My ISP banned port 80, so I can create a cert with the standalone method using tls-sni-01 (on port 443).
Now I'm running an nginx server on port 443. How do I renew the cert with the webroot method? Webroot requires an open port 80. Why isn't the HTTPS protocol supported?
Must I stop the currently running web server to renew the cert?
Won’t the official client do tls-sni-01 on a running nginx server?
Only for the standalone plugin. webroot and manual only do the HTTP-01 challenge.
@oldstreams could try the standalone plugin with the HTTP-01 challenge, but configured for another port than 80:
letsencrypt --your_usual_stuff_like_email_wanted_domains_and_the_sorts --standalone --standalone-supported-challenges http-01 --http-01-port 8080
This should start the LE client's webserver on port 8080, so the blockade of 80 won't be a problem. Also, you won't have to stop your running nginx.
This won't work, http-01 verification requests always use port 80 for the initial request. The flag is meant for reverse proxy scenarios.
Hmm, yes, I see it in my tests… The LE client listens on 8080 (good), but Boulder doesn't care about the port and just tries port 80… (bad)
Dang
It’s all quite hardcoded in Boulder:
https://github.com/letsencrypt/boulder/blob/master/va/validation-authority.go#L148
Didn’t find any room for custom modifications
Guess @oldstreams needs to wait for official DNS-01 challenge support or, better, get the nginx plugin to work…
Thanks for all replies.
DNS-01 is a good solution, and I hope webroot method can support https in the future.
HAProxy could be used to divert incoming TLS based on the SNI in the client hello. You could forward all *.acme.invalid SNIs to your letsencrypt client and everything else to nginx.
This could be more hassle than it solves, but it’s something to consider.
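An added example of the SNI split described above (not from the original thread): HAProxy in TCP mode inspects the ClientHello, sends any SNI ending in .acme.invalid to the ACME client and everything else to nginx, without terminating TLS itself. It assumes the ACME client has been told to listen on 127.0.0.1:8443 and nginx has been moved to 127.0.0.1:8444; both addresses are constructed for the example.

```haproxy
# Constructed example: TLS passthrough on 443, routed by SNI only.
frontend tls_in
    mode tcp
    bind *:443
    # Wait (briefly) for the ClientHello so the SNI can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # tls-sni-01 validation connects with a *.acme.invalid server name.
    use_backend acme_client if { req.ssl_sni -m end .acme.invalid }
    default_backend nginx_tls

backend acme_client
    mode tcp
    # Assumed: the ACME client's tls-sni-01 listener (not the default 443).
    server le_client 127.0.0.1:8443

backend nginx_tls
    mode tcp
    # Assumed: nginx rebound to a local port; it still terminates TLS itself.
    server nginx 127.0.0.1:8444
```

Let's Encrypt no longer offers the tls-sni-01 challenge, so the .acme.invalid rule itself is historical; the same TCP-mode SNI routing still applies whenever two TLS services must share port 443.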