells the certificate generating side to verify the token. To do that, it has to request that file from your domain and compare it to what the requester gave it. The requirements are that your domain name resolves to an address that points to the http server serving that file. There is also an alternative method where you put the token in a DNS entry instead. That's useful for when the cert is for a not publicly visible server. 
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux