I have set up a Mosquitto broker on a server with a domain name. To allow internet clients to connect to the broker, I'm using port 9001 with the WebSocket protocol. Now, I want to secure the client connections by using a CA (Certificate Authority) certificate. This is necessary for building a web application that communicates with this broker.
However, I have a specific requirement: I want to keep port 80 closed and only use port 9001 as the public-facing port.
Is it possible to use Certbot with Let's Encrypt to obtain SSL/TLS certificates in this scenario?
I attempted to use the following command after stopping the broker container to make port 9001 available:
The ACME HTTP challenge needs port 80 open. But you could use the DNS challenge or possibly TLS-ALPN.
The --http-01-port option changes the port that Certbot listens on. That is for when the local network re-routes the incoming port 80 request to a local network service on a different port (such as by using router NAT).
Just expanding and clarifying what @MikeMcQ wrote above:
For the HTTP-01 challenge, your server must accept a port 80 connection from Let's Encrypt. The Certbot command flag you used is designed for situations where you want to put a proxypass on port 80 to the higher port.
You can use a DNS-01 challenge.
Since you do not have other services on port 80, the simplest solution is to run Certbot in --standalone mode and use the pre/post hooks to toggle firewall rules for port 80 traffic. I actually do this with port 53 and acme-dns for DNS-01 challenges myself, only running the DNS server and allowing traffic when completing ACME orders. This is relatively simple to set up. If you're unfamiliar, I can share instructions.
In this situation, while you are accepting traffic on port 80, both the firewall rules and server only exist when running Certbot. Running an ephemeral service like this should be fine for your security model.
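The standalone-plus-hooks approach described in the answer above, as an added example that is not part of the thread. It assembles a `certbot certonly --standalone` invocation whose `--pre-hook` inserts an iptables rule accepting TCP/80 and whose `--post-hook` deletes the same rule, so port 80 is reachable only while the ACME order is in flight. The domain `broker.example.com`, the iptables rule text and the Docker container name `mosquitto` (restarted by `--deploy-hook` so the broker picks up the new certificate) are placeholders and assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread). Runs certbot in --standalone mode and
# uses --pre-hook / --post-hook to open TCP/80 only for the duration of the ACME
# order. Assumes iptables, certbot and a Docker container called "mosquitto";
# all three names are placeholders to adapt to your host.
set -eu

DOMAIN="${DOMAIN:-broker.example.com}"   # placeholder, replace with your broker's FQDN
CONTAINER="${CONTAINER:-mosquitto}"      # assumed container name
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the command instead of running it

# Rule accepting inbound HTTP-01 traffic. Using one rule text for insert (-I) and
# delete (-D) guarantees the post-hook removes exactly what the pre-hook added.
PORT80_RULE="INPUT -p tcp --dport 80 -j ACCEPT"

pre_hook_cmd()  { printf 'iptables -I %s' "$PORT80_RULE"; }
post_hook_cmd() { printf 'iptables -D %s' "$PORT80_RULE"; }

# Runs only when a certificate was actually issued or renewed: restart the
# broker so its listener reloads certfile/keyfile.
deploy_hook_cmd() { printf 'docker restart %s' "$CONTAINER"; }

# Assemble the full certbot invocation as one string so it can be inspected
# (or logged) before anything touches the firewall.
certbot_cmd() {
  domain="$1"
  printf 'certbot certonly --standalone --preferred-challenges http -d %s' "$domain"
  printf ' --pre-hook "%s"' "$(pre_hook_cmd)"
  printf ' --post-hook "%s"' "$(post_hook_cmd)"
  printf ' --deploy-hook "%s"' "$(deploy_hook_cmd)"
}

# Guard: if the rule already exists, something else relies on port 80 and the
# post-hook would silently close it. Refuse rather than toggle a shared rule.
port80_rule_absent() {
  # shellcheck disable=SC2086
  ! iptables -C $PORT80_RULE 2>/dev/null
}

main() {
  if [ "$DRY_RUN" = "1" ]; then
    certbot_cmd "$DOMAIN"
    printf '\n'
  else
    port80_rule_absent || { echo "port 80 rule already present; refusing to run" >&2; exit 1; }
    eval "$(certbot_cmd "$DOMAIN")"
  fi
}

# Only act when invoked as `sh script.sh run`; sourcing the file just defines the functions.
case "${1:-}" in
  run) main ;;
esac
```

Run `sh script.sh run` to print the assembled command, and `DRY_RUN=0 sh script.sh run` as root to execute it. Because certbot installs a renewal timer that reuses the hooks recorded at issue time, the same pre/post toggling applies to every later renewal without further work.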