caddyserver / certmagic

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
https://pkg.go.dev/github.com/caddyserver/certmagic?tab=doc
Apache License 2.0

Question: About `ACMEIssuer.AltTLSALPNPort` parameter #252

Closed mritd closed 9 months ago

mritd commented 9 months ago

What is your question?

What does the ACMEIssuer.AltTLSALPNPort parameter do?

What have you already tried?

I've been using the certmagic library for a long time, but I've always used DNS challenges to request certificates; I'm looking for a different way to request certificates that bypasses 80/443 listening.

I briefly checked the RFC document, and RFC8737 clearly states that port 443 must be used.

But I saw this parameter in the code, and it cannot be set to port 443; I did not fully understand the role of this parameter.

Bonus: What do you use this package for, and does it help you?

I used it to apply for ACME certificates for some internal services that cannot be exposed on the public network; I even created a small tool (dnsacme) to automate some of the work.

francislavoie commented 9 months ago

It changes the port that would be used on the server for listening for TLS requests. It's only useful if you need to listen on a non-standard port (e.g. 8443 because you don't have sudo and can't bind to low ports) while mapping incoming connections on 443 to that port (using router port forwarding from 443 -> 8443, for example).

In other words, no, this isn't useful for accepting TLS-ALPN challenges on a non-standard port, it's just a way to control the listeners created automatically by certmagic.

mritd commented 9 months ago

I understand, this parameter just tells CertMagic which port it should listen on, but port 443 will still be requested for the ACME challenge.

The difference is that this is to put the CertMagic application behind the firewall; we can use port 443 externally, and traffic is mapped to the AltTLSALPNPort.

mholt commented 9 months ago

Yeah, the external port must still be 443. If you forward or map port 443 to something else like 8443 with your router or firewall then you'd put 8443 as the AltTLSALPNPort.