ISP makes ports 80 and 443 unreachable

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: yaosap.com yaosap.net

I ran this command: sudo certbot -d yaosap.net --https-port 50443 --http-01-port 50080

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for yaosap.net

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: yaosap.net
Type: connection
Detail: 88.127.174.18: Fetching http://yaosap.net/.well-known/acme-challenge/6XqFBMfyWEwduWnX0N_7ZH6W-nlIXbR-fLCCr-W2r_Q: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Server version: Apache/2.4.57 (Debian)

The operating system my web server runs on is (include version):

Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm

My hosting provider, if applicable, is: free.fr

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, I use configuration file

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Hi,
I installed a web server on my workstation. I used to renew certificates without problem. Now my ISP no longer allows access to 80 and 443 (and any port below 40000). I changed my internet box so that 50080 redirects to port 80 on my computer and 50443 to 443, but I can't renew my certificates.

Could you help me, please?

If the Internet can't get to your name on 80 or 443 (and so you're getting a certificate for an "internal-only" system), then the only challenge you can use to get a certificate is the DNS-01 challenge. (It still needs port 53 on your DNS server to be globally available, but tends to be pretty common.)

4 Likes

Hi @nicolasc, and welcome to the LE community forum :slight_smile:

I don't think that is going to do what you are expecting it to do.
But I may be getting ahead of myself...
So, what did you expect those settings to do?

3 Likes

hi rg305,
thanks for your answer.
I configured my internet box in a way that traffic coming in on ports 50443 and 50080 is redirected to ports 443 and 80 on my computer, because my ISP forbids using ports 40000 and lower.

As I suspected.
Those settings won't get you a certificate.
They will only set the local certbot HTTP port to 50080.
[ I doubt the --https-port setting will do anything at all without using --nginx ]
The Internet port requested by the ACME server will always be 80 for HTTP authentication.
It sounds like you will have to do the authentication via DNS.

4 Likes

You seem to be using Gandi as your DNS provider. Certbot itself does not provide a DNS plugin for Gandi, but there is a third party Certbot Gandi plugin: GitHub - obynio/certbot-plugin-gandi: Certbot plugin for authentication using Gandi LiveDNS

How did you install Certbot?

Edit: Looking at the version number of Certbot (2.1.0) and your Debian version (Bookworm), it looks like you've installed Certbot using apt. Luckily for you the certbot-dns-gandi plugin is packaged in Debian Bookworm: Debian -- Details of package python3-certbot-dns-gandi in bookworm. See the Github repo I've mentioned above for any documentation of the plugin. We probably don't have any experience with it on this Community.

6 Likes

Have you considered voting with your money and move to an ISP who supports what you need or want?

2 Likes

Thanks! I'll take a look at it.

1 Like

Hi Bruce, my ISP is very nice and inexpensive.

thanks rg

1 Like

Osiris,
thanks again, it did the trick.

2 Likes

Glad you got the plugin working.

Note that if port 443 (and 80) is blocked by your ISP and you want to run a publicly reachable website, your issues are not only with getting certificates: nobody from the internet will be able to access your website on the regular HTTPS (and HTTP) ports. They'd need to manually add the :50443 port (for https://) to the URL in their address bar.

4 Likes

You can also change ports using the somewhat new Origin Rules beta on Cloudflare.

5 Likes

well, isn't that interesting :slight_smile:

4 Likes

It is possible to achieve similar results with a Cloudflare tunnel. This is notably less complex. Changing ports was historically not possible without an Enterprise plan IIRC.

While it's a feature I would prefer to avoid due to the unnecessary introduction of additional complexity, I can appreciate that it could be beneficial in situations like this where an ISP blocks certain well known ports.

4 Likes

Although that could be OK if they get links to the site that explicitly include that port as part of the link. They could just not, for example, type in the domain name by itself in the browser in order to visit the site.

4 Likes
