
Changing the ACME http-01 challenge port for testing purposes

Open pcornelissen opened this issue 2 years ago • 4 comments

Discussed in https://github.com/smallstep/certificates/discussions/1007

Originally posted by sbszcz August 11, 2022

Hello there,

is it possible to change the ACME http-01 challenge port via some configuration properties for testing purposes?

I am asking because there seems to be a way: the step-cli tool offers the --http-listen parameter.

Thanks, Sebastian

pcornelissen avatar Aug 16 '22 06:08 pcornelissen

See also #835

tashian avatar Aug 16 '22 18:08 tashian

Hey @pcornelissen :wave:. Thanks for opening the issue!

Had a chance to discuss this with the team today. We're ok with introducing this feature, but only as an additional flag to step-ca that would also require a --insecure flag. So, something like step-ca --insecure --allow-non-standard-acme-port. Given those requirements, @maraino will update with prioritization.

dopey avatar Aug 17 '22 19:08 dopey

Thanks for the prioritization. What I don't get is that the CLI is able to use a high port for the verification when you create a certificate this way. How does it do that? The functionality seems to be there, but it's just hidden/undocumented.

pcornelissen avatar Aug 18 '22 07:08 pcornelissen

Hi @pcornelissen,

The reason the --http-listen flag exists is so that the step CLI can serve the endpoint on another port if there's a reverse proxy or some other system listening on port 80. The reverse proxy should then forward the incoming request from the CA to the CLI listener. This can be useful if you don't want to or can't run the CLI with root privileges, for example.

In the ACME protocol it is specified that port 80 MUST be used for the HTTP challenge:

   3.  Dereference the URL using an HTTP GET request.  This request MUST
       be sent to TCP port 80 on the HTTP server.

Adding the option to call out to a different port is thus not in line with the specification, but we're adding it with the --insecure flag to make it clear this shouldn't be used in a production environment. For testing purposes it should be OK. Please note that there's no way for the ACME client to specify on which port it can serve the challenge response, so when using this option, both step and step-ca need to be configured with the same port. This configuration also isn't generally portable to other ACME clients, unless they also provide an option to listen on another port. Beware though: the reason that option (most likely) exists is the same as ours, and it shouldn't be used without a proxy or some different system in between!

hslatman avatar Aug 18 '22 07:08 hslatman
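The two arrangements discussed in this thread, as an added example in Go that is not part of smallstep/certificates or the step CLI: a minimal http-01 responder standing in for `step --http-listen :<highport>`, a reverse proxy standing in for whatever listens on port 80 and forwards to it, and a validator standing in for the CA side that dereferences the challenge URL and compares the key authorization (RFC 8555 section 8.3). The account JWK is a constructed placeholder, the token is the example token from RFC 8555, and all listeners bind ephemeral loopback ports because binding port 80 needs root; the example therefore treats the proxy's port as "the standard port" the CA targets. It shows that validation succeeds when the CA reaches the responder through the proxy, succeeds when the CA has been told the same non-standard port the client listens on, and fails on any port the two sides did not agree on.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strconv"
	"strings"
)

const challengePath = "/.well-known/acme-challenge/"

// Constructed placeholder account key in RFC 7638 canonical JWK form; not a real key.
const sampleJWK = `{"crv":"P-256","kty":"EC","x":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","y":"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}`

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON.
func Thumbprint(jwk string) []byte {
	sum := sha256.Sum256([]byte(jwk))
	return sum[:]
}

// KeyAuthorization is the http-01 response body (RFC 8555 section 8.1):
// token || "." || base64url(thumbprint of the account key).
func KeyAuthorization(token, jwk string) string {
	return token + "." + base64.RawURLEncoding.EncodeToString(Thumbprint(jwk))
}

// StartResponder plays the client role of `step --http-listen <listen>`: it serves
// the key authorization for one token. Returns the bound "host:port".
func StartResponder(listen, token, jwk string) (string, error) {
	ln, err := net.Listen("tcp", listen)
	if err != nil {
		return "", err
	}
	mux := http.NewServeMux()
	mux.HandleFunc(challengePath+token, func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		io.WriteString(w, KeyAuthorization(token, jwk))
	})
	go http.Serve(ln, mux) // the listener is already bound, so early requests queue
	return ln.Addr().String(), nil
}

// StartProxy stands in for the reverse proxy on port 80: everything arriving on
// listen is forwarded to backend, the responder's address.
func StartProxy(listen, backend string) (string, error) {
	ln, err := net.Listen("tcp", listen)
	if err != nil {
		return "", err
	}
	target, err := url.Parse("http://" + backend)
	if err != nil {
		return "", err
	}
	go http.Serve(ln, httputil.NewSingleHostReverseProxy(target))
	return ln.Addr().String(), nil
}

// Validate is the CA side: dereference the challenge URL on the given port (80 per
// RFC 8555; anything else must be agreed out of band) and compare the body with
// the expected key authorization.
func Validate(host string, port int, token, expected string) error {
	u := "http://" + net.JoinHostPort(host, strconv.Itoa(port)) + challengePath + token
	resp, err := http.Get(u)
	if err != nil {
		return fmt.Errorf("fetch %s: %w", u, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("fetch %s: status %d", u, resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return err
	}
	if got := strings.TrimSpace(string(body)); got != expected {
		return fmt.Errorf("key authorization mismatch: got %q", got)
	}
	return nil
}

// PortOf extracts the numeric port from a "host:port" address.
func PortOf(addr string) int {
	_, p, _ := net.SplitHostPort(addr)
	n, _ := strconv.Atoi(p)
	return n
}

func main() {
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // example token from RFC 8555
	expected := KeyAuthorization(token, sampleJWK)
	responder, _ := StartResponder("127.0.0.1:0", token, sampleJWK) // client on a high port
	proxy, _ := StartProxy("127.0.0.1:0", responder)                // "port 80" forwarding to it
	fmt.Println("via proxy, CA on the standard port:", Validate("127.0.0.1", PortOf(proxy), token, expected))
	fmt.Println("direct, CA told the same high port:", Validate("127.0.0.1", PortOf(responder), token, expected))
	fmt.Println("direct, CA still targeting port 80:", Validate("127.0.0.1", 80, token, expected))
}
```

The third call in main is the failure mode hslatman describes: the client listens on a high port but nothing told the CA about it, so the CA dereferences port 80 and finds nothing (or, worse, something else). With a real step-ca the first arrangement needs no CA-side flag at all, which is why it is the one to prefer outside test setups.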