Centos, Certbot, timeout, port 1194

Hello,

I want to run a VPN server behind a firewall using the OpenVPN port 1194, and I try to get a certificate for that.
That's the only port pointing to that machine from the Internet (at the moment).
I can connect through SSH from the Internet, but that access is locked to a few specific IP-Addresses.

I tried to read through similar topics but couldn't really find a solution to my problem (my English might not be good enough to filter relevant answers from other topics).

What I did / tried so far:

First I stopped the VPN-Server to free up the port (1194).
Then I tried to get a certificate from LE.

  • command:
    certbot certonly --tls-sni-01-port 1194
    (‘1: Spin up a temporary webserver (standalone)’)
  • Output:
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for enzian.vpn.eiskalt.at
    Waiting for verification…
    Cleaning up challenges
    Failed authorization procedure. enzian.vpn.eiskalt.at (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: enzian.vpn.eiskalt.at
    Type: connection
    Detail: Timeout

Following tries with a web server started (nginx) listening on 1194
(the web server was accessible and responded with the standard page)

IMPORTANT NOTES:

  1. tried with http-01 instead of tls-sni-01

IMPORTANT NOTES:

It seems to me as if this procedure (getting a certificate with certbot) needs two ports (80 and 443).
If this is the case, would it be possible to use port 1194 for http (with --http-01-port 1194) and port 44300 for https (with --tls-sni-01-port 44300), as the ports 80 and 443 are not available (I don't get them forwarded to my machine)?
I am not in charge of the firewall, so I don't want to try different options, because I always have to ask others to change settings.
If ports below 1024 are needed, I may be able to request forwarding from 81 and 444 (or something similar). The administrator of the firewall is in general not too happy to open ports below 1024 to be accessible from everywhere on the Internet. If ports below 1024 are needed, is there a possibility to limit access to an IP or IP range?
Or do I have an error in the commands I tried to obtain a certificate?

Kind regards
Oliver

Please fill out the fields below so we can help you better.

My domain is:
enzian.vpn.eiskalt.at

I ran this command:
more than one … listed above

It produced this output:
more than one … listed above

My web server is (include version):
nginx/1.10.2

The operating system my web server runs on is (include version):
Centos Linux 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes, but locked to specific IP-addresses

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

To use the TLS-SNI authenticator, the Let’s Encrypt servers must be able to connect to your server on port 443. To use the HTTP-01 authenticator, they must be able to connect on port 80. If neither of those is possible in your case, the third option would be the DNS authenticator, which requires updating your DNS records for certificate issuance and renewal.


By the way, the reason these options exist is in case you have an external port mapping, like a router that forwards the public port 443 to internal port 1194. This has turned out to be a relatively common configuration. Per @danb35's explanation, it does not mean that you can choose the public port that the certificate authority will validate on.
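To make the two answers above concrete, here is an added example (not code from the thread or from certbot) that models the HTTP-01 exchange locally: the CA-side probe always dials the domain on the fixed public port (80 by default), while the certbot-side standalone responder may listen on any local port, which is exactly what `--http-01-port` controls and why it only helps when a router or firewall maps public 80 to that local port. Token and key authorization values are constructed for illustration.

```python
import http.server
import socketserver
import threading
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class StandaloneResponder(socketserver.TCPServer):
    """Stand-in for certbot's temporary web server (--standalone).
    bind_port is the LOCAL port (certbot's --http-01-port); 0 = pick any."""
    allow_reuse_address = True

    def __init__(self, bind_port, token, key_authorization):
        self.token = token
        self.key_authorization = key_authorization
        super().__init__(("127.0.0.1", bind_port), ChallengeHandler)
        self.bound_port = self.server_address[1]
        threading.Thread(target=self.serve_forever, daemon=True).start()


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Only the exact challenge path for the issued token is answered.
        if self.path == CHALLENGE_PREFIX + self.server.token:
            body = self.server.key_authorization.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass  # keep the example quiet


def validate_http01(host, token, key_authorization, public_port=80, timeout=5):
    """What the CA does: plain HTTP GET on the domain's PUBLIC port (80 by
    default, not chosen by the client), then compare the body with the expected
    key authorization (token.thumbprint in real ACME). A firewall that does not
    forward public_port to the responder shows up here as a timeout -> False."""
    url = f"http://{host}:{public_port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode().strip() == key_authorization
    except OSError:  # timeout, connection refused, URLError/HTTPError
        return False
```

In the thread's situation the responder would be started on 1194, but the probe still goes to public port 80, so without a DNAT from 80 to 1194 at the firewall the result is the same timeout the original post shows.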

Thank you danb35 and schoen.

This answer helps a lot.
Saved me from spending a lot of time trying to get it running on other ports than 80 and 443.
With this answer I might be able to convince the firewall admin to get port 80 (more likely) or 443.

I use LE on other machines already and it works perfectly, but in those cases I am in charge of the firewall and port 443 points to the machine I need the certificate for.

Kind regards
Oliver
