Well, the custom port is not for the acme-client to expose the http-challenge, but for the acme provisioner endpoint (the server creating and managing the certs, in that case "step-ca"), where acme-client itself requests the certificates from.

But yeah, besides trying a pf forward for my case (I'll try that the next days, when I'm on-site to the servers) I believe that the acme-client should be able to resolve RFC-compliant URLs.

-ronald

On 6/5/23 08:58, Janne Johansson wrote:
On Sun, 4 June 2023 at 17:57, Ronald Heggenberger
<ronald.heggenber...@docoscope.com> wrote:
Well, when you run the step-ca as a non-root user (which is the default
config for the package) you cannot use the default TLS port (443) -
hence 8443 for the step-ca service.
Before adding parsers and whatnot to allow for non-https ports, are we
really sure that the ACME give-you-a-cert service will accept a random
port here?

There is some level of validation that you are in fact in control over
this FQDN if you can run a server on port 80 or 443, whereas any
random user/pid with an account could be claiming to be the host admin
and open whatever random high-numbered port and do nasty things.

In your case, doing a pf redirect should be an easy solution for not
running as root and that is all well and fine, but do make sure that
before changing acme url parsing, you are certain that non-web ports
are actually allowed for cert acquisition and renewals.


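The pf redirect Janne suggests, written out as an added example (not configuration from either poster): step-ca stays on 8443 as an unprivileged user on the CA host, pf presents it on 443, and acme-client on a client host points at a directory URL with no explicit port, which is the case the thread says acme-client already parses. The hostname ca.example.com, the provisioner name "acme" in the directory path, the account and domain key paths, and the interface names are assumptions for the example.

```conf
# /etc/pf.conf on the step-ca host (added example). "egress" is pf's group
# for the default-route interface; step-ca listens on 127.0.0.1:8443.
pass in on egress inet proto tcp to port 443 rdr-to 127.0.0.1 port 8443
# Only needed if acme-client runs on the CA host itself and talks to it over
# loopback; requires that pf.conf does not "set skip on lo".
pass in on lo0 inet proto tcp to port 443 rdr-to 127.0.0.1 port 8443

# /etc/acme-client.conf on a client host (added example; names assumed).
# step-ca's ACME directory lives under /acme/<provisioner>/directory.
authority stepca {
	api url "https://ca.example.com/acme/acme/directory"
	account key "/etc/acme/stepca-privkey.pem"
}

domain host.example.com {
	domain key "/etc/ssl/private/host.example.com.key"
	domain full chain certificate "/etc/ssl/host.example.com.fullchain.pem"
	sign with stepca
	# http-01 challenge files; httpd must serve this directory on port 80
	challengedir "/var/www/acme"
}
```

Two checks before trusting this setup: load the rules with `pfctl -f /etc/pf.conf` and confirm with `pfctl -s rules` that the rdr-to rule is present, and make sure the step-ca root certificate is in the client's /etc/ssl/cert.pem, since acme-client verifies the directory URL's TLS certificate against the system bundle and will refuse a private CA it does not know. Note that the redirect changes nothing about validation: the CA still checks control of the client's FQDN through the http-01 challenge on port 80, which is the point Janne is making, so the high port only ever belongs to the CA side.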