Obtaining cert when port 80 is blocked by ISP & redirected by noip

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.mlake.net

I ran this command: variations of the certbot command

It produced this output: in most cases, 8080 not supported

My web server is (include version): Apache 2.4.52

The operating system my web server runs on is (include version): Linux Mint 21.1 Vera (base: Ubuntu 22.04 jammy)

My hosting provider, if applicable, is: cox.net, noip.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.21.0

Hi @Snake1949,

Try using the DNS-01 challenge; it doesn't require access to your server. Choose a DNS provider that supports an API that can create, edit and delete DNS records. Only TXT records are required.


If you have some Apache admin skills and you have port 443 available, you could look at using Apache's mod_md.

It supports the TLS-ALPN challenge, which uses port 443, and is a built-in ACME client: mod_md - Apache HTTP Server Version 2.4


I'm pretty much a dummy when it comes to this stuff, but I don't see how to initiate a DNS-01 challenge in certbot. If I use the --manual option, it tries to authenticate me via the HTTP option by having me place a particular file in a particular place. And then I get the error that it needs port 80 to do the authentication.

Port 80 is blocked by my ISP, and port 80 is being redirected to 8080 by noip.com.

It's been many years since I've messed around with Apache, and now I'm old. 🙂 But, if I can't find anything else, I'll give mod_md a shot. Thanks.


You could also use Caddy rather than Apache's mod_md. Caddy also defaults to TLS-ALPN (which uses port 443 rather than 80), and is IMO considerably easier to configure.


This is the first I've heard of Caddy. At first glance Caddy looks almost too easy to make a site https. Thanks!


It's very easy indeed. It does default, IIRC, to getting certs from ZeroSSL rather than Let's Encrypt, but pretty much a cert is a cert. It's generally my go-to choice for a web server or reverse proxy.


I see:

Name:    www.mlake.net
Address: 34.198.182.201
curl -Ii http://www.mlake.net/
HTTP/1.1 301 Moved Permanently
Date: Fri, 13 Dec 2024 16:30:25 GMT
Server: Apache
Location: http://70.180.27.77:8080     <<<<<<<<<<<<<<<<<<<<
Content-Type: text/html

This "type of forwarding" will NOT work with LE using HTTP-01 validation.

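The redirect quoted above is the whole problem for HTTP-01, so here is an added example (not code from Let's Encrypt, certbot or No-IP) that applies the documented HTTP-01 rule to a captured response: the validator requests the challenge URL on port 80 and follows redirects, but only to http:// or https:// targets on ports 80 or 443. The response header block is constructed from the curl output shown in this thread; the request URL and token are placeholders. It is a checker for the port/scheme rule only and does not model every check the CA's validator performs.

```python
"""Decide whether an HTTP-01 validator could follow a captured redirect.

Added example for this thread; not code from Let's Encrypt, certbot or No-IP.
Rule implemented (Let's Encrypt's documented HTTP-01 behaviour): connect on
port 80, follow redirects, but only to http:// or https:// targets on ports
80 or 443.  A redirect to any other port, such as http://70.180.27.77:8080
seen in this thread, is not followed and the validation fails.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed from the curl output quoted in the thread (headers only).
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Fri, 13 Dec 2024 16:30:25 GMT\r\n"
    "Server: Apache\r\n"
    "Location: http://70.180.27.77:8080\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_status_and_headers(raw):
    """Return (status_code, {lower-cased header name: value}) from a raw header block."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_target(request_url, raw_response):
    """Absolute Location URL if the response is a redirect, otherwise None."""
    status, headers = parse_status_and_headers(raw_response)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    # A relative Location is resolved against the request URL, as any client does.
    return urljoin(request_url, headers["location"])


def http01_can_follow(target_url):
    """True if the scheme is http/https and the explicit or default port is 80 or 443."""
    parts = urlsplit(target_url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT or not parts.hostname:
        return False
    try:
        port = parts.port or DEFAULT_PORT[scheme]
    except ValueError:  # non-numeric or out-of-range port in the URL
        return False
    return port in (80, 443)


def diagnose(request_url, raw_response):
    """One-line verdict for the response captured at the validation URL."""
    target = redirect_target(request_url, raw_response)
    if target is None:
        return "no redirect; HTTP-01 reads the challenge file from this host"
    if http01_can_follow(target):
        return "redirect to %s: followable, make sure the challenge file is served there" % target
    return "redirect to %s: NOT followable by HTTP-01 (only ports 80/443 over http/https)" % target


if __name__ == "__main__":
    # Placeholder challenge URL; TOKEN stands in for the CA-issued token.
    url = "http://www.mlake.net/.well-known/acme-challenge/TOKEN"
    print(diagnose(url, SAMPLE_RESPONSE))
```

Run against your own host with the headers from `curl -Ii http://www.mlake.net/.well-known/acme-challenge/anything`; a redirect to a :8080 target will be flagged, a redirect to https://www.mlake.net/... on 443 will not.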

Furthermore, since DNS resolves as:

Name:    www.mlake.net
Address: 34.198.182.201

Name:    mlake.net
Address: 70.180.27.77

https://www.mlake.net/ must be (initially) served by IP 34.198.182.201 [not 70.180.27.77].


That's curious. 34.198.182.201 resolves to amazon.com.

My ISP is cox.net. noip.com provides me with my domain (mlake.net) and redirects port 80 to port 8080. I don't know what this has to do with amazon.com.

Not exactly. The IP is assigned to Amazon but resolves to an EC2 instance in AWS. That is one of their cloud computing offerings.

My guess is that is what no-ip's redirect service runs on. An Apache server replies:

curl -i -m7 http://www.mlake.net
HTTP/1.1 301 Moved Permanently
Server: Apache
Location: http://70.180.27.77:8080

# And utterly fails with HTTPS
curl -i -m7 https://www.mlake.net
curl: (7) Failed to connect to www.mlake.net port 443 after 26 ms: Connection refused

The Let's Encrypt HTTP Challenge does not support port 8080 so that can't be used.

If that's a no-ip service, TLS-ALPN won't work either. You won't be able to set up their service to reply properly.

If you have control of port 443 you could change the DNS for www.mlake to be your public IP directly and do TLS-ALPN (mod_md or Caddy) there. This would eliminate no-ip involvement.

Or, to avoid all these HTTP(S) routing problems, use the DNS challenge as earlier suggested. At least you could get a cert. You'd still have to sort out HTTP(S) flows for whatever service you want to run.

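Since the DNS challenge is the option that sidesteps the port 80/443 routing entirely, here is an added example (not certbot's or Let's Encrypt's code) of what DNS-01 actually asks you to publish, following RFC 8555 section 8.4 and the RFC 7638 JWK thumbprint. With `certbot certonly --manual --preferred-challenges dns -d www.mlake.net`, certbot does this computation for you and prompts with the record to create (hooks receive the name as CERTBOT_DOMAIN and the value as CERTBOT_VALIDATION); the code shows where that value comes from. The account key coordinates and the token below are constructed sample values, not a real account or a real challenge.

```python
"""Compute the TXT record a DNS-01 challenge needs you to publish.

Added example for this thread, not certbot's or Let's Encrypt's code.  It
follows RFC 8555 section 8.4 (DNS-01) and RFC 7638 (JWK thumbprint).  The
account key and token below are constructed sample values.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: the members that take part in the thumbprint, per key type.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed sample: an EC P-256 public JWK (sample coordinates, not a real
# account key) and a token of the shape ACME servers issue (base64url, no padding).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # optional member; the thumbprint ignores it
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members, lexicographically ordered, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return "%s.%s" % (token, jwk_thumbprint(account_jwk))


def dns01_record_name(identifier: str) -> str:
    """Owner name of the TXT record; a wildcard is validated at its base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """(owner name, TXT value) to publish before telling the CA to validate."""
    name = dns01_record_name(identifier)
    value = dns01_txt_value(key_authorization(token, account_jwk))
    return name, value


if __name__ == "__main__":
    name, value = dns01_record("www.mlake.net", SAMPLE_TOKEN, SAMPLE_JWK)
    print('%s. 60 IN TXT "%s"' % (name, value))
```

The value is a hash, not the token itself, so the DNS provider only ever sees something derived from your account key and the token; a DNS provider API (as suggested earlier in the thread) only needs permission to create and delete TXT records at the `_acme-challenge.` name.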

I see. Ok, thanks.

