NetTalk Central

Topic: Proxy server for let's encrypt?

jking

Proxy server for let's encrypt?
« on: August 28, 2025, 11:21:46 AM »
Hello everyone,

My IT Department has become very strict over the past few years. Now they won't allow ports 80 and 443 to be "open to the public". That creates a problem for my NT 14.30 server apps. I have looked at DNS challenges, but that seems to require an account at DNSimple. The domain I use is already registered at Network Solutions (Register.com). I could register a new domain with DNSimple, but that would cost more money.

So, I see a proxy tab that has a check box to "allow acme client to use proxy server". If I can get the IT Dept. to create a simple proxy server that is isolated but has 80 and 443 open, would this work? I'm thinking ports 80 and 443 would be open to the public on the "isolated" proxy server, which would handle the challenges, and then forward the cert and key to my NT server. Is that how this might work?

Thanks,

Jeff King

rjolda

Re: Proxy server for let's encrypt?
« Reply #1 on: August 29, 2025, 02:52:25 AM »
Hi Jeff,
I am not 100% sure about this Proxy Server Stuff. Anyway, to start off, the Security Certificate issuer needs to make sure that you control the DOMAIN NAME and are not posing as a bad actor. To do that, they have you write a message in the Index page header to show that you can control the domain. There are other methods. Let's Encrypt writes a file to port 80 and then you must act on it - I don't know how, but you must do something to it and return it to show that you control the server. This is what you CAN'T do because port 80 is blocked. So, Bruce has an alternate method of verifying domain ownership using the DNS record. Let's Encrypt is asked or given permission to do something with a record on your DNS domain registry which you then act on and it confirms that you own the DNS listing for your domain. That being said, the DNS provider has to have the functionality available to allow Let's Encrypt to act on your DNS record. That is why Bruce provides the name of a low cost DNS provider for which HE HAS WRITTEN the necessary interfaces. So, fetching your own certificates from Let's Encrypt won't work with ANY PROVIDER. Now, I purchased my working domain from GoDaddy but I host it on a server in my office. (Port 80 is blocked by ISP). I purchase SSL from GoDaddy for this domain - costs $90.00 per year. I simply take the SSL info and plop it onto my office server and it just keeps working. So, you can do the same thing. Purchase an SSL certificate from Network Solutions but it will be a little more expensive and plop it onto your server. I have found that Network Solutions has become more difficult to work with over the years and I have moved away from them for that exact reason.
So, you have two viable choices to get your server up and make $$$$ as I see it:
1. Use DNSimple - will cost you maybe less than $100.00 per year. It is fairly cheap.
2. Purchase an SSL Certificate from Network Solutions which you can transfer to your server. They already know that you own the domain because it is registered through them. (They will want to put it on a Network Solutions Server that you have purchased from THEM... I had to fight to get mine over to my server. That was a few years ago.) You plop the certificate on to your server and you are good to go.
The standard SSL port is 443 and you would be able to use https://jking.com and folks would get to your secure site. With port 443 CLOSED, you are going to have to pick another port - such as 800 and everyone will have to use http://jking.com:800 to get to your site.
Hope this gives you some perspective,
Ron
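Added illustration, not part of this thread and not NetTalk code: Ron describes the two validation methods loosely ("writes a file to port 80", "do something with a record on your DNS"). What the ACME protocol (RFC 8555, sections 8.3 and 8.4) actually asks the client to prove is the same secret in both cases, a "key authorization" derived from the CA's challenge token and the thumbprint of the account key. For HTTP-01 that string must be served over plain HTTP on port 80 at a fixed path, so a blocked port 80 makes it impossible; for DNS-01 a hash of it is published as a TXT record, which needs no open port but does need a way to write records at the DNS host. The account key below is a constructed, non-functional RSA JWK; the token is also made up.

```python
"""Constructed example of the two ACME challenge responses (RFC 8555 8.3/8.4).
Nothing here talks to a CA; it only shows what each method requires."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members of the key,
    with member names sorted and no whitespace. Extra members (alg, kid) are
    ignored, so two copies of the same key always yield the same thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: proves the responder holds the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01: (path, body). The CA fetches http://<domain><path> on port 80
    from the public internet and expects exactly this body back."""
    return (f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk))


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """DNS-01: (TXT record name, TXT value). The CA queries DNS instead of
    connecting to the host, so no inbound port is needed; the client must be
    able to create this record at whoever hosts the zone."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


# Constructed, non-functional account key (hypothetical values, not a real key)
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01: serve", body, "at", path, "(port 80 must reach this host)")
    print("DNS-01:  publish TXT", name, "=", value, "(no inbound port needed)")
```

The thumbprint step is the part that matters for the "isolated proxy" idea in the original question: whichever machine answers the challenge has to hold (or be fed) the ACME account key's thumbprint and, for the certificate itself, the private key of the CSR, so a box that merely has ports 80 and 443 open cannot complete the exchange on its own.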