Certbot Renew Issue over Custom Port

I’m currently using the following command to generate cert requests in a scripted fashion:

certbot certonly --standalone --preferred-challenges http --http-01-port 44344 -d my-domain-name.com

I’ve been trying to run a renew using the same flags:

certbot renew --standalone --preferred-challenges http --http-01-port 44344

But I’m getting the following response:

Domain: www.my-domain-name.com
Type: unauthorized
Detail: Invalid response from https://www.my-domain-name.com/.well-known/acme-challenge/A0l5Fi3a3CKSWOnYCeZqpz9cW8k4ndEJSseCoPDKFP8 [2600:3c00::46:7001]: “\n<html lang=“en-US”>\n\n\t<meta charset=“UTF-8”>\n\t<link rel=“profile” href=“https://gmpg.org/xfn/11”>\n\t”

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.my-domain-name.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.my-domain-name.com/.well-known/acme-challenge/A0l5Fi3a3CKSWOnYCeZqpz9cW8k4ndEJSseCoPDKFP8 [2600:3c00::46:7001]: “\n<html lang=“en-US”>\n\n\t<meta charset=“UTF-8”>\n\t<link rel=“profile” href=“https://gmpg.org/xfn/11”>\n\t”

Calling registered functions
Cleaning up challenges
Stopping server at :::54345…
Attempting to renew cert (my-domain-name.com) from /etc/letsencrypt/renewal/my-domain-name.com.conf produced an unexpected error: Failed authorization procedure. www.my-domain-name.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.my-domain-name.com/.well-known/acme-challenge/A0l5Fi3a3CKSWOnYCeZqpz9cW8k4ndEJSseCoPDKFP8 [2600:3c00::46:7001]: “\n<html lang=“en-US”>\n\n\t<meta charset=“UTF-8”>\n\t<link rel=“profile” href=“https://gmpg.org/xfn/11”>\n\t”. Skipping.
Traceback was:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.my-domain-name.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.my-domain-name.com/.well-known/acme-challenge/A0l5Fi3a3CKSWOnYCeZqpz9cW8k4ndEJSseCoPDKFP8 [2600:3c00::46:7001]: “\n<html lang=“en-US”>\n\n\t<meta charset=“UTF-8”>\n\t<link rel=“profile” href=“https://gmpg.org/xfn/11”>\n\t”

It looks like it might be ignoring that port on the renewal requests. Any idea on how to make the renewal work?

Thank you in advance!

The CA is only authorized to use specific ports (80/443/22/25) by the Baseline Requirements; you have to be able to answer the challenge from a real webserver (but it will follow redirects) to get a cert by the http-01 challenge.


In addition to @orangepizza: the --http-01-port option exists for situations where the external port 80 might be mapped by a home NAT router or something to a different port on the server. It’s a local setting only. It doesn’t tell the ACME server on which port to connect; it only tells the client on which port to listen.
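The two replies above describe the validation path the CA actually takes: it connects to the public port 80 (following any redirect it finds there) and compares the body with the key authorization; the port given to --http-01-port is only where the local client listens. The script below is an added example, not code from this thread or from certbot, that models both scenarios on loopback with constructed values: a "standalone" listener on an ephemeral port standing in for certbot --standalone --http-01-port, and a "port 80" listener standing in for the site's real webserver. In the first scenario the webserver serves its normal HTML page (the outcome seen in the error output above); in the second it redirects /.well-known/acme-challenge/ to the standalone port, which is what makes a custom-port setup pass. The token, thumbprint, hostnames and ports are all constructed for the demo, and the CA's behaviour is simplified to a single GET.

```python
"""Model of http-01 validation: the CA hits the public port 80, not the
client's --http-01-port. Added example; all values are constructed."""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "constructed-token-0123456789"                 # constructed, not a real token
KEY_AUTHZ = TOKEN + "." + "constructed-account-thumbprint"  # token.thumbprint format


class StandaloneHandler(BaseHTTPRequestHandler):
    """Models `certbot --standalone --http-01-port N`: answers the challenge
    path only. The CA never connects to this port directly."""

    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + TOKEN:
            body = KEY_AUTHZ.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_port80_handler(standalone_port, redirect_challenges):
    """Models the real webserver on port 80 (here an ephemeral loopback port).
    With redirect_challenges=False it serves its normal site, which is what
    the CA saw in the thread; with True it redirects challenge requests to
    the standalone listener, which the CA will follow."""

    class Port80Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if redirect_challenges and self.path.startswith(CHALLENGE_PREFIX):
                self.send_response(302)
                self.send_header(
                    "Location", f"http://127.0.0.1:{standalone_port}{self.path}")
                self.end_headers()
                return
            body = b'<html lang="en-US"><head><meta charset="UTF-8"></head></html>'
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return Port80Handler


def start_server(handler):
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def ca_validate(public_port, token, key_authz):
    """What the CA does: GET the challenge on the site's public port, follow
    redirects (urlopen does), and compare the body with the key authorization."""
    url = f"http://127.0.0.1:{public_port}{CHALLENGE_PREFIX}{token}"
    try:
        with urlopen(url, timeout=5) as resp:
            body = resp.read().decode(errors="replace")
    except HTTPError as exc:
        return False, f"HTTP {exc.code}"
    if body.strip() == key_authz:
        return True, "ok"
    return False, "Invalid response: " + body[:40]


def run_scenario(redirect_challenges):
    """Start both listeners, run one validation, tear down. Returns (ok, detail)."""
    standalone = start_server(StandaloneHandler)
    public = start_server(make_port80_handler(
        standalone.server_address[1], redirect_challenges))
    try:
        return ca_validate(public.server_address[1], TOKEN, KEY_AUTHZ)
    finally:
        for srv in (public, standalone):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print("webserver serves its own page:", run_scenario(False))
    print("webserver redirects challenges:", run_scenario(True))
```

The practical reading: with --standalone on a custom port, the service that really owns port 80 must either be stopped during renewal (so certbot can bind 80 itself) or forward /.well-known/acme-challenge/ to the port certbot listens on; a renewal that only passes --http-01-port changes nothing the CA can see.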
