Self-hosting

Let simple-acme answer HTTP validation request

Plugin type HTTP validation
Download Built-in
Compatibility All platforms

Description

This plugin launches a temporary built-in web listener that stores the validation response in memory. It can share port 80 with IIS and other (Microsoft) software, so it doesn’t interfere with regular traffic. Not all software supports this port sharing feature though. If you get errors telling you that the listener cannot be started, try to (temporarily) shut down other processes using the port, or look for another validation method.

Non-default port

Even though Let’s Encrypt will always send validation requests to port 80, you may internally proxy, NAT or redirect that to another port. Using the --validationport command line switch, you can tell the plugin to listen on a specific port.

Firewall exemption

Obviously, whichever port is used will have to be accessible from outside, meaning your firewall(s) will have to permit access. Unfortunately, due to the use of the port sharing mechanism, it’s not possible to configure the Windows Firewall with a rule for a specific application (i.e. wacs.exe), so you will have to open the port to System. If you feel that is too generous, you could automate enabling/disabling this rule by running a script before and after the validation starts, using the settings described below.

Errors

If the listener is unable to start, you can first check which process is using the port with PowerShell: Get-Process -Id (Get-NetTCPConnection -LocalPort 80).OwningProcess. It’s also possible that some other software has reserved the URL namespace and blocks access, which can be diagnosed using the command netsh http show urlacl.

Command line

--validation selfhosting Activates the plugin
--validationport Port to use for listening to validation requests. Note that the ACME server will always send requests to port 80. This option is only useful in combination with port forwarding.
--validationprotocol Protocol to use to handle validation requests. Defaults to http but may be set to https if you have automatic redirects set up in your infrastructure before requests hit the web server.

Examples

Typical --validation selfhosting [--validationport 8080] [--validationprotocol https]

Settings

Execution.DefaultPreExecutionScript Path to a script that is executed before renewing a certificate.

This may be useful to temporarily relax security measures, e.g. opening port 80 on the firewall.

Paths should be JSON-encoded, e.g. "C:\\" (note the double backslash).

Type: string
Default: undefined
Execution.DefaultPostExecutionScript Path to a script that is called after renewing a certificate. This may be useful to undo any actions taken by the script configured as the DefaultPreExecutionScript. Not to be confused with the script installation plugin: the installation plugin can be configured separately for each renewal and has access to a lot more context about the new and previous certificates. Also, when the installation script fails, the renewal will be retried later. That is not the case for the pre/post execution scripts: any errors there are logged but otherwise ignored.

Paths should be JSON-encoded, e.g. "C:\\" (note the double backslash).

Type: string
Default: undefined
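As an added example (not part of simple-acme itself), the following PowerShell helper implements the "open the port only during validation" approach from the Firewall exemption section: a single inbound rule for the validation port, scoped to System as the page describes, that the pre-execution script enables and the post-execution script disables. It assumes the scripts are invoked without arguments, that the rule display name and the C:\acme\ paths are your own choices, and that the scripts run as an account allowed to change firewall rules.

```powershell
# Added example, not simple-acme's own code. Keeps the inbound rule for the
# validation port disabled except while a renewal is running.
# Requires the NetSecurity module (Windows 8 / Server 2012 and later).

# Fail loudly: the page notes that pre/post script errors are only logged,
# so a silent failure here would leave the port open (or closed) unnoticed.
$ErrorActionPreference = 'Stop'

$RuleName = 'simple-acme HTTP validation'   # assumed display name, pick your own
$Port     = 80                              # change if --validationport is forwarded

function Set-ValidationFirewallRule {
    param([Parameter(Mandatory)][bool]$Enabled)

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # Create the rule once, initially disabled. Because of the port sharing
        # mechanism the rule cannot target wacs.exe, so it is scoped to System
        # (assumed to match the page's "open the port to System" guidance).
        $rule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort $Port -Program System -Action Allow -Enabled False
    }

    if ($Enabled) {
        Enable-NetFirewallRule -DisplayName $RuleName
    } else {
        Disable-NetFirewallRule -DisplayName $RuleName
    }

    # Return the resulting state so the calling script can log it.
    return (Get-NetFirewallRule -DisplayName $RuleName).Enabled
}

# Pre-execution script (e.g. C:\acme\open-port.ps1), two lines:
#   . C:\acme\firewall.ps1
#   Set-ValidationFirewallRule -Enabled $true
#
# Post-execution script (e.g. C:\acme\close-port.ps1), two lines:
#   . C:\acme\firewall.ps1
#   Set-ValidationFirewallRule -Enabled $false
#
# settings.json, with backslashes JSON-encoded as the Settings section requires:
#   "Execution": {
#     "DefaultPreExecutionScript":  "C:\\acme\\open-port.ps1",
#     "DefaultPostExecutionScript": "C:\\acme\\close-port.ps1"
#   }
```

If the post script ever fails to run, the rule stays enabled until the next renewal, so it is worth checking Get-NetFirewallRule -DisplayName for the rule's Enabled state when reviewing the log output.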

JSON

ID c7d5e050-9363-4ba1-b3a8-931b31c618b7


Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person.