At the moment I am currently using Cloudflare as a way to provide SSL to my self-hosted site. The site sits behind a residential connection that blocks incoming data on commonly used ports including 80 and 443. It’s a perfectly fine and reasonable solution which does what I want. But I’m looking to try something different.
What I would like to try is using Let’s Encrypt on a non-standard port. I understand there are plenty of good reasons not to do this, mainly that some places such as workplaces may block higher-numbered ports for security reasons. That’s fair, but I am still interested in learning how to encrypt uncommon ports with Let’s Encrypt.
Currently I am using Nginx Proxy Manager to handle Let’s Encrypt certificates. It’s able to complete the DNS Challenge required to prove I own the domain name and handles automated certificate renewals as well. Currently I have NPM acting as a reverse proxy guiding outside connections from Cloudflare on port 5050 to port 80 on NPM. Then the connection gets sent out locally to port 81 which is the admin web page for NPM (I’m just using it as a page to test if the connection is secured).
Whenever I enable Let’s Encrypt SSL and try to connect to my site, the connection times out and nothing happens. I’m not sure if Let’s Encrypt is expecting to reach ports 80/443 or if there is something wrong with my reverse proxy settings that breaks the encryption along the way. Most discussions just assume ports 80/443 are open which is fair since that’s the most common situation. The few sites discussing the use of uncommon ports are either many years dated or people talking about success without sharing any details. I’m sort of at the end of what I can search at this point.
What I’m hoping to learn out of all this is how encryption and reverse proxies work together, because those two things have been a struggle for me to understand as a whole throughout this whole learning process. I would appreciate it a lot if anyone had any resources or experiences to share about this.
I am doing exactly what you’re describing, with the exception of Nginx Proxy Manager. I personally could not get it working for me and prefer the control of manually configuring the proxy. Sometimes to my own stress.
I run home assistant and expose it to a non standard port. I use certbot to refresh my ssl cert and have never had issues.
How are you doing your verification? If you are using the HTTP ACME challenge then yes, you must have the standard port 80 open for the verification to occur.
If you are using DNS verification, it does not require any port to be open, as your verification is done at the DNS provider.
I have Cloudflare DNS and do DNS verification.
For verification I used the built-in certificate manager in Nginx Proxy Manager. I generate an API key from Cloudflare for a DNS zone:zone:edit key with the domain I am using. Then I choose DNS verification in Proxy Manager and put the API key in the edit box. This has been successful every time.
Do you use Cloudflare Tunnel or are you using Cloudflare as a Dynamic DNS? I’ve had issues with certbot but I think I just wasn’t using it properly, what process did you use for DNS verification?
I’m using Cloudflare DNS. What do you mean by dynamic DNS?
I don’t use Tunnel or anything other than just Cloudflare DNS.
I don’t know how proxy manager works but if it’s just an abstraction of certbot, then all you need to give it is your domain name and your Cloudflare API key.
You should check to see if it requires a global API key. Proxy manager may not have been updated to use the more secure zone API key.
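As an added example that is not code from anyone in this thread: the DNS-01 flow described above (certbot with its Cloudflare plugin and a scoped API token, no inbound port needed for the challenge) followed by an nginx server block that serves the issued certificate on a non-standard port. The domain example.com, port 5050, the backend address and the token value are placeholders I have assumed.

```shell
#!/bin/sh
# Added example, not from the thread: DNS-01 issuance with certbot's Cloudflare
# plugin, then an nginx server block serving the cert on a non-standard port.
# Assumed values: example.com, port 5050, backend http://127.0.0.1:8123.
set -eu

# Credentials file for a scoped API token (Zone:DNS:Edit on the one zone, not the
# Global API Key). Created with mode 600 so other local users cannot read the token.
write_cloudflare_creds() {   # $1 = path, $2 = token
  ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
}

# certbot invocation for the DNS-01 challenge: proof is a TXT record placed via
# the API, so a blocked 80/443 on the residential line does not matter here.
certbot_dns01_cmd() {        # $1 = domain, $2 = credentials path
  printf 'certbot certonly --dns-cloudflare --dns-cloudflare-credentials %s -d %s\n' "$2" "$1"
}

# nginx server block: TLS terminates on the chosen port with the Let's Encrypt
# files; plain HTTP is proxied to the backend on the LAN.
render_site_conf() {         # $1 = domain, $2 = port, $3 = backend URL
  cat <<EOF
server {
    listen $2 ssl;
    server_name $1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass $3;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Stand-alone demo with placeholder values; the certbot command is only printed,
# so nothing contacts Let's Encrypt or Cloudflare when this file is run.
if [ "${1:-}" = "demo" ]; then
  creds=$(mktemp)
  write_cloudflare_creds "$creds" "PLACEHOLDER_TOKEN"
  certbot_dns01_cmd example.com "$creds"
  render_site_conf example.com 5050 http://127.0.0.1:8123
  rm -f "$creds"
fi
```

Run with `sh script.sh demo` to print the certbot command and the rendered server block; after a real issuance, the renewal hook only needs to reload nginx, since the listening port plays no part in the challenge.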