Certbot not using port

Idkan · September 17, 2023, 7:57am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portc.3bbddns.com

I ran this command: sudo certbot certonly --manual --http-01-port 47810

It produced this output: Domain: portc.3bbddns.com
Type: connection
Detail: 110.164.204.27: Fetching http://portc.3bbddns.com/.well-known/acme-challenge/V2CabgUSz1B1wdSolYbLBtuB6QwPEW6KNsQumXYB0kc: Timeout during connect (likely firewall problem)

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): ubuntu 22.04 lts

My hosting provider, if applicable, is: non

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

usually how i would access the server is portc.3bbddns.com:47810 and http://portc.3bbddns.com:47810/.well-known/acme-challenge/V2CabgUSz1B1wdSolYbLBtuB6QwPEW6KNsQumXYB0kc show the token fine, im guessing cerbot didnt use portc.3bbddns.com:47810 and use portc.3bbddns.com instead

Nekit · September 17, 2023, 8:09am

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

— HTTP-01 challenge

--http-01-port option exists to be able to port-forward/reverse-proxy 80→<specified_port>

Idkan · September 17, 2023, 8:22am

oh then how do i use TLS-ALPN-01 since my ddns is provided by my isp and gave me port 47810 to 47819 to work with and i cant change them, also it only redirect http request to my router so theres no option to add a dns record

Osiris · September 17, 2023, 8:23am

Certbot does not have tls-alpn-01 capabilities, only http-01 and dns-01. There are other ACME clients which do have tls-alpn-01 support.

Note that tls-alpn-01 requires port 443 to be accessible.

Also note that the ACME client might influence the challenge used, but it's up to the ACME server to do the validation. Not Certbot or any other ACME client. ACME clients cannot influence the details of a challenge, such as the port used to connect to.

9peppe · September 17, 2023, 12:19pm

I guess that only happens on IPv4. Does your ISP support IPv6?

linkp · September 17, 2023, 2:44pm

You may want to use the DNS-01 challenge method.

rg305 · September 17, 2023, 4:33pm

Can you use another ISP?

linkp · September 17, 2023, 5:42pm

While this is going to be leaning off topic for deep discussion here, it is worth mentioning that Cloudflare now has Origin Rules that allow you to map to non-standard ports on your origin server. You can discuss this in the Cloudflare Community if you think it might be useful. DNS-01 challenges are reasonably straightforward on Cloudflare as well.

system · October 17, 2023, 5:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot fails with "Certbot failed to authenticate some domains" Help	7	942	May 24, 2023
Certbot overrides ports.conf Help	8	301	April 27, 2024
Certbot and ports confusion Help	71	1721	November 1, 2020
Certbot Error getting validation data Help	4	998	August 22, 2022
Certbot is not working Help	1	422	July 23, 2020

Certbot not using port

Related topics