CERTBOT only works with Port 80, and that is Blocked by ISP, so run on ports 8081 and 8443

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
setzco.dyndns.org
http is on port 8081
https is on port 8443

I ran this command:
Tried certbot, but it wants the web server running on port 80, and the ISP blocks port 80.
That is why I run it on port 8081.
Can connect with https using port 8443, but it requires adding an exception because of cert issues?

It produced this output:
Can't get past certbot wanting port 80.
Have run openssl to create CSR files, but then it says to submit them to a CA.

My web server is (include version):
Server version: Apache/2.4.63 (Fedora Linux)
Server built: Jan 24 2025 00:00:00

The operating system my web server runs on is (include version):
Fedora 42
My hosting provider, if applicable, is:
Running on my own Fedora 42 machine.

I can login to a root shell on my machine (yes or no, or I don't know):
YES. Generally VNC directly to machine.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 3.3.0
But it is useless, since it wants web server running on port 80???

All publicly trusted CAs (which includes Let's Encrypt) are mandated to use a specific set of ports for the hostname validation, the so-called "Authorized Ports", which are defined as:

One of the following ports: 80 (http), 443 (https), 25 (smtp), 22 (ssh).

In the current baseline requirements.

Note that Let's Encrypt does not offer any challenges using SMTP or SSH, so that leaves port 80 and 443.

Also note that Let's Encrypt does offer DNS validation, which is not mentioned in the "authorized ports" section, as DNS doesn't need to contact the hosting server directly (I guess, I thought port 53 was mentioned here earlier..?).

2 Likes

Osiris:
All publicly trusted CAs (which includes Let's Encrypt) are mandated to use a specific set of ports for the hostname validation [...]

Thanks for the quick response. The document shows what you said for Let's Encrypt, but a search comes up with this.

Here's a more detailed explanation:

Default Port:
Port 443 is the standard port for HTTPS, meaning browsers typically assume this is the port to use when connecting to a website with the "https://" prefix.

Custom Ports:
You can configure your web server (e.g., Apache, Nginx) to listen on a different port for HTTPS. If you do this, you'll need to explicitly include the port number in the URL when connecting to the server (e.g., https://example.com:8080).

Example:
Many applications, like Elasticsearch, use a default port other than 443 for their specific protocols, such as port 9200 for their HTTP API.

Certificate Validation:
Some certificate authorities (CAs) may require you to perform a challenge on ports 80 or 443 for the certificate validation process, but you can still use the certificate on any port you choose for your application.

ACME (Automated Certificate Management Environment):
The ACME protocol, which Let's Encrypt uses, primarily focuses on validating certificates on ports 80 and 443.

Alternative Ports:
Some alternative ports commonly used for HTTPS include 8443, and others can be used depending on your needs and server configuration.

Let's Encrypt:
Let's Encrypt, a popular CA, mainly focuses on issuing certificates for standard ports like 80 and 443.

Certbot:
Certbot, a tool for obtaining certificates from Let's Encrypt, typically uses ports 80 and 443 for validation.

Not sure what to do with this information. Yes, sure, you can configure your (web)server to use any port you like. You can even use a Let's Encrypt certificate on any port you like.

But to get a certificate, it's a different story, just as your text mentions (looks like an LLM to me, not a "search"?).

3 Likes

Restating what Osiris said a bit more clearly:

You can run your web server on whatever ports you wish.

You MUST respond to ACME challenges on specific ports to obtain a certificate from Let's Encrypt:

  • Port 80 : HTTP-01 Challenge
  • Port 443 : TLS-ALPN-01 Challenge
  • Port 53 : DNS-01 Challenge

This is an industry-wide global requirement. There is no workaround.

2 Likes

nmap setzco.dyndns.org -Pn -p 80,443
Starting Nmap 7.92 ( https://nmap.org ) at 2025-05-27 00:27 ChST
Nmap scan report for setzco.dyndns.org (182.173.226.48)
Host is up (0.20s latency).

PORT STATE SERVICE
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

certbot run --apache -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): setzco.dyndns.org
Requesting a certificate for setzco.dyndns.org
Performing the following challenges:
http-01 challenge for setzco.dyndns.org
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

http://setzco.dyndns.org connects to the default page, no problem.
https://setzco.dyndns.org
Error code: SEC_ERROR_UNKNOWN_ISSUER
After adding an exception
it connects fine.

So now not sure what is causing the http-01 challenge error??

This:

is an error due to Certbot not being able to find an HTTP VirtualHost section in your Apache configuration file.

You're using the Apache plugin (--apache), which uses an HTTP VirtualHost to a) perform the challenge and b) use as a template to generate the HTTPS VirtualHost.

This error does not have anything to do with port 80 being open or not. Certbot didn't even get to the http-01 challenge part yet.

1 Like

Osiris:
This is an error due to Certbot not being able to find an HTTP VirtualHost section in your Apache configuration file.

Ran it again without the --apache and get the same error.

Not clear what is meant by virtual host? Just running a single
http/https setup? Can connect to both fine with http and https after
adding the exception.

That's part of the basics of Apache configuration.

If you don't specify anything on the command line, Certbot will ask you a bunch of stuff it requires as user input. So chances are you still were using the apache plugin due to those choices. Without your answers to those choices it's just guessing though..

If you don't want to make an HTTP VirtualHost, you can still get a certificate by using the webroot plugin. Please see the Certbot user guide for more information about that authenticator plugin.

You'd need to use the certonly subcommand I think and once you get your certificate, you need to install it into your webserver configuration manually. Also, you'd want to look into the --deploy-hook option of Certbot to reload your webserver automatically after a renewal.

2 Likes
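The manual route Osiris describes (webroot authenticator, certonly, install by hand, --deploy-hook for reloads), written out as an added example for a Fedora Apache; this is not code from the thread or from Certbot. The domain, DocumentRoot and config file path are placeholders, and the lineage name under /etc/letsencrypt/live/ is assumed to be the one `certbot certificates` prints (usually the domain, but `<domain>-0001` if an older lineage existed, as it did later in this thread). The `has_port80_vhost` check reads `apachectl -S` output and answers the question the Apache plugin failed on: is there any VirtualHost on port 80 at all?

```shell
#!/bin/sh
# Added example, not from the thread or Certbot. Placeholders: DOMAIN,
# WEBROOT, CONF and LINEAGE. Requires certbot 3.x and Fedora's httpd.

DOMAIN="example.com"                       # placeholder: your hostname
WEBROOT="/var/www/html"                    # DocumentRoot of the *:80 host
CONF="/etc/httpd/conf.d/${DOMAIN}.conf"    # placeholder: where to write vhosts
LINEAGE="$DOMAIN"                          # adjust to what 'certbot certificates' prints

# *:80 VirtualHost. Both the apache and the webroot authenticators need one:
# http-01 is fetched at http://<domain>/.well-known/acme-challenge/<token>,
# which the webroot plugin writes under $WEBROOT.
port80_vhost() {   # $1 = domain, $2 = webroot
  cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $2
</VirtualHost>
EOF
}

# *:443 VirtualHost that actually uses the certbot files. Without this,
# Fedora's /etc/httpd/conf.d/ssl.conf keeps serving its self-signed
# placeholder certificate and browsers report an unknown issuer.
port443_vhost() {  # $1 = domain, $2 = webroot, $3 = lineage name
  cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot $2
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/$3/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$3/privkey.pem
</VirtualHost>
EOF
}

# Read 'apachectl -S' (parsed vhost dump) on stdin; succeed if some
# VirtualHost is bound to port 80 (either "*:80 ..." / "1.2.3.4:80 ..."
# or the "port 80 namevhost" lines of a name-based group).
has_port80_vhost() {
  grep -Eq '^[^[:space:]]*:80[[:space:]]|port 80 namevhost'
}

# certonly: obtain the certificate only; we install it ourselves above.
# The deploy hook runs after each successful issuance or renewal, so the
# reload happens automatically from the certbot timer later on.
issue() {          # extra arguments (e.g. --dry-run) are passed through
  certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
    --deploy-hook "systemctl reload httpd" "$@"
}

main() {
  port80_vhost "$DOMAIN" "$WEBROOT" > "$CONF"
  apachectl configtest && systemctl reload httpd
  apachectl -S 2>&1 | has_port80_vhost || { echo "no port-80 vhost"; exit 1; }
  issue --dry-run        # staging run: catches problems without spending rate limit
  issue                  # production run: writes /etc/letsencrypt/live/<lineage>/
  port443_vhost "$DOMAIN" "$WEBROOT" "$LINEAGE" >> "$CONF"
  apachectl configtest && systemctl reload httpd
}

# Only act when explicitly asked ("sh script.sh run"); sourcing is side-effect free.
if [ "${1:-}" = "run" ]; then main; fi
```

The order matters: the 443 VirtualHost is appended only after the production run, because Apache refuses to start if SSLCertificateFile points at a file that does not exist yet. The `--dry-run` call talks to the staging environment, so a misconfigured webroot or a closed port 80 is discovered before any of the five-per-week duplicate certificates is used up.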

Hello @msetzerii,

Given what you stated in the above quote the only challenge choice would be the DNS-01 challenge of the Challenge Types - Let's Encrypt as the HTTP-01 challenge states "The HTTP-01 challenge can only be done on port 80" and the TLS-ALPN-01 states " it is performed via TLS on port 443."

Also, generally your DNS server is not a server you have on the blocked side of your ISP; however, it is possible if you are going to run your own authoritative DNS server.

I've gotten closer with a lot of info. Have web server running on port 80 and 443, and have been able to get certbot to create certificate.
Found the following certs:
Certificate Name: setzco.dyndns.org-0001
Serial Number: 5293f976e93aa26f67d73cd147f5b60f311
Key Type: ECDSA
Domains: setzco.dyndns.org
Expiry Date: 2025-08-24 20:32:44+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/setzco.dyndns.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/setzco.dyndns.org-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/setzco.dyndns.org.conf

When I try to go to the web page, I get an error.

Warning: Potential Security Risk Ahead

Selecting advanced shows:
Error code: [SEC_ERROR_UNKNOWN_ISSUER]
View certificates seems to show two certificates.
Both showing SETZCO at top.
Selecting the top items shows one at a time.
The 2nd one has Organizational Unit ca-3929762973421266564;
the 1st doesn't have that.
The 2nd one has Certificate Authority Yes;
the 1st one has Certificate Authority No.

So not sure how I got 2 of them; can't find a way to delete the first one.
Earlier both were showing valid 2001 to 2002 dates, but now both are showing 2025 to 2026?
Don't know if there is a way to reset all certs and just do a clean setup.
Also, both show the email for the site as root@setzco.dyndns.org, which doesn't exist?
mikes@guam.net is what httpd.conf has.

You have a certificate, but didn't configure the web server to use it.

2 Likes
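A way to confirm orangepizza's diagnosis from the outside, as an added example that is not code from the thread: fetch the certificate Apache really presents on 443, look at its issuer, and compare its fingerprint with the file certbot wrote. A leaf issued by Let's Encrypt always has an issuer with O = Let's Encrypt; a pair of same-named "SETZCO" certificates where the second is a CA with an OU of the form ca-<number> is what Fedora's mod_ssl placeholder looks like (a self-signed certificate plus a local CA generated at package install and referenced from /etc/httpd/conf.d/ssl.conf), which is why the browser reports SEC_ERROR_UNKNOWN_ISSUER. The domain and lineage name are placeholders; the openssl CLI is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: DOMAIN, PORT, LINEAGE.
# Assumes the openssl CLI and read access to /etc/letsencrypt/live/.

DOMAIN="example.com"        # placeholder: your hostname
PORT="443"
LINEAGE="example.com-0001"  # placeholder: the name 'certbot certificates' printed
LIVE="/etc/letsencrypt/live/$LINEAGE"

# Let's Encrypt intermediates (R10, R11, E5, E6, ...) all carry
# O = Let's Encrypt. A distro placeholder cert is issued by a local CA and
# will not. Both OpenSSL issuer styles are accepted:
# "issuer=C = US, O = Let's Encrypt, CN = R11" and "/C=US/O=Let's Encrypt/CN=R3".
issuer_is_letsencrypt() {
  case "$1" in
    *"O = Let's Encrypt"*|*"O=Let's Encrypt"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reduce an 'openssl x509 -fingerprint' line ("sha256 Fingerprint=AB:CD:...")
# to bare upper-case hex so fingerprints from two sources compare directly.
norm_fp() {
  printf '%s' "$1" | sed -e 's/^.*Fingerprint=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Leaf certificate the server presents for this SNI name, as PEM on stdout.
served_cert() {    # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# A certificate and a private key belong together when their SubjectPublicKeyInfo
# is byte-identical; this works for RSA and ECDSA (the thread's key type).
key_matches_cert() {   # $1 = cert (or fullchain) file, $2 = key file
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -pubout)
  [ "$c" = "$k" ]
}

check() {
  pem=$(served_cert "$DOMAIN" "$PORT") || { echo "no TLS answer on $DOMAIN:$PORT"; return 1; }
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  echo "served issuer: $issuer"
  if ! issuer_is_letsencrypt "$issuer"; then
    echo "not a Let's Encrypt certificate: browsers will report SEC_ERROR_UNKNOWN_ISSUER"
  fi
  a=$(norm_fp "$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256)")
  b=$(norm_fp "$(openssl x509 -in "$LIVE/fullchain.pem" -noout -fingerprint -sha256)")
  if [ "$a" = "$b" ]; then
    echo "served certificate is $LIVE/fullchain.pem"
  else
    echo "served certificate differs from $LIVE/fullchain.pem: fix SSLCertificateFile and reload httpd"
  fi
  if key_matches_cert "$LIVE/fullchain.pem" "$LIVE/privkey.pem"; then
    echo "privkey.pem matches fullchain.pem"
  else
    echo "privkey.pem does not match fullchain.pem"
  fi
}

# Only act when explicitly asked ("sh check.sh run").
if [ "${1:-}" = "run" ]; then check; fi
```

If the fingerprints differ while `certbot certificates` lists a valid lineage, the certificate was obtained but never wired in: the *:443 VirtualHost (or Fedora's default one in ssl.conf) still points at the old files, or httpd was never reloaded after the change. Requesting another certificate does not fix that and only spends the duplicate-certificate rate limit.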

orangepizza:
You have a certificate, but didn't configure the web server to use it.

At one point certbot seemed to create certificates and listed them,
and had modified the httpd.conf, so I assumed it had done the link to
the server.

Tried with virtual host, with --standalone, with apache.
Would list what appeared to be two certificates when I would get the
security error and then view certificates. Seems to show 2, but no
options.

Now have nothing.
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

No certificates found.

and trying to recreate gives a "too many" error.

You hit the five duplicate certificates per week rate limit. You'd have to wait a week before trying again.
And certonly or --standalone don't configure Apache to use that certificate.

2 Likes

Yes, they did but they don't have to wait a week. Only at most 34 hours: Rate Limits - Let's Encrypt

But @msetzerii please be more careful. What happened to the 5 certificates you already got in the past day? Any of those would have worked if you had only configured your server to use them properly.

3 Likes

Testing and debugging are best done using the Staging Environment,
as the Rate Limits are higher.

Using Certbot, that can be accomplished via the option --dry-run,
for example: certbot renew --dry-run

And to assist with debugging, a great place to start is Let's Debug.

1 Like

orangepizza:
You hit the five duplicate certificates per week rate limit. You'd have to wait a week before trying again.

Had tried the --apache originally, then got into the thing saying to
create a Virtual host, and then the certonly, and it was showing
certificates. Don't know why the error message would show up as
not trusted, then the view certificates was showing two, and one
having authoritative info but the first one didn't.

So, at least got the server running on port 80 and 443. Not sure when
the ISP stopped blocking those ports. Been running the server going
back to 2004, and since it worked on port 8081 with no issues,
didn't change what wasn't broken. Just that I'm seeing
browsers stop supporting FTP, which works fine, but basically
now requires a real FTP client like ncftp or wget.
Then I know browsers are pushing to go https-only.

Thanks for your time; probably after a week or more I will try again.

MikeMcQ:
But @msetzerii please be more careful. What happened to the 5 certificates you already got in the past day?

Nothing critical on the machine, and one can connect to it via
regular http://.
So, was only looking to add the option of using https://, since some
browsers either will default to https:// or are set to https:// only.

Thanks for reply.