Certbot not using port

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portc.3bbddns.com

I ran this command: sudo certbot certonly --manual --http-01-port 47810

It produced this output: Domain: portc.3bbddns.com
Type: connection
Detail: 110.164.204.27: Fetching http://portc.3bbddns.com/.well-known/acme-challenge/V2CabgUSz1B1wdSolYbLBtuB6QwPEW6KNsQumXYB0kc: Timeout during connect (likely firewall problem)

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): ubuntu 22.04 lts

My hosting provider, if applicable, is: non

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Usually I access the server as portc.3bbddns.com:47810, and http://portc.3bbddns.com:47810/.well-known/acme-challenge/V2CabgUSz1B1wdSolYbLBtuB6QwPEW6KNsQumXYB0kc shows the token fine. I'm guessing Certbot didn't use portc.3bbddns.com:47810 and used portc.3bbddns.com instead.

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

— HTTP-01 challenge

The --http-01-port option exists so you can port-forward/reverse-proxy 80 → <specified_port>.

3 Likes
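As an added illustration of the reply above (not a config from the thread or from Certbot's documentation), this is the kind of reverse-proxy setup the option is meant for: nginx answers on port 80, which is where the ACME server will always connect, and forwards only the challenge path to a local Certbot listener. It assumes Certbot is run with --standalone so that it actually listens on 47810, and it only helps when inbound port 80 does reach this host.

```nginx
# Added example, not from the original thread.
# Assumes Certbot is started as:
#   certbot certonly --standalone --http-01-port 47810 -d portc.3bbddns.com
server {
    listen 80;
    listen [::]:80;
    server_name portc.3bbddns.com;

    # Only the ACME challenge path is proxied to the Certbot standalone
    # listener; everything else on port 80 is redirected to HTTPS so the
    # temporary listener is never exposed for arbitrary requests.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:47810;
        proxy_set_header Host $host;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

If port 80 is blocked upstream (as in the question), no amount of local proxying makes HTTP-01 reachable, and DNS-01 is the remaining option.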

Oh, then how do I use TLS-ALPN-01? My DDNS is provided by my ISP, which gave me ports 47810 to 47819 to work with, and I can't change them. It also only redirects HTTP requests to my router, so there's no option to add a DNS record.

Certbot does not have tls-alpn-01 capabilities, only http-01 and dns-01. There are other ACME clients which do have tls-alpn-01 support.

Note that tls-alpn-01 requires port 443 to be accessible.

Also note that the ACME client might influence the challenge used, but it's up to the ACME server to do the validation, not Certbot or any other ACME client. ACME clients cannot influence the details of a challenge, such as the port used to connect to.

2 Likes

I guess that only happens on IPv4. Does your ISP support IPv6?

5 Likes

You may want to use the DNS-01 challenge method.

4 Likes

Can you use another ISP?

2 Likes

While this is going to be leaning off topic for deep discussion here, it is worth mentioning that Cloudflare now has Origin Rules that allow you to map to non-standard ports on your origin server. You can discuss this in the Cloudflare Community if you think it might be useful. DNS-01 challenges are reasonably straightforward on Cloudflare as well.

5 Likes