How to make certificate in a domain:port

Hello,
I’m trying to make a certificate using certbot, but my domain can only be accessed from the www using a port number after the domain name: cloud.mydomain.com:XXXXX, but I obtain the error shown below.
Is there any way to make the certificate using a domain that can only be accessed in that way?

Many thanks,
Abraham.

My domain is:
cloud.airmonkey.es
I ran this command:
cert
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator apache, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): cloud.airmonkey.es:11000
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.airmonkey.es
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cloud.airmonkey.es (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud.airmonkey.es/.well-known/acme-challenge/KdUI7KYulgcIwSj5xzPmjaIeO7bOqzHTz4zZSKMJVfM [109.167.111.21]: “\n\n404 Not Found\n\n

Not Found

\n<p”

IMPORTANT NOTES:


My web server is (include version):
Apache 2.4.25
The operating system my web server runs on is (include version):
Debian LXD Turnkey container, running under Proxmox
My hosting provider, if applicable, is:
Selfhosted
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Proxmox Hypervisor
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.28.0

Hi @galopete

If you want to use http-01 validation, an open port 80 is required. You can redirect to https / port 443, but you can’t use another port.

But it’s possible to use other challenge types:

Perhaps dns-01 validation or tls-alpn-01. acme.sh supports that.

PS: But checking your domain, you have an open port 80 ( https://check-your-website.server-daten.de/?q=cloud.airmonkey.es ):

Domainname Http-Status redirect Sec. G
http://cloud.airmonkey.es/
109.167.111.21 404 0.136 M
Not Found
https://cloud.airmonkey.es/
109.167.111.21 200 1.893 N
Certificate error: RemoteCertificateNameMismatch
http://cloud.airmonkey.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
109.167.111.21 404 0.150 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at cloud.airmonkey.es Port 80

So you can use that webserver with webroot, that should always work. Perhaps use certonly to install the certificate on your other port.

Hello Juergen

Many thanks for your quick response…

I’m not familiar with certbot, so when you say “So you can use that webserver with webroot, that should always work. Perhaps use certonly to install the certificate on your other port.”

Can you tell me how I can do that?

Many thanks, again.
Abraham

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.

So if your port 80 is open and checking such a file with an unknown file name sends an http status 404 - Not Found: That’s good. No blocking firewall, no wrong redirect, no blocked 401 / 403 etc.

Find your DocumentRoot of that vHost, then use it.

sudo certbot run -a webroot -i apache -w yourDocumentRoot -d cloud.airmonkey.es

PS: Or add certonly, if you don’t have an explicit vHost.
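As an added example (not from this thread or from Certbot), here is a small pre-flight check that does what the CA does during http-01: it drops a random token into the DocumentRoot you intend to pass with -w and fetches it over plain http port 80. A 404 means the vHost answering port 80 is not the one serving that DocumentRoot, which is exactly the failure in this thread; it also rejects a host:port spec, since http-01 never uses another port.

```python
"""Pre-flight check for a Certbot webroot (http-01) run (added example)."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def normalize_domain(name):
    """http-01 always hits port 80; 'host:port' is not a valid certificate name."""
    host = name.strip().lower().rstrip(".")
    if not host or ":" in host or "/" in host:
        raise ValueError(f"invalid domain for http-01: {name!r} (no port or path)")
    return host


def challenge_url(domain, token):
    """The URL the ACME CA fetches for the http-01 challenge."""
    return f"http://{normalize_domain(domain)}/{CHALLENGE_DIR}/{token}"


def diagnose(status, body, token):
    """Interpret the answer the way the thread does (status + body vs token)."""
    if status == 200 and body.strip() == token:
        return "ok: the port-80 vHost serves this DocumentRoot"
    if status == 200:
        return "mismatch: another site answered with different content"
    if status in (401, 403):
        return "blocked: auth or firewall rule on /.well-known"
    if status == 404:
        return "not found: the vHost answering port 80 does not use this DocumentRoot"
    return f"unexpected status {status}"


def check_webroot(domain, webroot, timeout=10):
    """Write a random token under webroot, fetch it like the CA, clean up."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        # urlopen follows redirects, as the CA does for http-01
        with urllib.request.urlopen(challenge_url(domain, token), timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""
    finally:
        os.remove(path)
    return diagnose(status, body, token)
```

Run it from the VM that owns the webroot, e.g. `check_webroot("cloud.airmonkey.es", "/var/www/nextcloud")`, and only start Certbot once it reports ok.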

Hi Juergen.

Trying your directions, but no luck… any idea?

Thanks again.
Abraham.

root@amnube …/apache2/sites-enabled# sudo certbot run -a webroot -i apache -w /var/www/nextcloud/ -d cloud.airmonkey.es
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.airmonkey.es
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cloud.airmonkey.es (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud.airmonkey.es/.well-known/acme-challenge/UEphsG1PseKpPH62Wzn_Xq_WXME54DQ9Fb7P5yeFozk [109.167.111.21]: “\n\n404 Not Found\n\n

Not Found

\n<p”

IMPORTANT NOTES:

Then this

isn’t the webroot of that vHost.

Yes… I have checked in the vhost file…

Looks like you have used the wrong vHost. The certificate has

airmonkey.es, www.airmonkey.es - 2 entries

so the vHost of your main domain answers.

Juergen.

I have a cluster of two servers running Proxmox with some VMs; one of those VMs is my main server “airmonkey.es”, which runs Ubuntu 18.04 and the ISPConfig control panel. It has Letsencrypt configured and working OK; for that reason you can see that “airmonkey.es” is working fine with the certificate.

But I have another VM running an LXD container that runs only Nextcloud.

I only have 1 public IP, but some domains in different VMs point to it. One of these domains is “cloud.airmonkey.es”, but as I have a firewall to allow access from the www to this Nextcloud instance, I can only use a NAT port (because I have no proxy configured). So I’m trying to make a Letsencrypt certificate for the Nextcloud instance. The vhost file that I’m checking is the file in the VM with the Nextcloud instance (the LXD container), which has /var/www/nextcloud/ as webroot.

I’m not sure if this information can help you understand my issue… but if you need any other information, please tell me.

Thanks,
Abraham

There - https://check-your-website.server-daten.de/?q=cloud.airmonkey.es - answers the https version with that certificate:

CN=airmonkey.es
18.04.2019
17.07.2019
expires in 61 days
airmonkey.es, www.airmonkey.es - 2 entries

So maybe the wrong vHost answers. Result:

  • You must use the DocumentRoot of that port 80 vHost and
  • you must run Certbot in that VM, so Certbot can write in that DocumentRoot

If you have different VMs, it’s much more difficult.

Hi Juergen.

I think that I’m starting to understand which is my issue here… I’m trying to use the same name provider with my unique public IP in two different servers.

Let me dig into how to resolve this issue… maybe I will buy a different domain name for cloud.airmonkey.es, separate from the airmonkey.es DNS controls.

I will tell you my results…

Many thanks again for your time, Juergen.

BR, Abraham


Hello Juergen.

Finally I bought another FQDN and made a new vhost for that name; now I have the cloud working like a charm with the certificate.

Thanks for your time, Juergen.

Abraham.


If this is the solution, you must have a curious bug in your configuration.

But happy to read that it worked.
