We have this setup and working great! However, we have to have port 80 forwarded (I believe) in order for the Let's Encrypt SSL certificate to renew. We had a PCI compliance scan done by our credit card processor and they are flagging this as an open unsecured port. However, we have that port open so that we can get the SSL automatically when it's time to renew.
You must have port 80 open for the default Let's Encrypt verification method to work. I think it needs to create a file on your server, which the LE server then attempts to read via http. There is no way to use a different port. In both of my implementations, the ISP was blocking port 80 anyway so I needed an alternative.

The alternative method for LE verification is what they call a "DNS Challenge" (see option in the Add SSL Certificate dialog). Depending on your DNS provider, you might need to create a TXT or CNAME record in your DNS to allow that to work. (I have done it twice; with a *.ddns.net domain I had to do that; for a *.DuckDNS.org domain I did not).
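To make the two mechanisms in the reply above concrete, here is a small worked example of what the CA actually checks in each case. It is an added illustration, not code from this thread or from the proxy software being discussed. It follows the ACME specification (RFC 8555) for the HTTP-01 and DNS-01 challenges and the RFC 7638 JWK thumbprint; the account key `SAMPLE_JWK`, the token `SAMPLE_TOKEN`, the domain `example.com` and the helper names are all constructed for the example.

```python
"""
Worked example of the two Let's Encrypt (ACME) challenge types.

  HTTP-01: the CA connects to port 80 and fetches
           http://<domain>/.well-known/acme-challenge/<token>
           expecting the body "<token>.<account key thumbprint>".
  DNS-01:  the CA looks up the TXT record _acme-challenge.<domain>
           expecting base64url(SHA-256(that same key authorization)).
           Nothing inbound is needed, which is why it works when an
           ISP blocks port 80.

Everything below is illustrative; SAMPLE_* values are constructed
(a real RSA modulus is far longer) and are not from the original post.
"""
import base64
import hashlib
import json

# Constructed account key in JWK form (fake modulus, real keys are ~2048 bits).
SAMPLE_JWK = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB"}
# Constructed challenge token (the CA issues the real one per authorization).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_DOMAIN = "example.com"

ACME_PATH_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638: only the required members, lexicographically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url encoded (43 chars for 32 bytes)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The string that proves control of both the token and the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """URL the CA fetches over plain HTTP on port 80, and the exact body it expects."""
    url = f"http://{domain}{ACME_PATH_PREFIX}{token}"
    return url, key_authorization(token, jwk)


def dns01_challenge(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """TXT record name and value the CA queries; no inbound connection is made."""
    name = f"_acme-challenge.{domain}"
    value = b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())
    return name, value


def port80_action(path: str) -> str:
    """
    Illustrative routing rule for a port-80 listener kept only for HTTP-01:
    serve the challenge directory, redirect everything else to HTTPS.
    Returns "serve" or "redirect" (constructed helper, not a product setting).
    """
    return "serve" if path.startswith(ACME_PATH_PREFIX) else "redirect"


if __name__ == "__main__":
    url, body = http01_challenge(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01: GET", url)
    print("         body must be:", body)
    name, value = dns01_challenge(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    print("DNS-01 : TXT", name, "=", value)
    for p in ("/.well-known/acme-challenge/abc", "/admin"):
        print("port 80 request", p, "->", port80_action(p))
```

Two practical points follow from the code. First, the CA's initial HTTP-01 request always goes to port 80, so a redirect to HTTPS does not remove the need for port 80 to be reachable; what it does let you do is keep that listener down to the single `/.well-known/acme-challenge/` path plus a redirect, which is a much easier thing to explain to a PCI scanner than a general web service. Second, the DNS-01 value is a hash of the same key authorization, so nothing about the server is exposed and no inbound port is involved; the cost is that whatever renews the certificate needs API credentials for your DNS provider, which you should scope to that one zone.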