LE client needs to bind to port 80, which I'm already using

I see the same error/problem with nginx, on old git (28 October).
webroot is the way.

Small typo: you use ‘auto’ at the end of your line. That must be ‘auth’.

@let’s encrypt dev-team:
Why not use a less essential port (e.g. 81 or 82) to serve the challenge code?
Sure, this will need some firewall and routing config, but in that case we could use the well-working standalone client for cert renewal while keeping e.g. our Apache running on ports 80 and 443.

2 Likes

Or let us specify a port to issue the challenge code, so we could use these on NATed servers by setting up port forwarding appropriately.

4 Likes

Just generated my first cert and this is really intrusive. It doesn’t bind to a single IP either, so if you have multiple web servers bound to different IPs, it forces you to close those too.
Having the ability to bind to another port would be a great idea.

2 Likes

I propose to solve this issue as follows:

Note: you may want to change 9999 to a different value

  1. make sure the Apache modules mod_proxy and mod_proxy_http are enabled

a2enmod proxy proxy_http

  2. add the following to the mod_proxy config file (usually /etc/apache2/mods-enabled/proxy.conf)

<IfModule mod_proxy.c>
    # Only the ACME challenge path is forwarded to the standalone client on localhost:9999;
    # everything else keeps being served by this Apache. retry=1 re-probes a failed backend after one second.
    ProxyPass "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/" retry=1
    ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/"
    <Location "/.well-known/acme-challenge/">
        ProxyPreserveHost On
        # Apache 2.2 access control (needs mod_access_compat on 2.4):
        Order allow,deny
        Allow from all
        # Apache 2.4 access control:
        Require all granted
    </Location>
</IfModule>

  3. if you have a local firewall running: make sure it won’t block access from localhost to localhost:9999

  4. run letsencrypt-auto with the http port set to 9999

letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 9999 --server https://acme-v01.api.letsencrypt.org/directory certonly -d your-domain-here.tld

That way your standard apache will recognize the request from the letsencrypt server and forward it to the letsencrypt client if it’s running.

Note: if the letsencrypt client is not running, your local Apache will notice that during the proxy call and will only retry contacting the local letsencrypt client after a timeout of a minute. You can find a corresponding error message in the log. So if you try to “test” the setup using your browser, make sure to wait a minute before actually running the letsencrypt client.
Again: if you manually call a URL beginning with /.well-known/acme-challenge/ without having a letsencrypt client running at that moment, and you then do not wait for a minute afterwards, the letsencrypt server may not be able to contact the letsencrypt client.
So just don’t manually try to load a URL beginning with /.well-known/acme-challenge/ and Apache won’t block the request from the letsencrypt server.

Added parameter retry=1 so this should not be an issue anymore :innocent:

9 Likes
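To make the proxy layout in the how-to above concrete, here is an added example (my own Python model, not part of the original post and not Let's Encrypt client code). One local HTTP server plays the role of Apache on port 80 and forwards only /.well-known/acme-challenge/ to a second server standing in for the standalone client on 127.0.0.1:9999; every other path is answered by the "site" itself. Ports are ephemeral, the account key and token are constructed, and the 502 returned when the backend is stopped stands in for the retry/timeout behaviour the post warns about. The key authorization format (token, a dot, the base64url SHA-256 thumbprint of the account key) follows RFC 8555 section 8.1.

```python
import base64
import hashlib
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"
# Talk to 127.0.0.1 directly even if http_proxy is set in the environment.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def key_authorization(token, account_jwk):
    """RFC 8555 8.1: token '.' base64url(SHA-256(JWK thumbprint)), no padding.
    account_jwk is a dict holding only the required public members (RFC 7638)."""
    canonical = json.dumps(account_jwk, sort_keys=True, separators=(",", ":"))
    thumb = hashlib.sha256(canonical.encode("utf-8")).digest()
    return token + "." + base64.urlsafe_b64encode(thumb).rstrip(b"=").decode("ascii")


def fetch(port, path):
    """GET http://127.0.0.1:<port><path>; return (status, body) also for 4xx/5xx."""
    url = "http://127.0.0.1:%d%s" % (port, path)
    try:
        with _opener.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


class _Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def reply(self, status, body):
        data = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class AcmeResponder(_Handler):
    """Stand-in for the standalone client listening on 127.0.0.1:9999 (--http-01-port)."""
    def do_GET(self):
        token = self.path[len(ACME_PREFIX):] if self.path.startswith(ACME_PREFIX) else ""
        body = self.server.challenges.get(token)
        if body is None:
            self.reply(404, "no such challenge")
        else:
            self.reply(200, body)


class FrontProxy(_Handler):
    """Stand-in for Apache with the ProxyPass from step 2: only the ACME prefix
    is forwarded, every other path is served by the site itself."""
    def do_GET(self):
        if not self.path.startswith(ACME_PREFIX):
            self.reply(200, "regular site content")
            return
        try:
            status, body = fetch(self.server.backend_port, self.path)
        except urllib.error.URLError:  # connection refused: client not running
            # Apache answers 502/503 here after its own retry/timeout handling.
            status, body = 502, "ACME client not running behind the proxy"
        self.reply(status, body)


def start_server(handler, **attrs):
    """Bind an ephemeral loopback port and serve in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    for name, value in attrs.items():
        setattr(srv, name, value)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    # Constructed account key and token; real ones come from the ACME client.
    jwk = {"kty": "oct", "k": "Y29uc3RydWN0ZWQtZGVtby1rZXk"}
    token = "constructed-demo-token"
    keyauth = key_authorization(token, jwk)

    backend = start_server(AcmeResponder, challenges={token: keyauth})
    front = start_server(FrontProxy, backend_port=backend.server_address[1])
    port = front.server_address[1]

    results = {"keyauth": keyauth}
    results["challenge"] = fetch(port, ACME_PREFIX + token)       # proxied: 200 + key authorization
    results["unknown_token"] = fetch(port, ACME_PREFIX + "nope")  # proxied: backend's 404
    results["site"] = fetch(port, "/index.html")                  # not proxied

    backend.shutdown()
    backend.server_close()
    results["backend_down"] = fetch(port, ACME_PREFIX + token)    # the caveat from the post: 502
    front.shutdown()
    front.server_close()
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point worth carrying over to a real Apache is the prefix match: the proxy forwards exactly /.well-known/acme-challenge/ and nothing else, so the rest of the site never depends on the ACME client being up, and the backend listener only needs to be reachable from localhost.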

Thank you for your help.
But in my case, I have to use 2 servers because LE is not supported by my NAS.
My NAS (Syno) has a reverse proxy and redirects HTTP requests to port 9999 of my second server (Ubuntu).
On this server, I execute LE with your parameters.
But it doesn’t work and fails with:
“Failed authorization procedure. www.domaine.fr (http-01): connection :: The server could not connect to the client for DV :: Could not connect to http://www.domaine.fr/.well-known/acme-challenge/Ktk5ca5PLu7IZi2Uh4Duo1grTt9_0P8g406b7gTnx48”

:cry:

@mafiaman42:

Please don’t hijack this thread.
In your specific case you probably need to make sure that your NAS does the proxy redirection mentioned in step 2 above, but of course not with http://127.0.0.1:9999/.well-known/acme-challenge/ as the target but with http://put-the-name-of-your-second-server-here:9999/.well-known/acme-challenge/

1 Like

+1 for this improvement!

It’s very inconvenient that you have to stop your web server to use acme.

IMHO this improvement is a must before going public.

[quote=“c0ba, post:13, topic:2739”]
It’s very inconvenient that you have to stop your web server to use acme.
[/quote] that’s why I use the webroot authentication plugin

For letsencrypt client’s webroot authentication plugin see

After following this, LE stops complaining about port 80 but still complains about 443. How can this be improved, so that I can use LE without stopping apache on port 80/443?

did you add the parameters

--standalone --standalone-supported-challenges http-01 --http-01-port 9999

when calling letsencrypt-auto ?

I only used --http-01-port 9999. I tried webroot now and it worked without any problems. Thx anyway.

@thomas @mikeskril That option is not supported yet by the spec and the server always uses 80 / 443.

https://github.com/letsencrypt/letsencrypt/issues/1357#issuecomment-153940848

1 Like

Below is what I do now to get certs without stopping apache.

in /etc/letsencrypt/cli.ini I have:

authenticator = webroot
webroot-path = /var/www/
server = https://acme-v01.api.letsencrypt.org/directory
domains = mydomain.foo
renew-by-default
agree-dev-preview

running LE:

./letsencrypt-auto --config cli.ini auth

I will let cron run every 60 days to renew the certs.

I think that’s the best solution for me at the moment.

2 Likes
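As a complement to the webroot configuration above, an added example (my own Python, not part of the original post and not the letsencrypt client's code) that does with the file system what the webroot plugin does and then checks what the CA's request would run into: the key authorization is written to <webroot-path>/.well-known/acme-challenge/<token>, and check_webroot reports a webroot-path that is not the directory Apache actually serves, a file that is not world-readable, or a directory other users cannot traverse. The token and key authorization strings are constructed, and the base64url-alphabet check on the token (RFC 8555 section 8.3) is this example's own guard against a token being turned into a path outside the challenge directory.

```python
import os
import re
import shutil
import stat
import tempfile

ACME_DIR = os.path.join(".well-known", "acme-challenge")
# RFC 8555 8.3: tokens use the base64url alphabet only. Anything else must not
# become a file name (this check is the example's own guard, not the client's).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def challenge_file(webroot, token):
    """Path that a GET for /.well-known/acme-challenge/<token> maps to."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url, refusing to build a path from it")
    return os.path.join(webroot, ACME_DIR, token)


def write_challenge(webroot, token, key_authz):
    """Do what the webroot plugin does: put the key authorization where Apache serves it."""
    path = challenge_file(webroot, token)
    for d in (os.path.join(webroot, ".well-known"), os.path.dirname(path)):
        os.makedirs(d, exist_ok=True)
        os.chmod(d, 0o755)  # explicit, so the result does not depend on the umask
    with open(path, "w") as fh:
        fh.write(key_authz)
    os.chmod(path, 0o644)
    return path


def check_webroot(webroot, token, key_authz):
    """Return the problems the CA's request would hit; [] means it would be served."""
    path = challenge_file(webroot, token)
    if not os.path.isfile(path):
        return ["missing %s (is webroot-path really Apache's DocumentRoot?)" % path]
    problems = []
    with open(path) as fh:
        if fh.read() != key_authz:
            problems.append("content of %s is not the key authorization" % path)
    if not os.stat(path).st_mode & stat.S_IROTH:
        problems.append("%s is not world-readable" % path)
    for d in (webroot, os.path.join(webroot, ".well-known"), os.path.dirname(path)):
        if not os.stat(d).st_mode & stat.S_IXOTH:
            problems.append("%s is not traversable by others (e.g. the Apache user)" % d)
    return problems


def demo():
    """Constructed run: mkdtemp() yields a 0700 directory, i.e. a webroot Apache cannot enter."""
    root = tempfile.mkdtemp()
    token = "constructed-token"
    key_authz = token + ".constructed-thumbprint"
    write_challenge(root, token, key_authz)
    before = check_webroot(root, token, key_authz)   # flags the 0700 webroot
    os.chmod(root, 0o755)
    after = check_webroot(root, token, key_authz)    # nothing left to report
    # The /var/www vs /var/www/html mix-up: the file is not under the path checked.
    wrong_root = check_webroot(os.path.join(root, "html"), token, key_authz)
    try:
        challenge_file(root, "../../etc/passwd")
        rejected = False
    except ValueError:
        rejected = True
    shutil.rmtree(root)
    return {"before": before, "after": after, "wrong_root": wrong_root, "rejected": rejected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run against a real webroot-path (with the token the client logs) this tells you before the authorization attempt whether the CA would get a 200, a 403 or a 404, which is the same distinction the error messages in this thread boil down to.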

That’s fine, yeah. :+1:

1 Like

Guys,
this is meant as a how-to so that people can easily find out how to proceed if they receive the error message “LE client needs to bind to port 80, which I’m already using”.

You’re now writing about totally different things, but that’s just not fair to other users.
They will now have a hard time finding the guide above in this thread.

If you have questions, ask them publicly in a new thread.
If you want to have a private chat, I propose you start one with each other.
You may want to delete your messages above to clean this up.
Thanks.

1 Like

Don’t know why this worked in your case, but I had to specify the path to cli.ini, meaning:
./letsencrypt-auto --config /etc/letsencrypt/cli.ini auth

Furthermore, in my case (Linux Mint) the Apache webroot-path is /var/www/html

But with both steps corrected indeed everything worked perfectly without stopping apache and without need for manual interaction.
This indeed is the solution for me.
Thanks a lot!

1 Like

I use the same as you do. I was not clear in my last post… I’ve used --config cli.ini because I was in /etc/letsencrypt/ :smile:

Anyway, LE should look by default for the config file /etc/letsencrypt/cli.ini and load it if present.

By default, the following locations are searched:

/etc/letsencrypt/cli.ini
$XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).

Well, when I already have port 80 redirected to another device, then I am using it, and I think the proxy thing isn’t the best way. I think the server should just call on other ports, so I can for example set up redirection of port 450 or whatever to my Raspi running the LE client…