Certificate Challenge

To issue a certificate, an ACME provider must verify that you control every subject alternative name (SAN) the certificate will contain. To accomplish this, anynode uses the HTTP-01 challenge method.

The HTTP-01 challenge involves anynode creating a file that contains a random token and the fingerprint of your account key. This file is used to prove control over the website to the Certificate Authority (CA). The challenge specifies both the contents of the file and the URL where it should be created.

Once anynode informs the ACME provider that the file is ready, the ACME provider attempts to retrieve it, potentially from multiple vantage points and multiple times. If these validation checks receive the correct response from anynode, the validation is considered successful and anynode can obtain the certificate.
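The exchange described above, as an added example that is not anynode's code or any ACME provider's code: it builds the challenge file body (the token, a dot, and the RFC 7638 thumbprint of the account key), serves it at the HTTP-01 path, and then plays the CA's side by fetching the URL and comparing the body. The account keys are constructed placeholders (only their JSON is hashed, so they need not be real keys), and the responder binds an ephemeral loopback port purely so the example runs offline; a real challenge is always fetched on port 80.

```python
import base64
import hashlib
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen


def b64url(data: bytes) -> str:
    """base64url without padding, as used for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample account keys (public part only, as JWKs). The x/y values are
# fixed placeholders, not real curve points: RFC 7638 thumbprinting only hashes JSON.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x33" * 32), "y": b64url(b"\x44" * 32)}

# Members RFC 7638 hashes for each key type; anything else (kid, use, alg) is dropped.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members serialised as JSON with no
    whitespace and lexicographically ordered keys, base64url-encoded."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body of the challenge file: the CA's token, '.', the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    """URL path the CA fetches for HTTP-01."""
    return f"/.well-known/acme-challenge/{token}"


class ChallengeResponder(HTTPServer):
    """Client side: holds token -> key authorization for challenges in progress."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.challenges = {}


class ChallengeHandler(BaseHTTPRequestHandler):
    PREFIX = "/.well-known/acme-challenge/"

    def do_GET(self):
        token = self.path[len(self.PREFIX):] if self.path.startswith(self.PREFIX) else None
        body = self.server.challenges.get(token)
        if body is None:
            self.send_error(404)  # unknown token: nothing to prove
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def ca_validate(base_url: str, token: str, expected: str) -> bool:
    """CA side: fetch the challenge URL and compare the body with the key
    authorization the CA computed itself from the token and the account key.
    Trailing whitespace is tolerated, as the ACME specification allows."""
    try:
        with urlopen(f"{base_url}{challenge_path(token)}", timeout=5) as resp:
            if resp.status != 200:
                return False
            body = resp.read().decode("ascii", errors="replace")
    except (OSError, ValueError):  # HTTPError (404 etc.) is a subclass of OSError
        return False
    return body.rstrip() == expected


def run_demo() -> dict:
    """Full round trip on loopback: register a challenge, validate it, and show the
    two failure modes (wrong token, body signed for a different account key)."""
    responder = ChallengeResponder(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=responder.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{responder.server_address[1]}"
    try:
        token = b64url(secrets.token_bytes(32))  # CA-chosen random token
        expected = key_authorization(token, ACCOUNT_JWK)
        responder.challenges[token] = expected
        return {
            "path": challenge_path(token),
            "key_authorization": expected,
            "valid": ca_validate(base_url, token, expected),
            "wrong_token": ca_validate(base_url, "unknown-token", expected),
            "wrong_key": ca_validate(base_url, token, key_authorization(token, OTHER_JWK)),
        }
    finally:
        responder.shutdown()
        responder.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The CA never trusts the file alone: it recomputes the expected key authorization from the token it issued and the account key that requested the order, so a body copied from someone else's challenge, or one produced with a different account key, fails exactly as the `wrong_key` case does here.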

Note that the HTTP-01 challenge can only be performed on port 80. Allowing clients to specify arbitrary ports would introduce security risks, so the ACME standard does not allow it.

The HTTP-01 challenge requires port 80 to be open in your firewall so that the ACME provider can reach your system when needed. Port 80 cannot be used by any other program on the anynode machine with the selected interface IP address. The port will only be opened when a challenge is initiated for certificate renewal or a new certificate issuance.