Can't get certificate on Debian using certbot 0.22

I am trying to request a certificate for a webserver which is behind a Varnish caching proxy. Apache is available on port 81, however this port is not publicly available. Varnish is listening on port 80. I would rather not expose port 81 to the outside world.

In the past I could request certificates using the tls-sni-01 challenge. However it seems this challenge does not work anymore for new domains. I read this challenge was disabled for security reasons but it seems it is re-enabled again? If possible I would like to use the tls-sni-01 challenge, as requesting (existing) certificates via this challenge works fine.

My domain is:

occupationlanding.wageindicator.org

I ran this command:

certbot certonly --apache --cert-name occupationlanding.wageindicator.org -d occupationlanding.wageindicator.org

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for occupationlanding.wageindicator.org
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

My web server is (include version):

Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version):

Debian GNU/Linux 9.3 (stretch)

I’m using the latest certbot:

certbot --version
certbot 0.22.0

My hosting provider, if applicable, is:

DNS is managed from mydomain.com, VPS is running from linode

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

Hi,

Just wondering, did you set up any virtual hosts in Apache that listen on port 80 or 443?

You can use this handy guide to set up (if not done so):

A guide to use let’s encrypt with the system:

Thank you

Virtual hosts are set up for Apache on 81 and 443; Varnish is in front listening on 80 and forwarding requests to 81.

Current vhost:

<VirtualHost *:81>
    ServerName occupationlanding.wageindicator.org

    # for letsencrypt
    DocumentRoot /var/www/html

    # RewriteEngine on
    # RewriteCond %{REQUEST_URI} !^/.well-known/.*
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=301]

    CustomLog    /var/log/apache2/occupationlanding.wageindicator.org.log varnishcombined

</VirtualHost>

edit: the .well-known directory is currently accessible:

curl -I http://occupationlanding.wageindicator.org/.well-known/
HTTP/1.1 200 OK
Date: Mon, 19 Mar 2018 16:09:08 GMT
...

Does it work if you add --http-01-port 81 to the certbot command?


Yes; after opening up port 81 on the firewall, I could request the certificate. Thanks. :smile:

Is there any way to use the tls-sni-01 challenge instead of the http-01 challenge? This was used for previous certificates on the server I am working on, which would save me opening up port 81. Though I noticed port 81 does not need to be open when running certbot renew --dry-run.

You shouldn’t need to open up port 81 externally. The validation server connects to Varnish on port 80, which connects to Apache on port 81; Apache serves the challenge response on port 81 and Varnish repeats it on port 80 to the validation server. Certbot just needs to know that it should tell Apache to respond on port 81, which is what the --http-01-port option does.

The tls-sni-01 challenge is only available in special circumstances, mostly for renewals using the same ACME account, so it’s unlikely you’ll be able to use it for a new certificate (but given the above, I don’t think you’ll need to).

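A pre-flight check for the path described in the reply above, written as an added example (not code from the thread or from certbot): it drops a random token into the DocumentRoot that Apache serves on 81 (/var/www/html in the vhost posted earlier) and fetches it through the public URL the validation server would use, so you can confirm the Varnish:80 -> Apache:81 chain hands back the challenge body before opening any firewall port. The loopback stand-in server, the ephemeral port and the helper names are my assumptions; on the real host pass the webroot and http://occupationlanding.wageindicator.org instead.

```python
import functools, secrets, tempfile, threading, urllib.error, urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

ACME_PATH = ".well-known/acme-challenge"   # path the http-01 validator requests

def check_http01_path(webroot, public_base_url, timeout=5.0):
    """Write a random token under <webroot>/.well-known/acme-challenge/ and
    fetch it via public_base_url, as the ACME validation server would.
    Returns True only if the body round-trips unchanged."""
    token = secrets.token_urlsafe(32)   # stands in for the ACME token
    body = secrets.token_urlsafe(32)    # stands in for the key authorization
    token_file = Path(webroot) / ACME_PATH / token
    token_file.parent.mkdir(parents=True, exist_ok=True)
    token_file.write_text(body)
    url = f"{public_base_url.rstrip('/')}/{ACME_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode() == body
    except (urllib.error.URLError, OSError, UnicodeDecodeError):
        return False          # 404, connection refused, timeout, wrong backend...
    finally:
        token_file.unlink(missing_ok=True)   # never leave the probe file behind

class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):   # silence per-request logging in the demo
        pass

def serve_webroot(webroot):
    """Local static server on an ephemeral loopback port, standing in for the
    Varnish:80 -> Apache:81 chain (assumed stand-in); on a real host point
    check_http01_path at the public hostname instead."""
    handler = functools.partial(QuietHandler, directory=str(webroot))
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"

def self_check():
    """Returns (reachable when the served dir is the webroot,
    reachable when the served dir differs, i.e. a mis-pointed DocumentRoot)."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as other:
        server, base = serve_webroot(good)
        try:
            return check_http01_path(good, base), check_http01_path(other, base)
        finally:
            server.shutdown()

if __name__ == "__main__":
    print("matching webroot, mismatched webroot:", self_check())
```

Because the token is random, a cached or synthetic response from Varnish cannot mask a broken backend: only a fresh fetch from the right DocumentRoot returns the matching body.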

Ok, thanks for the clarification!
