Bind to specific interface

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:

It produced this output: certbot certonly --standalone -d -d

My web server is (include version): ubuntu 18.04

The operating system my web server runs on is (include version): apache2.4

My hosting provider, if applicable, is: contabo

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, pure ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.13.0

I have a webserver with a lot of container running and all binds to internal interfaces of webserver. The external proxy bind to the public interface. The webroot and dns is not an option.
I can stop the reverse proxy but the stopping the containers is forbidden. Thus the certbot fails to bind 80.
How can I specifiy the interface/IP address to bind the certbot?
Thank you for your help!

1 Like

Please explain how the reverse proxy is configured.
[Does it listen on the external interface (IP) and then proxies those requests to internal systems]

If certbot is being run on a system that already has something running on port 80, then you are not stopping the right web service.
And if you can't stop that web service, then why can't you use --webroot there?
Assuming you can't do either of those and must have certbot run, in --standalone mode, on a system that already has something listening on port 80...
Then you can use:
--http-01-port HTTP01_PORT
certbot --standalone -d my.domain --http-01-port 9999

NOTE: That will NOT change the port being requested by LE to validate the HTTP request.
[So you will have to route the external port 80 to that internal port (9999 in the example)]

1 Like

Thank you for your answer!

The reverse proxy binds to external IP and the docker containers listens on the internal interfaces port 80. The requests are proxied to internal IP:80

There is only 1 server with multiple interface. Unfortunatly, the webserver config cannot be changed (pretty strict rules) and I have no control over DNS, so the only option is stop revproxy and get a LE.


Q1. Are those two talking about the same thing?

Q2. Do you control the reverse proxy?



Sorry, I haven't been clear about the configuration.
I have a VPS with 1 public IP address. The httpd is listening on this public address. Consider the webserver configuration read-only (changing it is a difficult business process)
Some of the websites has basic auth, so the .well-known has also has protection.
I have docker containers with 10.X.Y.Z static addresses . Each container runs an application with requires port 80.
When I stop the webserver I verify that the external IP address' 80/443 port is available, but the docker-proxy is still listening on the internal IP's so the certbot cannot listen to these addresses and gives an error.
My question is: how to bind to the external IP only to obtain the certificate (without stopping the internal containers and change the webserver config)
Q1: yes
Q2: yes, (changes requires meetings)

The standalone plugin will use the bind address specified by --http-01-address, if present.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.