Is "cli.ini" still valid and in use

I'm doing a fresh install of Certbot using your new instructions (snap). After installing cli.ini is not there. Can it still be used to set the http port?

1 Like

It might not be present when "empty", but it can still be used.
See:
User Guide — Certbot 1.29.0 documentation (eff-certbot.readthedocs.io)

4 Likes

Yeah, it's not present by default. So OP can make one.

Personally, I don't use cli.ini any longer. Everything that can be set there can also be set on the command line when getting a certificate, and it is remembered somewhere: either on the ACME server in the case of the email address, or in the renewal configuration file(s) in the case of the rest.

I don't issue new certs very often, so for me personally setting default options in cli.ini isn't really necessary.

4 Likes

Yes, I inspected the log file and saw where it picked up the http-01 value from the cli.ini file. Unfortunately, the new port can't be accessed by IPv6 but the log says that is Ok. The verification still succeeds.

Setting the port for HTTP won't change the port that LE checks.
LE will always try HTTP on port 80 [and nothing else].
It can follow redirects from there, but only to HTTP or HTTPS ports [and only to FQDNs, not IPs].

So, why have that HTTP port setting at all?
Because one can have a web server on port 80 and run certbot on some other port.
But how would the HTTP challenge (on port 80) request reach certbot (on some other port)?
The web service (on port 80) would have to proxy those challenge requests to certbot.
So, what is the benefit of this (port setting)?
One can leave the HTTP challenge request path open, and it will only reach certbot [and only while it is running].

4 Likes
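As an added example of the proxying arrangement described above (not from the post or from the Certbot project), here is an nginx server block that keeps only the ACME challenge path open and hands it to certbot's standalone listener; the port 8888, the hostname example.com and the use of nginx are assumptions, and the matching cli.ini lines are shown in the comment.

```nginx
# Assumed /etc/letsencrypt/cli.ini for the standalone authenticator:
#   authenticator = standalone
#   http-01-port = 8888
#
# Let's Encrypt always connects to port 80, so the web server owns port 80
# and forwards only the challenge path to certbot on 127.0.0.1:8888.
server {
    listen 80;
    listen [::]:80;          # serve IPv6 too if the name has an AAAA record
    server_name example.com; # assumed placeholder hostname

    # Only /.well-known/acme-challenge/ reaches certbot, and only while the
    # standalone listener is running; otherwise nginx returns 502 here.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host;
    }

    # Everything else on port 80 is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Nothing on the internal port is reachable from outside: clients only ever talk to nginx on port 80, and the challenge responses exist only for the seconds the standalone authenticator is active.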

An additional possibility is that you might have a firewall that is set to forward port 80, as seen by the Internet, to a different port on your server, or something along those lines.

5 Likes

That is exactly my setup. I read the statement from LetsEncrypt that says "it does no harm to have port 80 open" but I am taking an extra precaution. Port 80 is forwarded to an unused port in my certbot client that is specified in the http-01 statement. That way if a hacker bangs on port 80, they get nowhere.

1 Like
