Manual activation of port 443

Hi, I am using certbot with Apache on Ubuntu. It works well; however, I am not using the standard SSL port.
So each time I run the script I have to open port 443.
I have tried to specify a port with certbot with success. I presume it lies with my Apache configuration, but I am stuck (Apache is listening on 443, but my firewall is forwarding my custom port on the web to the internal 443).

Thanks for your help. Here are the certbot messages, if they can help.
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/WHATEVER.net.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for jeedom.baviere.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (WHATEVER.net) from /etc/letsencrypt/renewal/WHATEVER.net.conf produced an unexpected error: Failed authorization procedure. WHATEVER.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/WHATEVER.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

You’re not allowed to do that; validation requires port 443 or 80 on the outside. If neither of those is usable, you’ll have to use the DNS challenge (Certbot only supports this in manual mode).
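An added example (not from the thread, and not Certbot's own code) of automating the manual step from the question: it refuses any external port other than 80/443, as the reply above explains, and otherwise wraps `certbot renew` so that the host firewall opens 443 only for the duration of validation via certbot's real `--pre-hook`/`--post-hook` options. It assumes ufw as the host firewall; the poster's forwarding firewall is not described.

```shell
#!/bin/sh
# Assumption: ufw is the host firewall. Replace the two ufw commands with the
# equivalent for your firewall if that is not the case.

# ACME HTTP/TLS validation only ever connects to 80 or 443 on the public side;
# any other externally reachable port cannot be validated, so fail early.
acme_port_ok() {
    case "$1" in
        80|443) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the certbot command line. The pre-hook runs before each renewal attempt
# and the post-hook after it, so the port is exposed only while validation runs.
build_renew_cmd() {
    port="$1"
    printf '%s' "certbot renew --pre-hook 'ufw allow ${port}/tcp' --post-hook 'ufw delete allow ${port}/tcp'"
}

# Prints the command it would run; executes it only when DRY=0 is set.
# Returns 2 (with a hint about the DNS challenge) for an unusable port.
renew_via_port() {
    port="$1"
    if ! acme_port_ok "$port"; then
        echo "port $port cannot be used for ACME validation; use 80/443 or the DNS challenge (certbot certonly --manual --preferred-challenges dns)" >&2
        return 2
    fi
    cmd=$(build_renew_cmd "$port")
    echo "$cmd"
    [ "${DRY:-1}" = "0" ] && eval "$cmd"
    return 0
}
```

Run as `DRY=0 sh renew.sh` from a root cron job or systemd timer to perform the renewal; without `DRY=0` it only prints the command it would execute.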

OK, thanks, that’s clear. A bit disappointed, but it is a feature.

It’s mainly for security. There are plenty of instances where you may not control a domain, but have basic user access to a webserver. The ability to listen on some high-numbered port does not imply you actually control the domain.

It is not a feature; it is the way the protocol is written.

:smiley:

You can review the protocol specifications here: https://tools.ietf.org/html/draft-ietf-acme-acme-07

Andrei
