
I recently acquired a .nexus domain simply because it sounds cool. I wanted to use Let's Encrypt with HAProxy to secure connections coming in from outside the house. However, I couldn't seem to get Let's Encrypt to play unless I bootstrapped it with a cert from somewhere else (ssl.com in this case). Has anyone else tried using ACME automation with a TLS-restricted domain? Now that it is up and running, will it have issues renewing when the time comes? I have tried to Google this, but either Google is bad or I don't know how to appropriately word my query. I suspect it is a little column A, a little column B. Either way, any info anyone can share would be greatly appreciated. I am willing to accept the answer "this is a bad idea and will always be difficult".

https://linustechtips.com/topic/1636645-letsencrypt-with-tls-restricted-domain/

By TLS-restricted domain, you mean your web server is configured to only accept incoming connections on port 443? You need to allow the regular HTTP port for Let's Encrypt to work. It should work with Let's Encrypt; only browsers should enforce HSTS for these domains.

Remember to either quote or @mention others, so they are notified of your reply
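The "only browsers enforce HSTS for these domains" point is worth making concrete: browsers ship an HSTS preload list, and a hostname is covered either by an exact entry or by a parent entry (up to and including the TLD) that has include_subdomains set. The script below is an added example, not code from this thread or from any browser; the three entries are constructed sample data written in the shape of Chromium's transport_security_state_static.json (an entry naming the bare TLD "nexus" is included only to illustrate TLD-wide coverage, so fetch the real list before drawing conclusions about any domain).

```python
"""Check whether a hostname is covered by HSTS preload entries.

Added example, not from the thread. The entries below are constructed
sample data in the shape of Chromium's preload list; they are not the
real list.
"""
import json

# Constructed sample entries (shape only; not the real preload list).
SAMPLE_PRELOAD_JSON = """
{
  "entries": [
    { "name": "nexus", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "example.com", "policy": "custom", "mode": "force-https", "include_subdomains": false },
    { "name": "legacy.example.net", "policy": "custom", "mode": "force-https", "include_subdomains": true }
  ]
}
"""


def load_entries(raw: str) -> dict:
    """Index the force-https entries by name so lookups are dictionary hits."""
    data = json.loads(raw)
    return {
        e["name"].lower(): e
        for e in data["entries"]
        if e.get("mode") == "force-https"
    }


def preload_entry_for(hostname: str, entries: dict):
    """Return the entry that covers hostname, or None.

    Walks from the full name up to the TLD: an exact match always counts,
    a parent name only counts when its entry has include_subdomains.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        entry = entries.get(name)
        if entry is None:
            continue
        if i == 0 or entry.get("include_subdomains"):
            return entry
    return None


def is_preloaded(hostname: str, entries: dict) -> bool:
    """True when a preloading browser will refuse plain http:// for this host."""
    return preload_entry_for(hostname, entries) is not None


if __name__ == "__main__":
    entries = load_entries(SAMPLE_PRELOAD_JSON)
    for host in ["home.example.nexus", "example.com", "www.example.com",
                 "box.legacy.example.net", "example.org"]:
        print(f"{host:26} preloaded={is_preloaded(host, entries)}")
```

The lookup mirrors what the browser does before it sends the first request: it is a client-side decision, which is why a preloaded host still accepts plain HTTP from anything that is not a browser, including an ACME validator.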


use dns challenge to get verified.



2 hours ago, Eigenvektor said:

By TLS-restricted domain, you mean your web server is configured to only accept incoming connections on port 443? You need to allow the regular HTTP port for Let's Encrypt to work. It should work with Let's Encrypt; only browsers should enforce HSTS for these domains.

By TLS-restricted I mean the DNS system has deemed that the .nexus domain must be used with HTTPS; HTTP is not allowed.

 

2 hours ago, Levent said:

use dns challenge to get verified.

I was under the impression that my registrar required a DNS API to use that, correct? Do you have a DNS provider that offers free API access?


7 hours ago, AustinH said:

By TLS-restricted I mean the DNS system has deemed that the .nexus domain must be used with HTTPS; HTTP is not allowed.

That's not how DNS works; not something it can do. DNS is like a telephone book. You send it a name, it gives you the corresponding IP address(es). That's it. It doesn't know or care what services live behind that IP.

 

The reason many .nexus domains are "TLS only" is that they are part of browsers' HSTS preload list, which causes those browsers to refuse to connect to them over HTTP. That's a choice these browsers make based on that list, not something enforced externally.

 

If your server listens on port 80 (or any other port), there's nothing that would prevent me from using DNS to look up your IP, then using something like cURL to connect to that IP on port 80 (or 25, or 636, or …). The only thing that could really stop me is if your hoster/ISP for some reason blocks these ports with a firewall.

 

In other words, Let's Encrypt can totally connect to your IP over port 80, determine that /.well-known/acme-challenge/<TOKEN> returns the expected response and issue a certificate. Let's Encrypt is entirely free to ignore HSTS policies. The only thing this requires is that your server listens on port 80 and no firewall blocks that port.

 

7 hours ago, AustinH said:

I was under the impression that my registrar required a DNS API to use that, correct? Do you have a DNS provider that offers free API access?

You need the ability to set TXT records. If you want to automate it (for Let's Encrypt), then yes, some form of API endpoint would be needed.

 

By free you mean it should be included in the price you pay for their service already, I assume? Cloudflare supposedly provides API access that is compatible with Let's Encrypt.

Remember to either quote or @mention others, so they are notified of your reply


On 5/1/2026 at 6:50 AM, AustinH said:

By TLS-restricted I mean the DNS system has deemed that the .nexus domain must be used with HTTPS; HTTP is not allowed.

AFAIK, there's no option to enforce HTTPS on the DNS provider side. However, one may configure server-side web apps to enforce it. In Apache, for example, a file named .htaccess may be created in the site's root directory with the following contents:

<IfModule mod_rewrite.c>
# Rewriting is off by default in .htaccess; without this line the rules below never run
RewriteEngine On
RewriteBase /
# Any request that did not arrive on port 443 gets a permanent redirect to the HTTPS URL
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=301,L]
</IfModule>

Which means that connections to any port other than 443 (including 80) shall be redirected to port 443, so that HTTPS is enforced. Other engines like Nginx may also have their ways to enforce HTTPS, although I have yet to use them. 😃
