Certbot and ports confusion

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: oohkitchen.co.uk

I'm running a node.js server on Ubuntu 20.04 (without nginx). I'm attempting to use SSL for the first time. I installed certbot with 'certbot certonly --standalone'

My node app server was set to ports 9080 (http)/9089 (https) for Dev and using these ports everything seemed to work. i.e. ssl works.

As I'm now entering production, I changed the node server ports to 80/443, which all seemed to work initially. About 30 minutes later, I started to see the following error:

Error: listen EADDRINUSE: address already in use :::80

I now understand certbot is also using port 80. Is this true? After running netstat -tulnp I could not see any reference to certbot.

I tried the following command, as I understand it stops certbot from using any ports:
'certbot -d example.com --manual --preferred-challenges dns certonly'. Two options appeared in the shell. I tried both options but I was greeted with no TXT. What could be wrong?


root@ubuntu01:/home/jetspace01# ss -tlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096* users:(("systemd-resolve",pid=549,fd=13))
LISTEN 0 128* users:(("sshd",pid=537445,fd=3))
LISTEN 0 4096* users:(("mongod",pid=949,fd=10))
LISTEN 0 128 [::]:ssh [::]:* users:(("sshd",pid=537445,fd=4))
LISTEN 0 511 *:https : users:(("node",pid=684244,fd=21))
LISTEN 0 511 *:http : users:(("node",pid=684244,fd=20))

Welcome to the forum!

Hi @Orange-100,

certbot --standalone does use port 80, but only during the moment that it's actually obtaining your certificate. It should not continue using port 80 at other moments.

Is it possible that you have some other process using port 80? Maybe you can try sudo ss -tlp (which is similar to your netstat command) to make sure.

Was there anything listening on :::80 ?

please show:
ps -ef | grep 684244

Hi, I updated the question with the ss -tlp output. I can't see anything else on port 80. Perhaps when I changed the node app to use 80/443, at the same time certbot tried to use port 80. I remember trying to perform a test renew.

root 684244 684162 0 09:06 ? 00:01:40 node /home/jetspace01/run.js
root 691971 683066 0 19:25 pts/0 00:00:00 grep --color=auto 684244

This may need some clarification.

  • You first installed certbot
  • Then you ran certbot certonly --standalone

You can't run certbot in --standalone mode when anything else is using port 80.

When I ran 'certbot certonly --standalone', my node server app was running on 8080 (http)/8089 (https). I then changed these ports to 80/443 as I'm going to production.

You can either:

  • stop node.js from using port 80 while running certbot
  • find a working node.js --webroot and don't use the --standalone mode
  • create a specific path for the /.well-known/acme-challenge/ requests to be handled by node.js (and not use --standalone)

But they both can't use port 80 at the same time.

But it doesn't necessarily seem like they're trying to...!

How can I change --standalone mode?
I tried to change to dns auth mode (as mentioned in post) but that does not work.

@schoen Maybe they were.

I think I have broken something now. I just tried to simulate the problem by attempting a renew with: certbot renew --dry-run and received errors:

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (oohkitchen.co.uk) from /etc/letsencrypt/renewal/oohkitchen.co.uk.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:

  • /etc/letsencrypt/live/oohkitchen.co.uk/fullchain.pem (failure)*

I was going to say that this is expected behavior when using --manual and an important reason not to use --manual if you can avoid it. (In particular, certbot renew doesn't work with --manual because certbot renew isn't capable of performing any human interaction, while --manual always requires human interaction unless you add the scripts it's referring to.) But I was hoping we could figure out what the problem with --standalone was!

Can --manual use a cron job to renew certs?

That looks like it should have produced TXT records...
Maybe the order matters (not sure which version of certbot you have).
Try rearranging them:
certbot certonly --manual --preferred-challenges dns -d example.com

You can't automate an explicitly requested --manual process.

I asked because I was following this guide - https://flaviocopes.com/express-letsencrypt-ssl/ and it mentions using cron jobs with the 'well-known/acme-challenge/' folder.
If it's incorrect, can I go back to --standalone and run my node app on non-standard ports?

I think you misread their site.
They go through doing it --manual(ly) the first time.
But the renew doesn't include the verb --manual.
certbot is well capable of renewing certs automatically.
They are basically showing how to use the --webroot option.
[which can be used with or without --manual intervention]
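
The option raised in the thread of letting node.js answer the /.well-known/acme-challenge/ requests itself (which is what --webroot relies on), as an added example that is not part of any post or of the linked guide. The ACME_WEBROOT and ACME_HOST variables, the /var/www/acme directory and the function names are assumptions; tokens are limited to base64url characters so the handler cannot be used to read files outside the challenge directory.

```javascript
// Added example: a Node.js server that owns port 80 answers HTTP-01
// challenges itself, so certbot can run in --webroot mode, e.g.
//   certbot certonly --webroot -w /var/www/acme -d example.com
// ACME_WEBROOT, ACME_HOST and /var/www/acme are assumed names.
const http = require('http');
const fs = require('fs');
const path = require('path');

const PREFIX = '/.well-known/acme-challenge/';
// ACME tokens are base64url; rejecting anything else blocks "../" traversal.
const TOKEN_RE = /^[A-Za-z0-9_-]+$/;

// Map a request path to a file inside webroot, or null if the path is
// not a well-formed challenge request.
function challengeFile(webroot, urlPath) {
  if (!urlPath.startsWith(PREFIX)) return null;
  const token = urlPath.slice(PREFIX.length);
  if (!TOKEN_RE.test(token)) return null;
  return path.join(webroot, '.well-known', 'acme-challenge', token);
}

// Decide the plain-HTTP response: serve the challenge, 404 a bad or
// missing one, redirect everything else to HTTPS on the configured host
// (the client-supplied Host header is deliberately not reflected).
function route(webroot, host, url) {
  const urlPath = url.split('?')[0];
  if (!urlPath.startsWith(PREFIX)) {
    return { status: 301, location: `https://${host}${url}`, body: '' };
  }
  const file = challengeFile(webroot, urlPath);
  try {
    if (file) return { status: 200, body: fs.readFileSync(file, 'utf8') };
  } catch (err) { /* no such token: fall through to 404 */ }
  return { status: 404, body: 'not found' };
}

function createServer(webroot, host) {
  return http.createServer((req, res) => {
    const r = route(webroot, host, req.url);
    const headers = { 'Content-Type': 'text/plain' };
    if (r.location) headers.Location = r.location;
    res.writeHead(r.status, headers);
    res.end(r.body);
  });
}

// Start only when configured, so loading this file has no side effects.
const { ACME_WEBROOT, ACME_HOST } = process.env;
if (ACME_WEBROOT && ACME_HOST) createServer(ACME_WEBROOT, ACME_HOST).listen(80);
```

With the node process keeping port 80 and serving this path, certbot renew can run unattended from cron or a timer because nothing has to be stopped for the challenge.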