Self-hosting

Let simple-acme answer HTTP validation request

Plugin type HTTP validation
Download Built-in
Compatibility All platforms

Description

This plugin launches a temporary built-in web listener that stores the validation response in memory. It can share port 80 with IIS and other (Microsoft) software so this doesn’t interfere with regular traffic. Not all software supports this port sharing feature though. If you get errors telling you that the listener cannot be started, try to (temporarely) shut down other processes using the port, or look for another validation method.

Non-default port

Even though Let’s Encrypt will always send validation requests to port 80, you may internally proxy, NAT or redirect that to another port. Using the command line switch you can tell the plugin to listen to a specific port.

Firewall exemption

Obviously, whichever port is used will have to be accessible from outside, meaning your firewall(s) will have to permit access. Unfortunately due to the use of the port sharing mechanism, it’s not possible to configure the Windows Firewall with a rule for a specific application (i.e. wacs.exe), so you will have to open the port to System. If you feel that is too generous, you could automate enabling/ disabling this rule by running a script before and after the validation starts, using the settings described below.

User access

By default only adminstrators are allowed to create these kinds of listeners. On Windows you can allow regular users to also do this by running netsh http add urlacl url=http://+:80/.well-known/acme-challenge/ user=myuser

Errors

If the handler is unable to start you may first try to test which process is using the port using Powershell Get-Process -Id (Get-NetTCPConnection -LocalPort 80).OwningProcess. It’s also possible that some software has blocked access, which can be diagnosed using the command netsh http show urlacl.

Command line

--validation selfhosting Activates the plugin
‑‑validationport Port to use for listening to validation requests. Note that the ACME server will always send requests to port 80. This option is only useful in combination with a port forwarding.
‑‑validationprotocol Protocol to use to handle validation requests. Defaults to http but may be set to https if you have automatic redirects setup in your infrastructure before requests hit the web server.

Examples

Typical --validation selfhosting [‑‑validationport 8080] [‑‑validationprotocol https]

JSON

ID c7d5e050-9363-4ba1-b3a8-931b31c618b7

Settings

Execution.DefaultPreExecutionScript Path to a script that is executed before renewing a certificate.

This may be useful to temporarely relax security measures, e.g. opening port 80 on the firewall.

Paths should be JSON-encoded, e.g. "C:\\" (note the double backslash).

Type: string
Default: undefined
Execution.DefaultPostExecutionScript Path to a script that is called after renewing a certificate, this may be useful to undo any actions taken by the script configured as the DefaultPreExecutionScript. Not to be confused with the script installation plugin. The difference is that the installation plugin can be configured separately for each renewal and has access to a lot more context about the new and previous certificates. Also when the installation script fails, the renewal will be retried later. That is not the case for the pre/post execution scripts. Any errors there are logged but otherwise ignored.

Paths should be JSON-encoded, e.g. "C:\\" (note the double backslash).

Type: string
Default: undefined

Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.