Port 80 closed by default; open it just for Let's Encrypt autorenewals

SYSTEM INFORMATION
OS type and version: CentOS 8

I have my firewalld set to block HTTP port 80.
I need to enable it every time I renew my Let’s Encrypt certs.

Feature Request: open port when renewing, then close port.

If you don’t think this warrants a new feature, can you recommend how I can add something to do this?
What script triggers the auto renewal? I don’t see it in the cron jobs.

If you have your firewall blocking port 80, you are not complying with RFCs and are disempowering the ‘next billion’ internet users from those underserved parts of the world which are not online 24x7 and depend on proxies and caches to offer internet content to people who use devices that are older and not powerful enough to support the latest encryption algorithms and protocols.

Why should the community support your effort to break the internet and make it easy to do so by adding a feature which makes Virtualmin a server management system which goes against the spirit of an ‘open and free’ internet?

I don’t understand why you block port 80. Nothing that I am aware of would warrant blocking port 80.

How does a feature to open a needed port if it’s not already open and then return it to its previous state affect anyone else’s setup?

Anyways, like I said in my original post, if it’s not suitable to add a feature, I’m simply asking for assistance in implementing it myself. That is my base question, which has not been addressed. Where does Virtualmin implement the auto Let’s Encrypt renewal?
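As an added illustration (not code from this thread or from Virtualmin) of the "open it if closed, renew, put it back" behaviour requested above, this firewalld wrapper opens TCP/80 as a runtime-only rule, runs whatever renewal command it is given, and restores the previous state even when the renewal fails or the run is interrupted. It assumes firewalld is the active firewall using its default zone; the renewal command and the FIREWALL_CMD override are placeholders.

```shell
#!/bin/bash
# Wrapper that opens TCP/80 in firewalld only for the duration of one renewal
# run and restores the previous firewall state afterwards, including when the
# renewal fails or the script is interrupted. Assumptions (not from the thread):
# firewalld is the active firewall and the rule goes in its default zone; the
# renewal command itself is passed as arguments and is a placeholder here.
set -u

# Hypothetical override hook so the logic can be exercised without firewalld.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Runtime-only rules (no --permanent): the opening never survives a
# 'firewall-cmd --reload' or a reboot, so a crashed run cannot leave port 80
# open permanently.
port80_is_open() { "$FIREWALL_CMD" --query-port=80/tcp >/dev/null 2>&1; }
open_port80()    { "$FIREWALL_CMD" --add-port=80/tcp    >/dev/null; }
close_port80()   { "$FIREWALL_CMD" --remove-port=80/tcp >/dev/null; }

# renew_with_port80 <command...>
# Opens port 80 if it is closed, runs the command, then closes the port again.
# If the port was already open it is left alone. Returns the command's status.
renew_with_port80() {
  local rc=0 was_open=0
  if port80_is_open; then
    was_open=1
  else
    open_port80 || return 1
    # Close again if we are interrupted while the renewal is running.
    trap 'close_port80; trap - INT TERM; exit 130' INT TERM
  fi
  # HTTP-01 still needs the web server answering on port 80 during this call.
  "$@" || rc=$?
  if [ "$was_open" -eq 0 ]; then
    close_port80
    trap - INT TERM
  fi
  return "$rc"
}

# Stand-alone use: le-port80.sh <renewal command> [args...]
if [ "$#" -gt 0 ]; then
  renew_with_port80 "$@"
fi
```

Run it from cron (or as the renewal hook) with the host's actual renewal command as its arguments; the exit status of that command is passed through unchanged.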

@eng3,

Allow me to chime in (cause there’s so many things to do from a hospital bed) and echo what is already being said.

While it may seem we’re moving in the direction of complete TLS (aka SSL), not all products or access points fully utilize it initially, making port 80 still a necessary part of the ecosystem.

In fact I’ll close by saying it’s only recent and very modern browsers which do employ internal redirect to https as a default and/or option.

So, while it may eventually be the recommendation, we’re not quite there. Just set up an HTTP to HTTPS redirect server side for now if desired.

Basic security: run the minimum number of services (or open the least number of ports) needed. For my needs, I don’t need port 80.

@eng3,

Don’t get us wrong, @calport, @Whoops and I are merely educating you on why port 80 is still a necessary evil.

I too follow a rule of “less is best” for the same security reasons, so your motivation is great. Just in this case closing port 80 could do more harm than good, at least for the immediate future.

No one here is trying to give you a hard time :slight_smile:

@eng3,

Oh, got so wrapped up in the former point forgot to mention.

If you run DNS locally through Virtualmin, there is an alternative to doing Let’s Encrypt (LE) through port 80…

You can instruct it to use DNS verification. This should prevent the need for port 80 being open ever, assuming you really have no interest in having it open.

No, I’m using Cloudflare. Actually I think I have it set to always HTTPS.

To further justify what I’m doing, my host is pretty much entirely used for my own purposes, so it doesn’t really affect anyone else by blocking port 80. I’ve had it closed for 6 months and the only issue it has caused is with Let’s Encrypt.

ANYWAYS, this is all a fun discussion, but back to my base question: does anyone know where/how Virtualmin performs the Let’s Encrypt auto-renewal?

@eng3,

Fair enough.

*** It helps to lead with some of these details like Cloudflare usage. It helps your case. ***

In that case there really isn’t much of a good option ATM.

Are you a Pro or GPL user?