Certbot overrides ports.conf

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nevermind

I ran this command: sudo certbot renew --dry-run

It produced this output: Invalid response from http://xxx.xxxx/.well-known/acme-challenge/6xCY1QK4CjQnaDA1B-GYw_SOquRm-oQD7UgXUB0Gw_I: 400

My web server is (include version):

The operating system my web server runs on is (include version): Apache 2.4.52 ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0


When running the certbot renewal procedure, certbot overrides the ports.conf file with SSLEngine ON and certificate statements, which causes SSL to be globally enabled in Apache, so when certbot tries to verify the domain possession with plain HTTP on 80 it can't do this due to SSL being enabled. What can I do?

Welcome @niesmaczek

No, it does not.

If you used an HTTP Challenge to get your cert (and it sounds like you did), then for the renewal the Let's Encrypt servers will also send you an HTTP request. This is needed to prove you still control that domain. See (this link) for more details of this.

If you have blocked port 80 or maybe removed the port 80 VirtualHost from Apache then this probably won't work anymore.

We won't be able to give specific advice without more answers from you. Please provide your domain name and show output of this command

sudo apache2ctl -t -D DUMP_VHOSTS

Please read the introductory statement:


Yes it does, I checked it carefully and this is proved.

Seems like I'm not the only one with this:

apache2 - How to stop ports.conf getting modified by certbot - Server Fault

But I don't get a solution there.

Please show the config file for that domain that is in the /etc/letsencrypt/renewal folder

As I explained, if you used an HTTP challenge to get your cert you need to keep port 80 open for renewals too

It is difficult to give you help when you do not provide requested information



I know that port 80 needs to be open, but as I said, certbot modifies my ports.conf file with SSLEngine ON and cert locations, which globally enables SSL, and certbot can't send a plain HTTP request because of the globally enabled SSL.

# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/domain.zip
cert = /etc/letsencrypt/live/domain.zip/cert.pem
privkey = /etc/letsencrypt/live/domain.zip/privkey.pem
chain = /etc/letsencrypt/live/domain.zip/chain.pem
fullchain = /etc/letsencrypt/live/domain.zip/fullchain.pem

# Options used in the renewal process
account = dcc28a119099990b9578b15516efcc06
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Certbot adds this to ports.conf every time I run certbot renewal:

<IfModule ssl_module>
        Listen 800
        SSLEngine on
        SSLCertificateKeyFile /etc/letsencrypt/live/domain.zip/privkey.pem
        SSLCertificateFile /etc/letsencrypt/live/domain.zip/fullchain.pem

Certbot didn't support HTTPS but only plain HTTP and therefore can't verify the domain.

And also show the output of this command that I asked about earlier
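
Added example, not part of the thread and not Certbot or Apache project code: a Python check for the condition under dispute above, namely whether a file such as ports.conf carries SSLEngine or certificate directives outside any <VirtualHost> section, plus any section left unclosed. The sample text is constructed from the fragment quoted in the thread with a placeholder domain, and the helper name audit_ssl_scope is hypothetical.

```python
import re
import sys

# Constructed sample modelled on the fragment quoted in the thread;
# example.invalid is a placeholder domain.
SAMPLE_PORTS_CONF = """\
Listen 80
<IfModule ssl_module>
    Listen 800
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/example.invalid/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/example.invalid/fullchain.pem
</IfModule>
"""

OPEN = re.compile(r"^<\s*([A-Za-z]+)\b[^>]*>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")
SSL_DIRECTIVES = {"sslengine", "sslcertificatefile", "sslcertificatekeyfile"}


def audit_ssl_scope(text):
    """Hypothetical helper: return (findings, unclosed).

    findings: (line number, line) for SSL directives outside any <VirtualHost>.
    unclosed: (section name, line number) for sections never closed.
    """
    stack, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing, opening = CLOSE.match(line), OPEN.match(line)
        if closing:
            # Pop only when the close matches the innermost open section.
            if stack and stack[-1][0] == closing.group(1).lower():
                stack.pop()
        elif opening:
            stack.append((opening.group(1).lower(), lineno))
        elif line.split()[0].lower() in SSL_DIRECTIVES:
            # <IfModule> is conditional only; it does not create a vhost scope.
            if not any(name == "virtualhost" for name, _ in stack):
                findings.append((lineno, line))
    return findings, stack


if __name__ == "__main__":
    # Pass real config paths as arguments, or run on the constructed sample.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_PORTS_CONF]
    for text in texts:
        print(audit_ssl_scope(text))
```

Running it before and after `certbot renew --dry-run` on the same file shows whether the renewal run changed which SSL directives sit at server scope.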