
    Last updated: Jan 24, 2019

    We occasionally get reports from people who have trouble using the HTTP-01 challenge type because they’ve firewalled off port 80 to their web server. Our recommendation is that all servers meant for general web use should offer both HTTP on port 80 and HTTPS on port 443. They should also send redirects for all port 80 requests, and possibly an HSTS header (on port 443 requests).

    Allowing port 80 doesn’t introduce a larger attack surface on your server, because requests on port 80 are generally served by the same software that runs on port 443.

    Closing port 80 doesn’t reduce the risk to a person who accidentally visits your website via HTTP. In normal circumstances, that person would receive a redirect to HTTPS, and their subsequent traffic would be protected. If that person were subject to an active MITM, the MITM would answer on port 80 itself, so your site would never have a chance to answer “connection refused.”

    Lastly, keeping port 80 open in order to serve a redirect helps get people to the right version of your site (the HTTPS version). There are various situations beyond your control that might briefly land someone on the HTTP version of your site - for instance, automatic linkification in emails, or manually typing a domain name. It’s better for them to get a redirect than an error.
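    The recommendation above (answer every plain-HTTP request with a redirect to the HTTPS origin, and send HSTS only on HTTPS responses) is easy to verify from the outside. The following is an added example, not Let’s Encrypt code: a minimal redirector bound to an ephemeral localhost port (a real deployment listens on port 80), a checker that confirms a port-80 request is redirected to an https:// URL on the same host with path and query preserved, and a parser for the Strict-Transport-Security max-age value. The class and function names are assumptions; the probe path is constructed for the example.

```python
"""Port-80 redirect and HSTS checks (added example, not Let's Encrypt code)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 307, 308}


class HttpsRedirectHandler(BaseHTTPRequestHandler):
    """Hypothetical handler: answer every plain-HTTP request with a
    permanent redirect to the HTTPS origin, keeping path and query."""

    def do_GET(self):
        # Strip any :port from the Host header; the HTTPS origin is on 443.
        host = self.headers.get("Host", "localhost").split(":")[0]
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET

    def log_message(self, *args):  # keep the example quiet
        pass


def start_redirector(port=0):
    """Bind the redirector on 127.0.0.1; port 0 picks an ephemeral port so
    the example runs unprivileged (a real server would use port 80)."""
    server = HTTPServer(("127.0.0.1", port), HttpsRedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_http_redirect(host, port, path="/probe?x=1"):
    """Fetch a path over plain HTTP and report whether the response is a
    redirect to an https:// URL on the same host with path/query intact."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
    finally:
        conn.close()
    target = urlsplit(location)
    target_path = target.path + ("?" + target.query if target.query else "")
    ok = (resp.status in REDIRECT_STATUSES
          and target.scheme == "https"
          and target.hostname == host
          and target_path == path)
    return {"status": resp.status, "location": location, "ok": ok}


def hsts_max_age(header_value):
    """Parse a Strict-Transport-Security value (as seen on a port-443
    response); return max-age in seconds, or None if absent/malformed."""
    if not header_value:
        return None
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return None


if __name__ == "__main__":
    srv = start_redirector()
    print(check_http_redirect("127.0.0.1", srv.server_port))
    srv.shutdown()
    print(hsts_max_age("max-age=31536000; includeSubDomains"))
```

    Pointing check_http_redirect at a real host on port 80 gives the same ok/status/location report; a connection error there means the port is closed or filtered, which is exactly the situation the HTTP-01 challenge cannot work around.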

    Unfortunately, you might not have control over whether port 80 is blocked for your site. Some (mostly residential) ISPs block port 80 for various reasons. If your ISP does this but you’d still like to get certificates from Let’s Encrypt, you have two options: you can use DNS-01 challenges, or you can use one of the clients that supports TLS-ALPN-01 challenges (on port 443).