I ran this command: $ sudo certbot --nginx -d kumolink.ddns.net -m kumopeer@gmail.com --agree-tos --tls-sni-01-port 15443 --http-01-port 15080
It produced this output:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --tls-sni-01-port 15443
My web server is (include version): 1.18.0-0ubuntu1.2
The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0
Thank you very much in advance for any suggestions.
The error message seems clear enough. There is no such command line option. See the docs here.
But, why do you even need a different port? I see ports 80 and 443 open and your nginx server responds on both. What I mostly see wrong is that the cert you send for an https request to kumolink.ddns.net is for the domain jairunet.ddns.net.
Can you explain what you are trying to accomplish?
Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).
The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.
That said, the parameter you are using for certbot to change the HTTP-01 challenge port will only allow you to specify a different internal port (inside of your network), not a different external port (outside of your network), which must be port 80.
You can use a tool like the following to see what is happening externally:
Why are you specifying ports for two mutually-exclusive challenge types? You can't perform both simultaneously.
But basically yes, I do have two hostnames registered in "no-ip.com", jairunet.ddns.net and kumolink.ddns.net; both should point to the same dynamic public IP address, and because the docker instance that is part of the Umbrel lightning node stack is already using ports 80 and 443, I need to change the ports on which the proxy nginx will be listening. I hope that helps clarify what my goal is; it is probably better illustrated in the link.
Maybe what I am trying to do is not possible, but I was wondering if I could have the nginx proxy listen on ports other than 80 and 443.
Thank you for the information. I am going to check what options I have then; I will need to go back to the drawing board, as I will need to change the current letsencrypt setup I have with another web app I already have in my home lab using letsencrypt on ports 80 and 443.
But the validation bots will only connect on port 80 (http-01) or port 443 (tls-alpn-01).
You can host nginx on another port. Let's Encrypt will not connect to it.
I would move the other software to another port and then access it through an nginx reverse proxy. (I would also bind the other software to localhost, so it's only accessible through nginx.)
I see, understood. I will re-design what I want here as you say: have letsencrypt work with the main nginx web browser and then use another nginx internally as a proxy. I will need to design and test.
It only makes sense if the second nginx runs inside the docker container.
You can extend your current nginx reverse proxy (on ports 80 and 443?) to serve all other websites. All you need to do is add another server block with a different server_name. (And that will respond on the same IP but a different domain name)
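The layout suggested above, one nginx on ports 80 and 443 serving both hostnames by server_name and proxying each to a backend that has been moved off those ports, written out as an added example (not from the thread). The backend ports 8080 and 8081 are assumptions; the certificate paths are certbot's default live/ paths.

```nginx
# Added example, not from the thread: one nginx on 80/443 serves both
# hostnames, selected by server_name, and proxies each to a backend that
# has been moved off ports 80/443 and bound to localhost (ports assumed).

# Plain HTTP for both names. certbot --nginx picks this block by server_name
# and answers the http-01 challenge itself; everything else goes to HTTPS.
server {
    listen 80;
    server_name jairunet.ddns.net kumolink.ddns.net;

    location / {
        return 301 https://$host$request_uri;
    }
}

# Existing web app (backend port 8081 is an assumption).
server {
    listen 443 ssl;
    server_name jairunet.ddns.net;
    ssl_certificate     /etc/letsencrypt/live/jairunet.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jairunet.ddns.net/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Umbrel/docker stack, moved off 80/443 to 127.0.0.1:8080 (assumed port).
# Binding it to 127.0.0.1 keeps it reachable only through this proxy.
server {
    listen 443 ssl;
    server_name kumolink.ddns.net;
    ssl_certificate     /etc/letsencrypt/live/kumolink.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kumolink.ddns.net/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With both names in separate server blocks, a request to kumolink.ddns.net no longer gets the jairunet.ddns.net certificate, which was the mismatch noted earlier in the thread.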
Excellent, will do. I have not done much work on reverse proxy nor web servers in a while, but I will definitely check the nginx documentation for the virtual host based on domain names.
Hi @9peppe, I am Valerio, new to letsencrypt. I want to say thanks to everybody for the help. I'd like to know if you solved the problem, because I have the same one... I'd like to tell you that in another situation I could run this command with a raspi4, but now in a new installation of Linux Ubuntu on Parallels I have the same problem as you... let me know if you find the issue. Thank you, Valerio