On Sat, Jan 14, 2017 at 1:05 PM, Stefan Sperling <s...@stsp.name> wrote:
> On Sat, Jan 14, 2017 at 07:15:29PM +0100, Dirk-Willem van Gulik wrote:
>> In fact - that may be a nice feature - an, essential, ephemeral port.
>
> Would that work for web servers behind firewalls?

Most configured in that scenario need pinholes. I'm not sure that a well known but non-root port would be considered sufficiently secure by the letsencrypt architects. Seems worth raising the original question, with your firewall scenario in mind, and let their architects ponder the idea.

At the end of the day, only the one in control of those firewalls should be respected by letsencrypt as the owner of the specific domain. That's why the firewall is in front of their resources in the first place.

Obviously the actual port number isn't a valid security restriction in the real world in the first place; there are plenty of ways to abuse a front end firewall/load balancer behind the lines, and many appliances and OS's don't require root or can be configured to permissively let other accounts listen on particular low ports, and as long as you are physically able to access the cables... but letsencrypt is not concerned with that. It's simply that they are able to validate that you are in some way in control of the target of the corresponding DNS A or AAAA records.