[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-list
Subject:    Re: Certbot error
From:       Tim via users <users () lists ! fedoraproject ! org>
Date:       2023-04-22 21:29:48
Message-ID: 532e1464accfcfa6534654cfd689747c1dd0085d.camel () yahoo ! com ! au
[Download RAW message or body]

On Sat, 2023-04-22 at 18:45 +0100, Patrick O'Callaghan wrote:
> My understanding is that it needs port 80 for the initial token
> negotiation to get the certificate to set up HTTPS. Requiring port 443
> would be a circular dependency.

So far as I'm aware, that's not the case.  A HTTPS connection is made
completely over port 443.  The browser attempts to connect directly to
port 443, and negotiation for *how* to do that carries on over port
443.  To attempt to non-securely start this over port 80 would be
insecure.

And, testing that:  If I disable all port 80 connections, I can connect
to my webserver using HTTPS over port 443.

Their error message seems to indicate that *it* wants a connection
response from the webserver on port 80 with your site's domain name in
the response headers (to prove you own the site).  This seems to be a
bizarre requirement.  Possibly the cert checker needs programming
better, rather than Apache needing something done to it.

Nor should you really have to have a virtual host.  You could be a
webserver that you own totally and it only serves your website.  It
seems some oddball demands from the cert checker.

My thoughts are that cert testing should be done entirely over port
443.  Since that's how HTTPS works, the test should work the same way.
A HTTP transaction over port 80 wouldn't have any info about the HTTPS
certificate.
 
-- 
 
NB:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the list.
 
The following system info data is generated fresh for each post:
 
uname -rsvp
Linux 6.2.8-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 22 19:14:19
UTC 2023 x86_64
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[prev in list] [next in list] [prev in thread] [next in thread]