Hi there, I am considering putting my ISPConfig panel on port 8080 behind a VPN, allowing only specific IPs to access port 8080. As far as I know, this will cause issues with the Let's Encrypt renewal. Are there any alternatives to fix this? Another quick question: Does ISPConfig support MFA/2-factor auth?
That makes the certificate invalid? What about the other certificates? My server is open for ports 80 and 443. I'm not sure what port Let's Encrypt/Certbot uses. I know there are other ways to validate with Certbot, but I want to see if there are any options «built in» with ISPConfig. What are the security risks of having the panel exposed to the world?
The LE certs become invalid when they cannot be renewed within 30 days after 60 days, i.e. after 90 days from the date of their issuance. So far, ports 80 and 443 are the only ports that need to be open for the purpose of issuing / renewing LE certs. Anyway, when a server is behind a NAT it sometimes behaves quite differently, so disabling the above-mentioned LE check becomes necessary. It is up to you whether to expose your panel to the public / world, but to me it is very much safe.
Putting port 8080 behind a firewall does not cause any issues with Let's Encrypt renewals. For renewal, Let's Encrypt uses ports 80 and 443 only, so your system must be reachable on ports 80 and 443 from the internet. Yes. This is about the creation of new website certs only; this option disables a test to check if the domains really point to your server, which can be blocked by certain NAT routers. It does not affect the renewal of existing certs (as the domains included in the cert do not get re-checked at that time), and it also does not affect the main SSL cert of the ISPConfig GUI (unless you use a website SSL cert for that).
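
The setup discussed in this thread, as an added example that is not part of any post and not ISPConfig's own configuration: a shell helper that emits an nftables ruleset keeping ports 80 and 443 open for Let's Encrypt while limiting the panel on port 8080 to one address. Assumptions: nftables is the host firewall, the table name `panel_filter` and both function names are hypothetical, `203.0.113.10` is a documentation placeholder for the admin/VPN address, and all other ports are left to your existing rules (policy accept).

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for an ISPConfig host.
# Usage (assumed workflow): panel_ruleset 203.0.113.10 > panel.nft
#                           nft -c -f panel.nft   # syntax check before loading

# Accept only a plain dotted-quad IPv4 address, so nothing else can be
# interpolated into the ruleset text.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split the address into its octets
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Print the ruleset for the given admin/VPN source address.
panel_ruleset() {
  valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
  cat <<EOF
table inet panel_filter {
  chain input {
    type filter hook input priority 0; policy accept;
    # Let's Encrypt issuance and renewal: 80/443 stay reachable from the internet.
    tcp dport { 80, 443 } accept
    # ISPConfig panel: only the admin/VPN address may connect.
    ip saddr $1 tcp dport 8080 accept
    # Everyone else (IPv4 and IPv6) is dropped on the panel port.
    tcp dport 8080 drop
  }
}
EOF
}
```

Because the table uses the `inet` family, the final drop rule also covers IPv6 clients, which have no allow rule here.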