New letsencrypt auto-renewal is trying to use port 80 rather than 443

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: Certbot auto update

It produced this output: Unable to find a virtual host listening on port 80

My web server is (include version): 2.2.15 (CentOS)

The operating system my web server runs on is (include version): Centos 6

My hosting provider, if applicable, is: Rogers

I can log in to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The previous auto update by certbot would appear to use port 443 to update, and this would be in the log/email:

Performing the following challenges:
tls-sni-01 challenge for
Encountered vhost ambiguity when trying to find a vhost for but was unable to ask for user guidance in non-interactive mode. Certbot may need vhosts to be explicitly labelled with ServerName or ServerAlias directives.
Falling back to default vhost *:443…
Waiting for verification…
Cleaning up challenges

Now it seems to only use port 80, which is blocked by the ISP and results in these messages:

Performing the following challenges:
http-01 challenge for
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

How can I configure certbot to use the https port rather than the http port? All the previous updates over port 443 happened perfectly.

Many thanks, Mike

The port 443 challenge, “tls-sni-01”, has been deprecated and replaced with the http-01 challenge. Please see the API Announcements page for details. You’ll need to add a vhost on port 80 in order to renew.

Although not as easy to use, you can still use the DNS challenge method to renew your certs.

@jsha can you point me to this page, I’m not finding it. I’d like to understand how exposing a site over HTTP rather than just HTTPS makes sense, thanks. I will work with my ISP to try and open port 80 but IIRC that was part of a “business” plan when I got connected years ago.

@rg305 I have seen references to and examples of letsencrypt-auto but I’m not finding any solid documentation. Do you have recommendations in this regard? I hope that it does not mean changing the DNS records every time a cert needs to be updated - if that is the case then I’d opt to go back to self-signed certs.

Many thanks, M

The API Announcements category of this forum:

And this topic, among others:

Let's Encrypt validation aside, websites typically leave HTTP enabled so that they can redirect it to HTTPS.

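A port-80 vhost that covers both points made above (certbot needs a `*:80` vhost with an explicit `ServerName` for http-01, and HTTP is otherwise kept only to redirect to HTTPS), as an added example that is not code from the thread or from certbot. It assumes Apache 2.2 on CentOS 6 as in the post, and uses a placeholder domain `example.com`, document root `/var/www/html` and config directory `/etc/httpd/conf.d/`; adjust all three.

```shell
#!/bin/sh
# Render an Apache 2.2 vhost for port 80 that (a) carries an explicit
# ServerName so certbot stops reporting "vhost ambiguity", (b) serves
# /.well-known/acme-challenge/ over plain HTTP for the http-01 challenge,
# and (c) redirects everything else to HTTPS.
# Added example; domain, paths and file names are assumptions, not from the thread.

render_http_vhost() {
    domain="$1"
    docroot="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot ${docroot}

    # Challenge files must be reachable over HTTP: no redirect, no auth (2.2 syntax).
    <Directory "${docroot}/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Everything except the ACME path goes to HTTPS (PCRE negative lookahead).
    RedirectMatch permanent "^/(?!\\.well-known/acme-challenge/)(.*)" https://${domain}/\$1
</VirtualHost>
EOF
}

# Checks to run on the rendered config before reloading Apache:
# a *:80 listener, a non-empty ServerName, and the challenge path present.
check_http_vhost() {
    conf="$1"
    printf '%s\n' "$conf" | grep -q '^<VirtualHost \*:80>' || return 1
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*ServerName [^ ]' || return 1
    printf '%s\n' "$conf" | grep -q 'acme-challenge' || return 1
    return 0
}

# Usage: sh http-vhost.sh example.com /var/www/html            -> print config
#        sh http-vhost.sh example.com /var/www/html --install  -> write, test, reload
domain="${1:-example.com}"
docroot="${2:-/var/www/html}"
conf="$(render_http_vhost "$domain" "$docroot")"
check_http_vhost "$conf" || { echo "rendered vhost failed checks" >&2; exit 1; }

if [ "${3:-}" = "--install" ]; then
    mkdir -p "${docroot}/.well-known/acme-challenge"
    printf '%s\n' "$conf" > "/etc/httpd/conf.d/${domain}-http.conf"
    httpd -t && service httpd reload
    # Reachability check: run this from a host OUTSIDE your network. An ISP
    # block on port 80 shows up here as a connection timeout, not a 301.
    curl -sS -o /dev/null -w 'HTTP %{http_code} -> %{redirect_url}\n' "http://${domain}/"
    # Rehearse renewal against the staging CA before touching the real cert.
    certbot renew --dry-run
else
    printf '%s\n' "$conf"
fi
```

The `Directory` block and the lookahead in `RedirectMatch` matter when renewing with the webroot authenticator, which writes the token under `DocumentRoot`; certbot's apache authenticator (the one producing the messages in the post) injects its own temporary config for the challenge, so for it the explicit `ServerName` on a `*:80` vhost is the part that fixes the error. Nothing here helps if the ISP drops inbound port 80 before it reaches the box; the `curl` from outside is how to tell.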

DNS authentication will require an update to the external DNS zone for each renewal.
The easy out is finding an API for the DNS service in use - then it can all be automated.
If you can’t find a match you should consider the complexity of changing DNS service providers.
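For the DNS route rg305 describes, an auth/cleanup hook pair that certbot's manual plugin runs on every renewal, so nobody edits zone records by hand. This is an added example, not code from the thread or from certbot. It assumes the zone accepts RFC 2136 dynamic updates with a TSIG key (a self-hosted BIND, or a provider that exposes it); the nameserver `ns1.example.com`, the key file path and the zone-derivation rule are placeholders.

```shell
#!/bin/sh
# certbot manual-plugin hook for dns-01: publishes or removes the
# _acme-challenge TXT record via RFC 2136 dynamic update (nsupdate).
# Added example; nameserver, zone rule, key path and TTL are assumptions.
#
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hooks. Wire it in once:
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook    '/usr/local/bin/acme-dns-hook.sh add' \
#       --manual-cleanup-hook '/usr/local/bin/acme-dns-hook.sh delete' \
#       -d example.com
# Later "certbot renew" reuses the hooks from the renewal config.

NS_SERVER="${NS_SERVER:-ns1.example.com}"          # assumed authoritative server
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"  # assumed TSIG key file (nsupdate -k)
TTL=60

# Zone = last two labels of the name. Good enough for example.com / www.example.com;
# multi-label public suffixes (co.uk) or delegated _acme-challenge zones need a better rule.
zone_for() {
    printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Emit the nsupdate batch for adding or deleting the challenge record.
# $1 = add|delete, $2 = domain, $3 = validation token
nsupdate_script() {
    action="$1"; domain="$2"; token="$3"
    zone="$(zone_for "$domain")"
    printf 'server %s\nzone %s\n' "$NS_SERVER" "$zone"
    if [ "$action" = "add" ]; then
        printf 'update add _acme-challenge.%s. %s TXT "%s"\n' "$domain" "$TTL" "$token"
    else
        printf 'update delete _acme-challenge.%s. TXT "%s"\n' "$domain" "$token"
    fi
    printf 'send\n'
}

# Poll the authoritative server until it serves the token. The CA queries that
# server directly, so returning from the auth hook too early fails the challenge.
wait_for_txt() {
    domain="$1"; token="$2"; tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short TXT "_acme-challenge.${domain}" "@${NS_SERVER}" | grep -q "\"${token}\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 2
    done
    echo "TXT record for ${domain} not visible on ${NS_SERVER}" >&2
    return 1
}

# Entry point: only acts when certbot is the caller (CERTBOT_* set).
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    case "${1:-}" in
        add)
            nsupdate_script add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
            wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
            ;;
        delete)
            nsupdate_script delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
            ;;
        *)
            echo "usage: $0 add|delete (run by certbot with CERTBOT_DOMAIN/CERTBOT_VALIDATION set)" >&2
            exit 2
            ;;
    esac
fi
```

Two things worth getting right: the TSIG key should be limited, on the server side, to TXT records under `_acme-challenge.` names (in BIND, an `update-policy` grant rather than `allow-update`), so a leaked key on the web host cannot rewrite the zone; and certbot already ships a `certbot-dns-rfc2136` plugin (`--dns-rfc2136 --dns-rfc2136-credentials …`) plus plugins for several hosted DNS providers, which do the same job without hand-written hooks. If the provider offers neither dynamic update nor an API, this is the point where rg305's remark about changing DNS providers applies.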
