How to renew a cert on an HTTPS server


#1

My ISP banned port 80, so I can create a cert with the standalone method using tls-sni-01 (on port 443).
Now I’m running an nginx server on port 443. How do I renew the cert with the webroot method? Webroot requires an open port 80. Why doesn’t it support the HTTPS protocol?
Must I stop the currently running web server to renew the cert?


#2

Won’t the official client do tls-sni-01 on a running nginx server?


#3

Only for the standalone plugin. Webroot and manual only do the HTTP-01 challenge.

@oldstreams could try the standalone plugin with HTTP-01, but configured for a port other than 80:

letsencrypt --your_usual_stuff_like_email_wanted_domains_and_the_sorts --standalone --standalone-supported-challenges http-01 --http-01-port 8080

This should start the LE client’s web server on port 8080, so the block on port 80 won’t be a problem. Also, you won’t have to stop your running nginx.


#4

This won’t work; http-01 verification requests always use port 80 for the initial request. The flag is meant for reverse proxy scenarios.


#5

Hmm, yes, I see it in my tests… The LE client listens on 8080 (good), but Boulder doesn’t care about the port and just tries port 80… (bad :frowning:)

Dang :triumph:

It’s all quite hardcoded in Boulder:

https://github.com/letsencrypt/boulder/blob/master/va/validation-authority.go#L148

Didn’t find any room for custom modifications :stuck_out_tongue:

Guess @oldstreams needs to wait for official DNS-01 challenge support or, better, get the nginx plugin to work… :slightly_smiling:


#6

Thanks for all the replies.
DNS-01 is a good solution, and I hope the webroot method can support HTTPS in the future.


#7

HAProxy could be used to divert incoming TLS based on the SNI in the client hello. You could forward all *.acme.invalid SNIs to your letsencrypt client and everything else to nginx.

This could be more hassle than it solves, but it’s something to consider.
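The SNI-based split described in #7, written out as an added example; this is not a config from the original thread or from the Let’s Encrypt project. It assumes nginx has been re-bound to 127.0.0.1:4443 and the standalone LE client listens for tls-sni-01 on 127.0.0.1:8443 (both ports are arbitrary choices). HAProxy runs in TCP mode on the public 443 and never terminates TLS; it only reads the SNI in the ClientHello and routes the raw connection, so the tls-sni-01 self-signed certificate for `<token>.<token>.acme.invalid` is presented by the LE client itself and nginx keeps serving the real cert.

```haproxy
# Added example: SNI-based TCP routing on port 443 (assumed local ports,
# not from the original thread).
#   nginx        -> 127.0.0.1:4443
#   LE client    -> 127.0.0.1:8443 (standalone, tls-sni-01)
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Public 443: raw TCP, no TLS termination. HAProxy only peeks at the
# ClientHello to read the SNI, then hands the unmodified stream on.
frontend https_in
    bind *:443
    mode tcp
    # Hold the connection long enough to parse the ClientHello before
    # choosing a backend; clients that never send one fall through to
    # the default backend when the delay expires.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Boulder's tls-sni-01 validation connects with SNI
    # <token>.<token>.acme.invalid; send only those to the LE client.
    use_backend acme_client if { req.ssl_sni -m end .acme.invalid }
    default_backend nginx_tls

backend acme_client
    mode tcp
    server le 127.0.0.1:8443

backend nginx_tls
    mode tcp
    server nginx 127.0.0.1:4443
```

With this in place the renewal would be run as something like `letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 --tls-sni-01-port 8443 -d example.com` (the `--tls-sni-01-port` flag is assumed to exist in the client version in use; check `letsencrypt --help standalone`). Two caveats a practitioner would want: in plain TCP mode nginx sees every client as 127.0.0.1, so enable the PROXY protocol (`send-proxy` on the `nginx` server line and `proxy_protocol` on the nginx `listen`) if real client addresses matter for logging or access control; and the `.acme.invalid` match is on the SNI only, so an attacker cannot reach the LE client with a normal hostname, but the LE client port should still be bound to loopback as above rather than to a public interface.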