My domain is: kumolink.ddns.net
I ran this command:
$ sudo certbot --nginx -d kumolink.ddns.net -m firstname.lastname@example.org --agree-tos --tls-sni-01-port 15443 --http-01-port 15080
It produced this output:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certbot: error: unrecognized arguments: --tls-sni-01-port 15443
My web server is (include version):
The operating system my web server runs on is (include version):
Ubuntu 20.04.4 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Thank you very much in advance for any suggestions.
Welcome to the community @jairunet
The error message seems clear enough. There is no such command line option. See the docs here.
But, why do you even need a different port? I see ports 80 and 443 open and your nginx server responds on both. What I mostly see wrong is the cert you send for https requests to kumolink.ddns.net is for the domain
Can you explain what you are trying to accomplish?
Welcome to the Let's Encrypt Community, Jair
Per Challenge Types - Let's Encrypt:
Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).
The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.
That said, the parameter you are using for certbot to change the HTTP-01 challenge port will only allow you to specify a different internal port (inside of your network), not a different external port (outside of your network), which must be port 80.
You can use a tool like the following to see what is happening externally:
Why are you specifying ports for two mutually-exclusive challenge types? You can't perform both simultaneously.
Tagging @schoen and @_az:
Does --http-01-port cause the nginx authenticator to search for a non-port-80 server definition to "temporarily modify"?
Yes, that's exactly what it would do.
certbot won't handle --tls-sni-01 (nor will any other ACME client), as that has been removed from the available choices.
--http-01-port is useful only when there is a NAT in place sending 80 to some other port.
Or e.g. a reverse proxy sending all ACME challenge requests to a non-port-80 port.
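As an added illustration of that last case (example configuration, not something posted in this thread): the public-facing nginx keeps answering on port 80, which is the only port the validator will connect to, and forwards just the ACME challenge path to an internal, non-80 port. The internal port 15080 is taken from the command in the original question, and it is assumed that certbot's standalone plugin is listening there (`certbot certonly --standalone --http-01-port 15080 -d kumolink.ddns.net`) on the same host.

```nginx
# Added example, not from the thread. Assumes certbot --standalone is
# bound to 127.0.0.1:15080 on this host (see lead-in).
server {
    listen 80;
    server_name kumolink.ddns.net;

    # Only the challenge path is handed to certbot; nothing else that
    # happens to listen on the internal port is exposed to the internet.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:15080;
        proxy_set_header Host $host;
    }

    # Everything else goes to HTTPS. The validator follows redirects, but
    # only to ports 80 and 443, so this stays within what HTTP-01 allows.
    # The ^~ prefix match above wins over this block for challenge URLs.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

The external side never changes: from the validator's point of view the challenge is still served from kumolink.ddns.net:80, which is exactly why changing the internal port does not help when ports 80 and 443 are already occupied by something else on the public address.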
Hello @MikeMcQ / All,
Thank you very much for looking into my inquiry. Basically what I am trying to accomplish is to use nginx as a proxy for another nginx docker instance working with the bitcoin lightning network node Umbrel. I think this link explains it better: Installing the NGINX reverse proxy with an SSL certificate for Umbrel / BTCPay Server
But basically yes, I do have two hostnames registered in "no-ip.com", jairunet.ddns.net and kumolink.ddns.net; both should point to the same dynamic public IP address, and because the docker instance that is part of the Umbrel lightning node stack is already using ports 80 and 443, I need to change the ports on which the proxy nginx will be listening. I hope that helps clarify what my goal is, or the link probably illustrates it better.
Maybe what I am trying to do is not possible, but I was wondering whether I could have the nginx proxy listening on ports other than 80 and 443.
Thank you very much again,
Thank you for the information. I am going to check what options I have then; I will need to go back to the drawing board, as I will need to change the current letsencrypt setup I have with another web app I already have in my home lab using letsencrypt on ports 80 and 443.
You can host what you want on whatever port.
But the validation bots will only connect on port 80 (http-01) or port 443 (tls-alpn-01).
You can host nginx on another port. Let's Encrypt will not connect to it.
I would move the other software on another port and then access it through an nginx reverse proxy. (I would also bind the other software on localhost, so it's only accessible through nginx)
Also, that tutorial is not from 2021.
I see, understood, I will re-design what I want here as you say, have letsencrypt to work with the main nginx web browser and then use another nginx internally as proxy. I will need to design and test.
Thank you very much!
You don't need to use two nginxes. A single one can proxy whatever you want depending on SNI (the domain you call nginx with) and path.
The reason I say two nginx servers is because there is one nginx installed on the host, and there is another one running on the Umbrel lightning node stack. This is basically what I was trying to set up: Installing the NGINX reverse proxy with an SSL certificate for Umbrel / BTCPay Server
It only makes sense if the second nginx runs inside the docker container.
You can extend your current nginx reverse proxy (on ports 80 and 443?) to serve all other websites. All you need to do is add another server block with a different server_name. (And that will respond on the same IP but a different domain name.)
This is kind of setting up a virtual host by domain? Can you point me to a tutorial / example if you know of one handy?
Thank you in advance,
Yes, it's a domain based virtualhost. Check the nginx documentation. But it's a pretty easy thing like
Then you put the settings for each domain inside the block (do you want root to serve files? proxy_pass to serve a docker container?)
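Here is what the two-server-block layout described in the last two replies looks like end to end, as an added example that was not posted in the thread. It uses the two hostnames from the question; the webroot directory, the static-site directory and the container's upstream port 8080 are assumptions for illustration, and the certificate paths follow certbot's usual /etc/letsencrypt/live/<name>/ layout.

```nginx
# Added example, not from the thread. Assumed values: the webroot
# /var/www/letsencrypt, the static root /var/www/jairunet, and a
# container bound to 127.0.0.1:8080 (see lead-in).

# One port-80 block for both names: answer HTTP-01 from a webroot and
# send everything else to HTTPS. Issue with
#   certbot certonly --webroot -w /var/www/letsencrypt -d jairunet.ddns.net
#   certbot certonly --webroot -w /var/www/letsencrypt -d kumolink.ddns.net
server {
    listen 80;
    server_name jairunet.ddns.net kumolink.ddns.net;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# First hostname: nginx serves files itself (root).
server {
    listen 443 ssl http2;
    server_name jairunet.ddns.net;

    ssl_certificate     /etc/letsencrypt/live/jairunet.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jairunet.ddns.net/privkey.pem;

    root /var/www/jairunet;
    index index.html;
}

# Second hostname: nginx terminates TLS and proxies to the container,
# which is bound to localhost only so it is reachable solely via nginx.
server {
    listen 443 ssl http2;
    server_name kumolink.ddns.net;

    ssl_certificate     /etc/letsencrypt/live/kumolink.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kumolink.ddns.net/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

nginx picks the server block from the SNI name the client sends, so both hostnames share one public IP and one pair of ports. A request for a name that matches no server_name falls through to the first listed block for that port, which is why a mismatch like the one noted earlier in the thread (a certificate for the wrong domain being served) usually means a missing or mis-spelled server_name; `nginx -t` followed by `curl -vk https://kumolink.ddns.net/` from outside is a quick way to confirm which certificate each name actually returns.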
Excellent, will do. I have not done much work on reverse proxy nor web servers in a while, but I will definitely check the nginx documentation for the virtual host based on domain names.
I appreciate the valuable time and help.
Hi @9peppe, I am Valerio, new to letsencrypt. I want to say thanks to everybody for the help. I'd like to know if you solved the problem, because I have the same one. I'd like to tell you that in another situation I could run this command with a raspi4, but now in a new installation of Linux Ubuntu on Parallels I have the same problem as you. Let me know if you find the issue. Thank you, Valerio
Open a new thread please.