Make it abundantly clear in docs that HTTP port must be exposed for LetsEncrypt to work
Created by: slimsag
Our documentation currently subtly implies that LetsEncrypt does not work without the HTTP port being exposed, but we don't directly call it out. If you forget to do this, HTTPS will fail with obscure errors such as:
http: TLS handshake error from 127.0.0.1:44200: acme/autocert: server name component count invalid
...
http: TLS handshake error from 127.0.0.1:45006: acme/autocert: server name component count invalid
...
http: TLS handshake error from 10.240.0.16:41012: 429 urn:acme:error:rateLimited: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
http: TLS handshake error from 10.240.0.18:17906: acme/autocert: missing certificate
http: TLS handshake error from 10.20.1.1:38864: acme/autocert: missing certificate
Or with curl:
$ curl -k https://localhost:3443
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
We should:
- Make our docs clearly state `LetsEncrypt will not successfully work unless the HTTP port is also publicly exposed to the internet. You can set to ensure HTTP is always redirected to HTTPS after LetsEncrypt is configured, however.`
- Explicitly mention the above errors somewhere, so that googling for them + Sourcegraph turns up relevant results.
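An added example, not code from this issue or from Sourcegraph: a small stdlib-only Go log classifier that maps the handshake-error signatures quoted above to what an operator should check first. The diagnosis strings and the sample log are this example's own assumptions and constructions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Known handshake-error signatures from the issue, mapped to a short
// diagnosis. The mapping is this example's own assumption, not from the docs.
var acmeSignatures = []struct{ needle, diagnosis string }{
	{"acme/autocert: missing certificate", "no certificate issued yet: verify the HTTP port is reachable from the internet so the ACME HTTP-01 challenge can complete"},
	{"urn:acme:error:rateLimited", "Let's Encrypt rate limit after repeated failed authorizations: fix HTTP exposure before retrying"},
	{"acme/autocert: server name component count invalid", "client asked for a name without a dot (e.g. localhost); autocert only serves fully qualified hostnames"},
}

// Matches the Go net/http server log format for TLS handshake failures.
var handshakeLine = regexp.MustCompile(`^http: TLS handshake error from (\S+): (.*)$`)

// Finding is one diagnosed handshake error: the peer address and what to check.
type Finding struct{ Peer, Diagnosis string }

// Diagnose returns one Finding per log line matching a known signature;
// lines that are not TLS handshake errors, or match nothing, are skipped.
func Diagnose(logText string) []Finding {
	var out []Finding
	for _, line := range strings.Split(logText, "\n") {
		m := handshakeLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		for _, sig := range acmeSignatures {
			if strings.Contains(m[2], sig.needle) {
				out = append(out, Finding{Peer: m[1], Diagnosis: sig.diagnosis})
				break
			}
		}
	}
	return out
}

// sampleLog is constructed from lines quoted in the issue plus one unrelated line.
const sampleLog = `http: TLS handshake error from 127.0.0.1:44200: acme/autocert: server name component count invalid
http: TLS handshake error from 10.240.0.16:41012: 429 urn:acme:error:rateLimited: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
http: TLS handshake error from 10.240.0.18:17906: acme/autocert: missing certificate
http: Accept error: accept tcp [::]:3443: too many open files`

func main() {
	for _, f := range Diagnose(sampleLog) {
		fmt.Printf("%s -> %s\n", f.Peer, f.Diagnosis)
	}
}
```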