Create SSL for apache (WAMP)

Hello everyone! I tried to create certificates for SSL on my website, and I am still getting errors.

The domain is a DDNS subdomain created on no-ip.com, redirected to Windows 10 running WAMP.

My domain is: libraprueba.ddns.net:8081 (Apache only listens on port 8081)

I ran this command: (from CMD as admin)
certbot certonly --webroot -w C:\wamp64\www\juridico -d libraprueba.ddns.net --http-01-port 8081 --agree-tos --email sapl21@gmail.com

It produced this output:
C:\Windows\system32>certbot certonly --webroot -w C:\wamp64\www\juridico -d libraprueba.ddns.net --http-01-port 8081 --agree-tos --email sapl21@gmail.com
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for libraprueba.ddns.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: libraprueba.ddns.net
Type: connection
Detail: 201.189.170.78: Fetching http://libraprueba.ddns.net/.well-known/acme-challenge/5-3pL2C7kr9KMCM4yCBetCLva0_nPRthRbEem2aAeKY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): WAMP 3.3.0 64-bit (Apache 2.4.54.2 - MySQL 8.0.31 on Windows 10 22H2)

The operating system my web server runs on is (include version): Windows 10 22H2

My hosting provider, if applicable, is: localhost

I can login to a root shell on my machine (yes or no, or I don't know): "cmd" as admin.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no panels.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.2.0

I can see the login page from http://libraprueba.ddns.net:8081. The router has 8081 open for TCP/UDP and triggers the same ports, the Windows firewall has port 8081 open for TCP and UDP, and no other alternative security software is installed.

Thanks in advance for any help.

Hello @zamael, welcome to the Let's Encrypt community. 🙂

The HTTP-01 challenge (see Challenge Types - Let's Encrypt) can only be done on port 80.
Best Practice - Keep Port 80 Open

3 Likes

As stated above, the HTTP-01 ACME challenge request will traverse the Internet via HTTP [port 80] only.

This will only change the local HTTP port [behind the firewall/NAT router (if one exists)]:

4 Likes

I know --http-01-port works with standalone, and, for the apache and nginx authenticators, to identify the virtual hosts that get the temp config changes.

But what effect would it have with certonly webroot?

3 Likes

I only find one port open with nmap -Pn, namely 8081

$ nmap -Pn libraprueba.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-22 01:00 UTC
Nmap scan report for libraprueba.ddns.net (201.189.170.78)
Host is up (0.19s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
8081/tcp open  blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 71.58 seconds

2 Likes

The command, as shown, should ignore the provided port.
--webroot should force the direct use of that path (ignoring the service port).
And certonly ensures that it won't try to install the cert.

So, it would have no effect.
The command is clearly NOT doing what they expect.

4 Likes

As HTTP validation only starts on port 80, you would have to forward external port 80 requests from your router to the server on port 8081. That way, when Let's Encrypt looks at your website to confirm you control the subdomain, it will try http://libraprueba.ddns.net:80 but internally you will be forwarding that to http://:8081

Note that there are rate limits etc. for domains, and since you don't control ddns.net you may simply not be able to get a cert for that domain.

3 Likes

AND also:
Readjust the command line to get that alternate HTTP port used.
As the command was written, it won't be used at all.

2 Likes

Hello! And thanks for all your replies.

I managed to create SSL certificates: I opened port 80 and created the certificates with:

certbot certonly --webroot -w "C:/wamp64/www/" -d libraprueba.ddns.net --agree-tos --email sapl21@gmail.com

and now https://libraprueba.ddns.net/ is working on SSL.

Now, my big problem is:

Today we have 1 static public IP and 3 machines as servers. Internally, we use ports to differentiate between the servers, so we have 3 servers (computers with Windows 10 and WAMP) running under the same domain:

libraprueba.ddns.net:8081
libraprueba.ddns.net:8082
libraprueba.ddns.net:8083

Is it possible to create an SSL certificate for every server we have? All use the same config (WAMP 3.3.0 64-bit).
This is why I tried to create a certificate for a specific port.

I don't know if this is the correct place to ask this, but any piece of information will be appreciated.

P.S. Sorry, poor English.

They all have the same name. That means you could use the same key and certificate on all three hosts.

You could also look into using a hostname-based reverse proxy to make things easier and put all three servers on standard ports. You would probably need your own domain to pull that off, though. It might be a good project for another time.

5 Likes
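One way to apply this on WAMP, as an added example that is not from the thread or any poster: a per-machine Apache fragment in which the HTTPS virtual host on the machine's own port reuses the one certificate Certbot issued for libraprueba.ddns.net, and the machine that received the port-80 forward keeps a plain HTTP vhost so webroot renewals keep working. It assumes Certbot's default Windows layout under C:\Certbot\live\<domain>\ and that mod_ssl and mod_rewrite are enabled in WAMP; the DocumentRoot paths are taken from the thread.

```apache
# Added example, not from the thread: per-machine WAMP httpd-ssl.conf fragment.
# Each of the three Windows machines gets a copy of this file; only the port
# changes (8081 on the first machine, 8082 and 8083 on the other two).
# Assumption: Certbot's default Windows layout, C:\Certbot\live\<domain>\,
# and mod_ssl / mod_rewrite already enabled in WAMP.

# The router forwards external port 80 to ONE machine only (the one certbot
# ran on); that machine keeps a plain HTTP vhost so HTTP-01 renewals still work.
Listen 80
<VirtualHost *:80>
    ServerName libraprueba.ddns.net
    DocumentRoot "C:/wamp64/www"
    RewriteEngine On
    # Let the ACME challenge files through untouched ...
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # ... and send every other request to HTTPS on this machine's port
    RewriteRule ^ https://libraprueba.ddns.net:8081%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS on the machine's own port. The certificate is bound to the hostname
# only, so the same fullchain.pem/privkey.pem works on 8081, 8082 and 8083.
Listen 8081 https
<VirtualHost *:8081>
    ServerName libraprueba.ddns.net
    DocumentRoot "C:/wamp64/www/juridico"

    SSLEngine on
    # On the two machines that do not run certbot, copy these two files over
    # after every renewal (for example from a certbot --deploy-hook script);
    # a stale copy means an expired certificate on that port.
    SSLCertificateFile    "C:/Certbot/live/libraprueba.ddns.net/fullchain.pem"
    SSLCertificateKeyFile "C:/Certbot/live/libraprueba.ddns.net/privkey.pem"

    # Only TLS 1.2 and 1.3; nothing on this LAN needs older protocols
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder off
</VirtualHost>
```

The private key is the same on all three machines, so each of them must be protected as if it were the only one; a compromise of any one exposes the certificate for all three ports.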

The server uses Apache version 2.4.54.
Which is very capable of doing SNI.
You could easily obtain three separate names from ddns.net and get a cert for each one.
And connect to them via the normal ports [HTTP & HTTPS].

curl -Ii libraprueba.ddns.net
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2023 00:46:23 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1s PHP/8.0.26 mod_fcgid/2.3.10-dev
Last-Modified: Wed, 22 Mar 2023 17:09:20 GMT
Accept-Ranges: bytes
Content-Length: 63
Vary: User-Agent
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Content-Type: text/html

4 Likes

As an aside, it's worth mentioning that your own custom domain can be had for less than $10 USD per year and you can get a cloud hosted virtual machine to run your website on (linux, but windows is available) starting at about $3.50 per month (AWS lightsail).

It's harder to reliably host the infrastructure for a website yourself than it is to just let a cloud hosting provider do it for you. It's also potentially more expensive to host at home because you are paying for the electricity (which is around $50 per year for a basic machine and much more for a standard desktop), and if your machine is compromised via a remote hack you generally stand to lose more than just your website.

5 Likes

Hey buddy!

Thanks for your reply. Indeed, in this way, today I achieved what I need:

3 different servers, using 3 external ports, using the same certificate.

I have to say thank you to all of you guys for all comments, ideas and help.

3 Likes

You tell me about the maintenance of a structure for this project, but it's a requirement from the client, because they need physical access to USB ports: they use a USB token to sign PDF files with certificates.

I tried to convince them to use a Java applet for that, but no. He wants tokens (plural) connected to only one machine so everybody can sign, so... here we are.

Thanks anyway for the time invested in your response.

2 Likes
