Certbot letsencrypt on different port than 443

My domain is: kumolink.ddns.net

I ran this command: $ sudo certbot --nginx -d kumolink.ddns.net -m kumopeer@gmail.com --agree-tos --tls-sni-01-port 15443 --http-01-port 15080

It produced this output:

usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --tls-sni-01-port 15443

My web server is (include version): 1.18.0-0ubuntu1.2

The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

Thank you very much in advance for any suggestions.

2 Likes

Welcome to the community @jairunet

The error message seems clear enough. There is no such command line option. See the docs here.

But, why do you even need a different port? I see ports 80 and 443 open and your nginx server responds on both. What I mostly see wrong is that the cert you send for an https request to kumolink.ddns.net is for the domain jairunet.ddns.net.

Can you explain what you are trying to accomplish?

5 Likes

Welcome to the Let's Encrypt Community, Jair

Per Challenge Types - Let's Encrypt:

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

That said, the parameter you are using for certbot to change the HTTP-01 challenge port will only allow you to specify a different internal port (inside of your network), not a different external port (outside of your network), which must be port 80.

You can use a tool like the following to see what is happening externally:

Why are you specifying ports for two mutually-exclusive challenge types? You can't perform both simultaneously.

4 Likes
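The redirect rules quoted above are easy to get wrong when reasoning about a NAT or proxy setup, so here is a small model of them as an added example (my code, not Let's Encrypt's validator or certbot's): at most 10 redirects, only to http: or https:, only to ports 80 or 443, never to an IP literal, and no certificate checking. Network access is replaced by a constructed fake server table so it runs offline; the hostnames, port 15443 and the token are constructed for illustration.

```python
"""Model of the HTTP-01 redirect policy (added example, not Let's Encrypt's
or certbot's code). The fake servers below are constructed test data."""
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10
DEFAULT_PORT = {"http": 80, "https": 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def redirect_is_acceptable(url: str) -> bool:
    """Apply the validator's policy to a single redirect target."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT or not parts.hostname:
        return False
    try:
        ipaddress.ip_address(parts.hostname)  # parses only for IP literals
        return False
    except ValueError:
        pass  # a real hostname, which is what we want
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port is None:
        port = DEFAULT_PORT[parts.scheme]
    return port in (80, 443)


def follow_challenge(start_url: str, fetch):
    """Fetch the challenge URL the way the validator does.

    fetch(url) returns (status, body_or_location). Returns (final_url, body)
    on a 200, or None if a redirect is refused or the chain is too deep.
    Certificates are never checked, matching the quoted behaviour.
    """
    url = start_url
    for _ in range(MAX_REDIRECTS + 1):
        status, payload = fetch(url)
        if status == 200:
            return url, payload
        if status not in REDIRECT_CODES:
            return None
        target = urljoin(url, payload)  # Location may be relative
        if not redirect_is_acceptable(target):
            return None
        url = target
    return None  # more than MAX_REDIRECTS hops


TOKEN = "/.well-known/acme-challenge/token123"  # constructed, not a real token

# Constructed fake "internet": url -> (status, Location header or body)
FAKE_SERVERS = {
    "http://good.example.com" + TOKEN: (301, "https://good.example.com" + TOKEN),
    "https://good.example.com" + TOKEN: (200, "token123.thumbprint"),
    # port 80 answers, but bounces to a custom port: refused
    "http://altport.example.com" + TOKEN: (301, "https://altport.example.com:15443" + TOKEN),
    # redirect to an IP literal: refused
    "http://ipaddr.example.com" + TOKEN: (302, "http://203.0.113.5" + TOKEN),
    # redirect loop: gives up after MAX_REDIRECTS hops
    "http://loop.example.com" + TOKEN: (302, "http://loop.example.com" + TOKEN),
}


def fake_fetch(url: str):
    """Stand-in for an HTTP GET against the constructed servers above."""
    return FAKE_SERVERS.get(url, (404, "not found"))


if __name__ == "__main__":
    for host in ("good", "altport", "ipaddr", "loop"):
        print(host, follow_challenge(f"http://{host}.example.com{TOKEN}", fake_fetch))
```

The altport case is the one that matters for this thread: even if port 80 is reachable and redirects to the port the proxy really listens on, the validator stops at the redirect, so the challenge never reaches a non-standard port.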

Tagging @schoen and @_az:

Does --http-01-port cause the nginx authenticator to search for a non-port-80 server definition to "temporarily modify"?

4 Likes

Yes, that's exactly what it would do.

4 Likes

Except that certbot won't handle --tls-sni-01 (nor any other ACME client), as that has been removed from available choices.

Setting the --http-01-port is useful only when there is a NAT in place sending 80 to some other port.

6 Likes

Or e.g. a reverse proxy sending all ACME challenge requests to a non-port-80 port.

6 Likes

Hello @MikeMcQ / All,

Thank you very much for looking into my inquiry. Basically what I am trying to accomplish is to use nginx as a proxy for another nginx docker instance working with the bitcoin lightning network node Umbrel. I think this link explains it better: Installing the NGINX reverse proxy with an SSL certificate for Umbrel / BTCPay Server

But basically yes, I do have two hostnames registered in "no-ip.com", jairunet.ddns.net and kumolink.ddns.net; both should point to the same dynamic public IP address, and because the docker instance that is part of the Umbrel lightning node stack is already using ports 80 and 443, I need to change the ports on which the proxy nginx will be listening. I hope that helps clarify what my goal is; the link probably illustrates it better.

Maybe what I am trying to do is not possible, but I was wondering if I could do that, i.e. have the nginx proxy listen on ports other than 80 and 443.

Thank you very much again,

3 Likes

@griffin,

Thank you for the information. I am going to check what options I have then; I will need to go back to the drawing board, as I will need to change the current letsencrypt setup I have with another web app I already have in my home lab using letsencrypt on ports 80 and 443.

Sincerely,

2 Likes

You can host what you want on whatever port.

But the validation bots will only connect on port 80 (http-01) or port 443 (tls-alpn-01).

You can host nginx on another port. Let's Encrypt will not connect to it.

I would move the other software on another port and then access it through an nginx reverse proxy. (I would also bind the other software on localhost, so it's only accessible through nginx)

Also, that tutorial is not from 2021.

5 Likes

Hello @9peppe,

I see, understood. I will re-design what I want here as you say: have letsencrypt work with the main nginx web browser and then use another nginx internally as a proxy. I will need to design and test.

Thank you very much!

2 Likes

You don't need to use two nginxes. A single one can proxy whatever you want depending on SNI (the domain you call nginx with) and path.

5 Likes

@9peppe,

The reason I say two nginx servers is because there is one nginx installed on the host, and there is another one running on the Umbrel lightning node stack. This is basically what I was trying to set up: Installing the NGINX reverse proxy with an SSL certificate for Umbrel / BTCPay Server

Sincerely,

1 Like

It only makes sense if the second nginx runs inside the docker container.

You can extend your current nginx reverse proxy (on ports 80 and 443?) to serve all other websites. All you need to do is add another server block with a different server_name. (And that will respond on the same IP but a different domain name)

5 Likes

Hello @9peppe,

This is kind of setting up a virtual host by domain? Can you point me to a tutorial / example if you know of one handy?

Thank you in advance,

2 Likes

Yes, it's a domain-based virtual host. Check the nginx documentation. But it's a pretty easy thing like

server {
  server_name example.com;
}

server {
  server_name community.example.com;
}

Then you put the settings for each domain inside the block (do you want root to serve files? proxy_pass to serve a docker container?)

5 Likes
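To make the two suggestions above concrete (move the other software off 80/443 and bind it to localhost; then give each hostname its own server block on the one nginx that Let's Encrypt can reach), here is an added example config. It is not from the thread, from the Umbrel/BTCPay guide, or from certbot. Assumptions: the host nginx owns ports 80 and 443; the Umbrel container has been re-published on 127.0.0.1:8080 and the other home-lab app listens on 127.0.0.1:8081 (both ports are assumptions); certbot --nginx will add the ssl_certificate and 443 listeners itself, so only the plain-HTTP skeleton it edits is shown.

```nginx
# Added example, not the poster's config. Ports 8080/8081 are assumed.

# Catch-all for requests whose Host/SNI matches no server_name below.
# Without this, nginx picks the first block as default and a request for
# kumolink.ddns.net can be answered with jairunet.ddns.net's certificate,
# which is what the earlier reply observed.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # close the connection without a response
}

# kumolink.ddns.net -> Umbrel's own nginx inside docker
server {
    listen 80;
    listen [::]:80;
    server_name kumolink.ddns.net;

    # HTTP-01 is answered here, on port 80. certbot --nginx temporarily
    # edits this block for the challenge, so no extra location is needed.
    location / {
        proxy_pass http://127.0.0.1:8080;          # assumed container port
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# jairunet.ddns.net -> the existing home-lab web app
server {
    listen 80;
    listen [::]:80;
    server_name jairunet.ddns.net;

    location / {
        proxy_pass http://127.0.0.1:8081;          # assumed app port
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

For the docker side, publishing the container as `127.0.0.1:8080:80` (in a compose `ports:` entry or `docker run -p`) keeps it reachable only through nginx, which is the "bind on localhost" advice given earlier. After `nginx -t` passes, `certbot --nginx -d kumolink.ddns.net` and `certbot --nginx -d jairunet.ddns.net` can each be run without any port options, since the validator reaches port 80 on the host nginx directly.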

@9peppe,

Excellent, will do. I have not done much work on reverse proxy nor web servers in a while, but I will definitely check the nginx documentation for the virtual host based on domain names.

I appreciate the valuable time and help.

Sincerely,

4 Likes

Hi @9peppe, I am Valerio, new to letsencrypt. I want to say thanks to everybody for the help. I'd like to know if you solved the problem, because I have the same one. I'd like to tell you that in another situation I could run this command on a Raspberry Pi 4, but now, in a new installation of Ubuntu Linux on Parallels, I have the same problem as you. Let me know if you find the issue. Thank you, Valerio

1 Like

Open a new thread please.

2 Likes
