Install certbot when intentionally port translating

krisspringer · April 17, 2020, 6:27pm

My web server is intentionally behind a firewall that’s port translating external port 11443 to internal port 443. How do I get certbot to work through that?

My domain is: xymon.watersprings.net

I ran this command: sudo certbot --apache

It produced this output: Timeout during connect (likely firewall problem)

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.6

My hosting provider, if applicable, is: self hosted VM

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Osiris · April 17, 2020, 6:35pm

So you mean external people (like me or anyone else on the internet) would have to type in https://xymon.watersprings.net:11443 to get to your site?

Or do you mean it the other way around? That your Apache is listening on port 11443 and that your firewall translates my request on port 443 to the port 11443 on Apache?

krisspringer · April 17, 2020, 6:41pm

Yes, I mean external people (anyone on the internet) would have to type in https://xymon.watersprings.net:11443 to get to the site. Currently if you just enter xymon.watersprings.net:11443 it will display as http, but not https

ezekiel · April 17, 2020, 6:44pm

Quoting from the docs here: https://letsencrypt.org/docs/challenge-types/

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

If you cannot open Port 80, then you could try switching to the DNS-01 challenge type.

Osiris · April 17, 2020, 6:46pm

In addition to @ezekiel’s post: this isn’t a limitation of Let’s Encrypt, but is mandated by the CA/B Forum, the consortium which regulates the SSL/TLS certificate guidelines.

krisspringer · April 17, 2020, 6:48pm

So, if I go ahead and open 443 through the firewall, the cert will install and work? If I close it again will the cert update later?

mnordhoff · April 17, 2020, 6:55pm

Port 443 doesn’t actually matter. Certbot is using HTTP-01 validation, which uses and requires port 80.

(Let’s Encrypt supports TLS-ALPN-01 validation, which does use port 443, but Certbot has not implemented it yet.)

krisspringer · April 17, 2020, 7:00pm

Ok, so I opened both ports 80 and 443 and was successful in installing the cert. Then I closed both ports again. Now the port 11443 translation works as expected.

My question now is will the cert auto-renew next month? Or will I need to open port 80 in order for it to auto-renew?

ezekiel · April 17, 2020, 7:13pm

Port 80 will need to be open for the duration of each HTTP-01 Challenge validation attempt. So, if you do not want Port 80 to simply remain open, then you’ll have to open the port each time.

Osiris · April 17, 2020, 7:16pm

In addition to @ezekiel’s post (): see also the following article from the Let’s Encrypt documentation: Best Practice - Keep Port 80 Open.

system · May 17, 2020, 7:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.