Persistent non-standard port in renewal

I moved a gitlab+nginx server using a letsencrypt cert to a non-standard port. When it came time to renew the cert I found that it’s not possible to do it that way. I then moved the server back from the non-standard port and reopened the firewall. sudo letsencrypt renew still fails:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Invalid port in redirect target. Only ports 80 and 443 are supported, not 7918. Skipping.

I can’t find where the renewal request is finding the non-standard port; it’s not in the server config, which is served normally at 443.

Attempting to debug this has also led to:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Skipping.

How can I remove the non-standard port from the request, and how can I reset my request limit?

Hi @neilger

there is such a redirect. Your old check - - has only timeouts.

Rechecked your domain: all is redirected to that port.

Domainname  Http-Status  redirect  Sec.  G
301  Html is minified: 109,46 %  0.226  A
301  Html is minified: 109,46 %  0.230  E
302  Html is minified: 100,00 %  3.723  A

Same with /.well-known/acme-challenge.

Find and remove that redirect you have created.

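An added example (not written by any poster in this thread) of the check described in the answer above: it walks the redirect chain of an http-01 challenge URL hop by hop and reports the first redirect whose target is not on port 80 or 443. The host `example.test`, the `probe` token and the function names are assumptions; the 10-redirect limit is Let's Encrypt's documented limit and is not stated in the thread.

```python
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

ALLOWED_PORTS = {80, 443}  # from the error text quoted in the thread
MAX_REDIRECTS = 10         # Let's Encrypt's documented limit (not stated in the thread)

def fetch_location(url, timeout=10):
    """One GET without following redirects; returns (status, Location or None)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        # Only the status and Location header are read, so certificate checks
        # are skipped: an expired cert must not hide the redirect being traced.
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_challenge(url, fetch=fetch_location):
    """Walk the redirect chain; returns (hops, problem), problem is None if clean."""
    hops = [url]
    for _ in range(MAX_REDIRECTS):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops, None  # chain ended with a non-redirect response
        url = urljoin(url, location)  # Location may be relative
        hops.append(url)
        parts = urlsplit(url)
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
        if parts.scheme not in ("http", "https") or port not in ALLOWED_PORTS:
            return hops, f"hop {len(hops) - 1} is not allowed (scheme {parts.scheme}, port {port}): {url}"
    return hops, "too many redirects"

# Constructed sample mirroring the thread: port 80 -> 443 -> 7918.
SAMPLE = {
    "http://example.test/.well-known/acme-challenge/probe": (301, "https://example.test/.well-known/acme-challenge/probe"),
    "https://example.test/.well-known/acme-challenge/probe": (302, "https://example.test:7918/.well-known/acme-challenge/probe"),
}

if __name__ == "__main__":
    hops, problem = trace_challenge(next(iter(SAMPLE)), fetch=lambda u: SAMPLE.get(u, (404, None)))
    print("\n".join(hops))
    print(problem or "redirect chain is acceptable")
```

Called with only a URL, `trace_challenge` uses the live `fetch_location`, so the hop list shows which server response introduces the port.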

Thank you for the rapid response. I had missed a reconfiguration step, after correcting that the renewal went through. I appreciate the pointer to my oversight.

If port 80 is free, you can use

certbot renew \
  --standalone \
  --pre-hook "command to open the firewall on port 80" \
  --post-hook "command to reverse the former" \
  --deploy-hook "service nginx reload"

to tell certbot to spin up its own webserver to do its validations without touching your nginx.


Ah, nice, very helpful, I had missed that alternative.
