Port 80 vs Port 443: What Certificate Automation Changes
Port 80 and port 443 are simple labels. The operational detail is how redirects, validation, certificates, and monitoring fit together.
Port 80 is the conventional port for HTTP. Port 443 is the conventional port for HTTPS. In modern production systems, port 80 usually exists to redirect users to HTTPS or to support specific certificate validation flows. Port 443 is where the protected service lives.
That simple distinction becomes important when you automate TLS. Certificate issuance, renewal, deployment, redirects, HSTS, and endpoint monitoring all touch these ports in different ways.
Port 80: redirect path and validation path
Many sites keep port 80 open only to redirect traffic to HTTPS. That is a good default for user traffic. It avoids broken bookmarks and gives clients a clean path to the secure endpoint.
Port 80 may also be used by ACME HTTP-01 validation, where an ACME client proves control of a hostname by serving a challenge response over HTTP. That does not mean the application itself should run over HTTP. It means the automation path needs enough access to complete validation safely.
Some environments avoid HTTP-01 and use DNS-01 or TLS-ALPN-01 instead. The right choice depends on network policy, wildcard needs, and who controls DNS. The key is to design validation deliberately, not discover at renewal time that port 80 is blocked and the certificate cannot renew.
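The split described above, a port 80 listener that answers ACME HTTP-01 challenges and redirects everything else to port 443, as an added example (not CertLocker's code and not any particular ACME client's). The challenge token and key authorization are constructed placeholders; in practice the ACME client stages them in the webroot or a shared store during validation, and the listener binds port 80 rather than the 8080 used here for an unprivileged run.

```python
"""Port 80 handler: serve ACME HTTP-01 challenges, redirect all other requests to HTTPS.

Added example, not project code. CHALLENGES holds constructed sample values;
a real ACME client writes the token -> key authorization pairs at validation time.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: token -> key authorization, as an ACME client would stage them.
CHALLENGES = {
    "example-token-1": "example-token-1.constructed-account-thumbprint",
}

# RFC 8555 tokens are base64url; reject anything else before consulting the store,
# so path tricks like "../" never reach a filesystem-backed implementation.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
# Only redirect to a Host value that looks like a hostname; never echo arbitrary input.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def route_http_request(path, host, challenges=CHALLENGES):
    """Return (status, headers, body) for a plain-HTTP request.

    Only the ACME challenge path is answered over HTTP. Everything else gets a
    permanent redirect to the same host and path on HTTPS (default port 443).
    """
    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):]
        if TOKEN_RE.match(token) and token in challenges:
            body = challenges[token].encode()
            return 200, {"Content-Type": "application/octet-stream"}, body
        return 404, {"Content-Type": "text/plain"}, b"unknown challenge\n"

    # Drop any ":80" the client sent; the redirect target is the default HTTPS port.
    host = host.split(":")[0] if host else ""
    if not host or not HOST_RE.match(host):
        return 400, {"Content-Type": "text/plain"}, b"missing or invalid Host header\n"
    return 301, {"Location": f"https://{host}{path}"}, b""


class Port80Handler(BaseHTTPRequestHandler):
    """Thin adapter from http.server onto route_http_request."""

    def do_GET(self):
        status, headers, body = route_http_request(self.path, self.headers.get("Host"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 8080 for an unprivileged local run; production binds port 80.
    HTTPServer(("0.0.0.0", 8080), Port80Handler).serve_forever()
```

Keeping the challenge path and the redirect in one small handler makes the failure mode from the paragraph above visible in code review: if port 80 is later firewalled or the challenge location is shadowed by the redirect rule, HTTP-01 renewal stops working even though user traffic still appears fine.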
Port 443: the endpoint that matters
Port 443 is where clients evaluate the certificate that your service actually serves. A certificate can be issued successfully and still fail operationally if the load balancer, web server, or reverse proxy continues serving the old certificate.
That is why monitoring port 443 matters. Checking an inventory record is not enough. You need an external signal that the live endpoint is reachable, serving the expected certificate, and renewing before expiry.
Where CertLocker probes fit
CertLocker probes monitor endpoints from the perspective that matters: the network path to the service. For a site like iis.certlocker.io, a probe on port 443 confirms that the HTTPS endpoint is up and under monitoring after certificate delivery.
That external probe complements the certificate lifecycle record. CertLocker can track issuance and audit events, while probes help confirm the deployed result. The combination catches the classic failure mode where the certificate renewed successfully but the serving endpoint did not pick it up.
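A port 443 probe of the kind described in the two passages above (the live endpoint as the source of truth, and the renewed-but-not-deployed failure mode), as an added example rather than CertLocker's own probe code. `evaluate_served_certificate` is pure logic over what the endpoint served and what the lifecycle record expects, so it can be exercised offline with constructed values; `probe_endpoint` is the only part that touches the network. The hostname `iis.certlocker.io` is the one the page names; the DER bytes, expiry dates and the record's expected fingerprint are constructed.

```python
"""Port 443 probe: compare the certificate actually served with the lifecycle record.

Added example, not project code. The record fields and the sample certificate
values used with it are constructed; only probe_endpoint() talks to a real host.
"""
import hashlib
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 14  # alert when less than this many days remain


def sha256_fingerprint(der_bytes):
    """Hex SHA-256 over the DER-encoded certificate, the usual identifier for pinning."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_cert_time(cert_time):
    """Turn a getpeercert() 'notAfter' string (e.g. 'Jun  1 12:00:00 2030 GMT') into UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def hostname_matches(hostname, san_dns_names):
    """Exact match, or a single-label wildcard in the leftmost position only."""
    host = hostname.lower()
    for name in san_dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def evaluate_served_certificate(served, expected, now=None):
    """Return a list of findings; an empty list means the endpoint is healthy.

    served:   {"der": bytes, "not_after": str, "san": [dns names]} as the endpoint presented it
    expected: {"hostname": str, "fingerprint_sha256": hex str} from the lifecycle record
    """
    now = now or datetime.now(timezone.utc)
    findings = []

    actual_fp = sha256_fingerprint(served["der"])
    if actual_fp != expected["fingerprint_sha256"]:
        # The classic miss: issuance succeeded, but the proxy still serves the old chain.
        findings.append(
            f"fingerprint mismatch: endpoint serves {actual_fp[:16]}..., "
            f"record expects {expected['fingerprint_sha256'][:16]}..."
        )

    if not hostname_matches(expected["hostname"], served["san"]):
        findings.append(f"{expected['hostname']} is not covered by SAN {served['san']}")

    days_left = (parse_cert_time(served["not_after"]) - now).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def probe_endpoint(hostname, port=443, timeout=5.0):
    """Fetch what the live endpoint serves on port 443 (network access; not run offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    san = [value for kind, value in info.get("subjectAltName", ()) if kind == "DNS"]
    return {"der": der, "not_after": info["notAfter"], "san": san}


if __name__ == "__main__":
    # Usage: python probe.py iis.certlocker.io <sha256 fingerprint from the lifecycle record>
    host, expected_fp = sys.argv[1], sys.argv[2]
    result = evaluate_served_certificate(probe_endpoint(host), {"hostname": host, "fingerprint_sha256": expected_fp})
    print("OK" if not result else "\n".join(result))
```

The fingerprint comparison is what ties the two signals together: the lifecycle record says which certificate was delivered, and the probe says which one port 443 is actually presenting. A mismatch with a still-valid expiry is exactly the "renewed but not picked up" case, and it is invisible to an inventory check alone.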
Practical rules
- Use port 80 for redirects and validation only when your ACME method requires it.
- Monitor port 443 as the source of truth for what users and clients experience.
- Test renewal paths before shortening certificate lifetimes.
- Be careful with HSTS if subdomains or legacy services still have incomplete HTTPS coverage.
- Track certificate delivery and endpoint health together, not as separate spreadsheets.