How to specify a port different from 443 for the DVSNI challenge

I run a server that is public available via single IP address. On the server I run several linux containers (lxc) and the one I would like to configure with letsencrypt is not available via port 443. Instead I use port 1443 and it’s no problem for me to access the apache webserver within the container using this port.

When I now run the letsencrypt-auto I run into the following error:

Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

 - The following errors were reported by the server:

   Type:   connection
   Detail: Failed to connect to host for DVSNI challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

How do I specify another port (in my case 1443) for the DVSNI challenge?

tls-sni-01 requires port 443. There’s no way to use another port.

Other options would be http-01, which runs on port 80, and dns-01, which doesn’t require any open ports at all - it works with TXT records, but there’s no support in the official client yet.

1 Like

As @pfg says, there is no way to do so. This is intentional in order to prevent non-administrative users from getting certs issued for shared servers where they have unprivileged accounts. Hopefully one of the other methods that @pfg mentioned will work for you.

1 Like

Thanks for the quick answer @pfg and elaborating this in detail, @schoen

Is there some kind of description regarding the DNS TXT record method?

Do you want the documentation of how to implement the DNS challenge ? or do you want a client that already does it ?

in the list of alternate clients then I know the 3 Bash ones all implement the DNS TXT challenge

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.