Certonly request: invalid port in redirect target

I'm trying to generate a new certificate.

My domain is:
amp.ci

I ran this command:
sudo certbot certonly --apache -d amp.ci

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: amp.ci
Type: connection
Detail: Fetching http://130.215.45.188:6080/php/urlblock.php?args=AAAAcAAAABBrLkkW_mRSiKMHNQae3R1YAAAAEJDBj9Z95DIkxS9IKGk_V0AAAABAAAAAQKssMfuMJajeYuR_DyMBtFibzTDwLpmfYx7eKW2IlVbxQio9dMg5cuOFMwsu9kIdnFZ5t2d7ziI5Zp~1VeHgGsI=&url=http://amp.ci%2F.well-known%2Facme-challenge%2FoLlABlfG2i16DyUR8g96gNQChTlvBBifw4GoY1G7qOM: Invalid port in redirect target. Only ports 80 and 443 are supported, not 6080

My web server is (include version):
Apache2. I also tried the standalone plugin with the same result.

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.26.0

This error message is quite clear for me. What isn't clear about it for you? :slight_smile: Maybe it requires improvement.

3 Likes

@apasquale Redirects to IP addresses are also not supported. See:

2 Likes

I'm not specifying port 6080 anywhere that I know of. Why is certbot not using port 80 or 443? Thanks.

How can I configure apache to use the domain name instead of the ip address? I have about a dozen other certs on this server from letsencrypt for different domains and haven't had this problem. Maybe something changed in the server configuration?

Certbot is just following the redirect provided by the webserver of amp.ci. Is the IP address 130.215.45.188 correct? I.e., your webserver?

2 Likes

Yes, the A record for amp.ci points to 130.215.45.188.

The apache config is like this:

<VirtualHost *:80>
    ServerName amp.ci
    DocumentRoot /var/www/prod/web
</VirtualHost>

Maybe it's your webhost using some kind of filter. E.g. see the following thread on another hosting provider's support forum:

2 Likes

Yeah, that's interfering.

You have some kind of security software that doesn't like Let's Encrypt.

You should whitelist .well-known/acme-challenge

$ curl -IL amp.ci/.well-known/acme-challenge/
HTTP/1.0 302 Moved Temporarily
Location: http://130.215.45.188:6080/php/urlblock.php?args=AAAAcQAAABCUd6_dC63SwK3XTFfsqY_qAAAAEEz4~wOG7QNdP5PYetnSHeoAAABBAAAAQU2FOCn4c9NTuCpiCYotZjnuO3KUwXf~CbOU8jeJp5_m6hKRcloghRdRAfwk3QUUfVxXQ2j6foXD0mw6tu1iudNu&url=http://amp.ci%2f.well-known%2facme-challenge%2f
Content-Length: 0
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 405 Not Allowed
Date: Wed, 20 Apr 2022 16:49:47 GMT
Content-Type: text/html
Content-Length: 161
Connection: close
Set-Cookie: SESSID=f4MBAWJgOate5XRQAwM3Ag==; path=/

@apasquale do you recognize this software? http://amp.ci/.well-known/acme-challenge/

@MikeMcQ we found one :smiley:

$ nmap -A -p6080 130.215.45.188
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-20 18:53 CEST
Nmap scan report for nectclone.wpi.edu (130.215.45.188)
Host is up (0.10s latency).

PORT     STATE SERVICE VERSION
6080/tcp open  http    Palo Alto GlobalProtect Gateway httpd
|_http-title: 403 Forbidden

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.66 seconds
4 Likes
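The curl and nmap output above shows the whole failure: the challenge URL answers with a 302 to an IP-literal host on port 6080, which the CA's validator refuses. A pre-flight check that walks the redirect chain the way the validator does and stops at the first hop it would reject makes this visible before running certbot. The script below is an added example, not Certbot's code or anything posted in this thread; the function names are my own, and the `SAMPLE_RESPONSES` table is a constructed stand-in for the live server, transcribed from the 302 shown in the curl output (the long `args` value is shortened to a placeholder). The rules it enforces are the two stated in the thread: only ports 80 and 443, and no redirects to bare IP addresses.

```python
"""
Pre-flight check for an ACME http-01 challenge path: follow redirects hop by
hop and flag any target a CA validator would refuse (per the thread: only
ports 80/443 are followed, and redirects to IP-address literals are not).
"""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_PORTS = {80, 443}
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_redirect_target(location: str):
    """Return the reasons (possibly none) a validator would reject this target."""
    parts = urlsplit(location)
    scheme = parts.scheme.lower()
    problems = []
    if scheme not in ALLOWED_SCHEMES:
        problems.append(f"unsupported scheme {parts.scheme!r}")
    host = parts.hostname
    if host is None:
        problems.append("no host in redirect target")
    else:
        try:
            ipaddress.ip_address(host)          # parses only if it is an IP literal
            problems.append(f"redirect to IP address literal {host}")
        except ValueError:
            pass                                # a hostname: fine
    try:
        port = parts.port
    except ValueError:
        problems.append("unparseable port in redirect target")
        port = None
    if port is None:                            # no explicit port: scheme default
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        problems.append(f"invalid port in redirect target: {port}")
    return problems


def walk_challenge_url(url, fetch, max_redirects=MAX_REDIRECTS):
    """
    Follow redirects from `url` using `fetch(url) -> (status, headers)`.
    Returns (last_url, findings); findings is a list of (target, problems) and
    the walk stops at the first hop a validator would refuse.
    """
    findings = []
    current = url
    for _ in range(max_redirects):
        status, headers = fetch(current)
        if status not in REDIRECT_CODES:
            return current, findings            # final answer reached
        location = headers.get("Location")
        if not location:
            findings.append((current, ["redirect without Location header"]))
            return current, findings
        target = urljoin(current, location)     # resolve relative Location values
        problems = classify_redirect_target(target)
        if problems:
            findings.append((target, problems))
            return target, findings
        current = target
    findings.append((current, ["too many redirects"]))
    return current, findings


def live_fetch(url, timeout=10):
    """Real fetcher: one GET, redirects deliberately NOT followed by urllib."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None                         # hand the 3xx back as an HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as e:         # 3xx/4xx/5xx land here with headers
        return e.code, e.headers


# Constructed sample (offline stand-in for the server): the 302 from the thread's
# curl output, with the filter's long "args" value replaced by a placeholder.
SAMPLE_RESPONSES = {
    "http://amp.ci/.well-known/acme-challenge/": (
        302,
        {"Location": "http://130.215.45.188:6080/php/urlblock.php?args=PLACEHOLDER"
                     "&url=http://amp.ci%2f.well-known%2facme-challenge%2f"},
    ),
    "http://amp.ci/.well-known/acme-challenge/ok": (200, {}),
}


def sample_fetch(url):
    """Fetcher that answers from the constructed table instead of the network."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    last, findings = walk_challenge_url("http://amp.ci/.well-known/acme-challenge/", sample_fetch)
    for target, problems in findings:
        print(target, "->", "; ".join(problems))
```

Against a real host, call `walk_challenge_url("http://<domain>/.well-known/acme-challenge/<token>", live_fetch)`; an empty findings list with a 200 or 404 at the end means the chain itself is something the validator can follow, and a redirect to an IP literal or an odd port, as here, points at a filter or proxy in front of the web server rather than at the Apache vhost.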

No, but I'll talk with the sysadmin who is hosting our vm. Thanks for pointing me in the right direction! Much appreciated!

2 Likes

Wow. That was quick! Good find.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.