How can I create certificate by certbot for the other ssl port?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
./certbot-auto --nginx --nginx-server-root /usr/local/nginx/conf --no-self-upgrade

It produced this output:
Performing the following challenges:
http-01 challenge for rdp.aaaddd.com
Using default address 80 for authentication.
Waiting for verification...
Challenge failed for domain rdp.aaaddd.com
http-01 challenge for rdp.aaaddd.com
Cleaning up challenges
Some challenges have failed.

My web server is (include version):
nginx

nginx vhost config is:
server {
    listen 8018 ssl;
    server_name rdp.aaaddd.com;

    location / {
        proxy_pass http://127.0.0.1:8075/app/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /app/ /;
        access_log off;
    }
}
Because the firewall does not allow the default SSL port 443 to be used, only other ports can be used.
How can I create a certificate with certbot for the other SSL port?

1 Like

Welcome to the Let's Encrypt Community 🙂

Perhaps this may help?
--https-port HTTPS_PORT

Port used to serve HTTPS. This affects which port Nginx will listen on after a LE certificate is installed. (default: 443)

You must still have port 80 open to use http-01 challenges during the authentication stage for your certificate.

2 Likes

Hi @kinkin

please start with some basics:

Then read something about challenge types:

Conclusion:

  • If you want to use http validation, a working external port 80 is required; port 443 isn't required (if you have redirects, remove these for /.well-known/acme-challenge)
  • Your working external port 80 may point to another port; that's not so relevant. Use --webroot
  • A certificate has no information about a port, so you can use a certificate with any port you want
4 Likes
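The two points above combined into one configuration, as an added example that is not from the thread or from any participant: port 80 stays open only to answer the http-01 challenge from a webroot, and the issued certificate is then used on the non-standard port 8018. The webroot directory /var/www/letsencrypt is an assumption; the certificate paths are certbot's default /etc/letsencrypt/live/<domain>/ layout.

```nginx
# Added example (not from the thread). Assumed webroot: /var/www/letsencrypt
# (any directory nginx can read). Certificate paths follow certbot's default
# /etc/letsencrypt/live/<domain>/ layout.
#
# Issue or renew with:
#   certbot certonly --webroot -w /var/www/letsencrypt -d rdp.aaaddd.com

server {
    listen 80;
    server_name rdp.aaaddd.com;

    # Let's Encrypt validates http-01 on port 80 only. Serve the token files
    # directly and before any redirect: the validator only follows redirects
    # to ports 80 or 443, so sending it to 8018 would fail the challenge.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Ordinary visitors may be sent to the SSL port; the challenge path above
    # takes precedence, so the validator never sees this redirect.
    location / {
        return 301 https://$host:8018$request_uri;
    }
}

server {
    listen 8018 ssl;
    server_name rdp.aaaddd.com;

    # The certificate carries no port information, so the same files work
    # on 8018 exactly as they would on 443.
    ssl_certificate     /etc/letsencrypt/live/rdp.aaaddd.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rdp.aaaddd.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8075/app/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /app/ /;
        access_log off;
    }
}
```

The redirect in the port 80 block is optional; what matters for renewal is that the challenge location answers on port 80 without redirecting anywhere else.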

To paraphrase this, the use of these ports during certificate issuance is required by industry standards, so Let's Encrypt doesn't allow you to choose a different port instead of 80 or 443 for proving control of your domain name during each certificate issuance or renewal. But

this applies after the certificate was successfully issued.

1 Like

This is probably overkill at this point, but I figured I would share the specific documentation regarding the ports for the http-01 challenge to which @JuergenAuer alluded and @schoen outlined.

Just to note for posterity, I interpreted @kinkin's question very differently, hence my original post regarding the --https-port parameter for certbot regarding which port will listen for https after certificate installation. I ignored the error in the original post since there was no further error information provided. I didn't dig any deeper at that point.

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.