Automatic renewal of certificate fails because my HTTPS runs on port 4443

Hello fellow sysadmins,

I’m running a Debian system that I use as a web server with Apache but also as a VPN server with OpenVPN.

Since both of these applications use port 443, I’m using the port-redirect option of OpenVPN, which allows all traffic that is not linked to OpenVPN to be redirected to another port instead.

So I’m running my TLS website on port 4443 instead of 443.

Because of this, the automatic renewal of the certificate by certbot fails because it’s only working on port 443.

So every 90 days, when the certbot’s system timer task kicks in and wants to do a renewal, it fails and also crashes my Apache server at the same time.

Then I have to manually stop OpenVPN, set the Apache ports back to 443, do the renewal, put the ports back to 4443 and start OpenVPN again.

Do you guys know if there is a way to solve this problem?

TIA for your help.

There are other possibilities to authorize your domain: http-01 and dns-01. Have a look at the webroot-plugin:

https://certbot.eff.org/docs/using.html#webroot

Thanks for your answer bytecamp.

I can’t use http-01 since my web server runs TLS exclusively for security reasons.

I don’t understand how I can make the renewal automatic by using the dns-01 challenge if I need to manually modify my domain DNS for this to work.

There is a standalone webserver integrated into certbot, you don't need to open your webserver to port 80: User Guide — Certbot 2.7.0.dev0 documentation

One more thing: how does openvpn redirect https traffic? Is this transparent to the client, i.e. does it act like a proxy? Then, if openvpn already detects and redirects https traffic, I don't see any problem here.

OpenVPN redirects HTTPS traffic to another port, so it’s not transparent, and since it’s not 443 the TLS challenge fails with certbot.

I tried using standalone but it says that it cannot work because the ports are already in use, I guess by Apache.

But anyway, I managed to solve my problem by scripting what I was doing manually. This is how I got it done:

1°) disabled the certbot task in Debian to stop it from running automatically:

```
systemctl stop certbot.timer
systemctl disable certbot.timer
systemctl mask certbot.timer
```

2°) created a ports.certbotrenew.conf in apache2 with the default 443 ports inside

3°) created a script to do automatically what I was doing manually:

```
#!/bin/bash

# Free port 443 by stopping OpenVPN
/etc/init.d/openvpn stop

# Swap in the Apache ports file that listens on 443
mv /etc/apache2/ports.conf /etc/apache2/ports.save.conf
mv /etc/apache2/ports.certbotrenew.conf /etc/apache2/ports.conf

/etc/init.d/apache2 restart

# Renew any certificate that is due
certbot renew

# Restore the original ports file (4443)
mv /etc/apache2/ports.conf /etc/apache2/ports.certbotrenew.conf
mv /etc/apache2/ports.save.conf /etc/apache2/ports.conf

/etc/init.d/apache2 restart

# Bring the VPN back on port 443
/etc/init.d/openvpn start
```

4°) set execute rights to the above script with chmod +x and created a cron task to launch it every week.

Well, you wrote that your webserver runs on https only :wink:

One hint: instead of stopping your vpn and reconfiguring apache every week, you could use pre- and post-validation hooks. This way, your configuration would only change temporarily iff certificate renewal is due.

https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

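The hook approach suggested in the reply above, written out as an added example (not code from this thread or from the certbot project). It reuses the file names from the script earlier in the thread; the install path `/usr/local/sbin/certbot-portswap.sh` and the names `APACHE_DIR`, `SVC` and `service_ctl` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre/post hook script for the port-swap setup in this thread.
# Assumed install path (hypothetical): /usr/local/sbin/certbot-portswap.sh
# Wire it up with certbot's --pre-hook / --post-hook options:
#   certbot renew --pre-hook  "/usr/local/sbin/certbot-portswap.sh pre" \
#                 --post-hook "/usr/local/sbin/certbot-portswap.sh post"
# Both hooks run only when a certificate is actually due for renewal.

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"   # hypothetical override for dry runs
SVC="${SVC:-service_ctl}"                   # hypothetical override (stub in tests)

service_ctl() {   # service_ctl <name> <action>, same init scripts as the thread
    "/etc/init.d/$1" "$2"
}

pre_hook() {
    # A leftover ports.save.conf means an earlier run never restored the
    # 4443 configuration; swapping again would overwrite that backup.
    if [ -e "$APACHE_DIR/ports.save.conf" ]; then
        echo "ports.save.conf already exists, not swapping again" >&2
        return 1
    fi
    [ -f "$APACHE_DIR/ports.certbotrenew.conf" ] || return 1
    "$SVC" openvpn stop || return 1
    mv "$APACHE_DIR/ports.conf" "$APACHE_DIR/ports.save.conf" &&
    mv "$APACHE_DIR/ports.certbotrenew.conf" "$APACHE_DIR/ports.conf" &&
    "$SVC" apache2 restart
}

post_hook() {
    # Restore only if pre_hook actually swapped the files.
    if [ -e "$APACHE_DIR/ports.save.conf" ]; then
        mv "$APACHE_DIR/ports.conf" "$APACHE_DIR/ports.certbotrenew.conf" &&
        mv "$APACHE_DIR/ports.save.conf" "$APACHE_DIR/ports.conf" || return 1
        "$SVC" apache2 restart
    fi
    "$SVC" openvpn start   # bring the VPN back even if the renewal failed
}

case "${1:-}" in
    pre)  pre_hook ;;
    post) post_hook ;;
esac
```

Because the hooks are skipped when nothing is due, `certbot renew` can be scheduled as often as needed without interrupting the VPN or restarting Apache on most runs.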

My webserver runs only on https but I think apache is still using the port 80 to redirect people that use the non-https url to https :slight_smile:

Thanks for the suggestion about the validation hooks and for your help :slight_smile:

Have a nice day.
