Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: fcddev.ddns.net:81
(I need to generate the certificate for this port instead of 80 or 443)
I ran this command:
certbot certonly
It produced this output:
Problem binding to port 80: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions
My web server is (include version):
Windows 10 IIS
The operating system my web server runs on is (include version):
IIS
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes Windows 10
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.6.0
According to Bard AI: To generate two separate SSL certificates (one for port 80 and one for port 81), you can use a certificate authority (CA) such as Let's Encrypt. When generating the SSL certificates, be sure to include the port number in the Subject Alternative Name (SAN) field.
That is completely wrong for Let's Encrypt. There is no such thing as a port number in the SAN list.
There are several ways to get a cert from LE but they all require a Challenge. The HTTP Challenge will require something listening on port 80. Why is port 80 not available?
Also, port 80 is usually for HTTP which does not even use a certificate.
And this is exactly why people should not trust and get hyped by the current """AI""" bots.. This is just plain bullcrap. SAN entries cannot have a port number.
Certificates, even without mentioning ports, can be used for ANY port..
With regard to the error: are you running Certbot with administrator rights? And is IIS still running on port 80? And I'm guessing here that you're using the standalone plugin; why are you using the standalone plugin anyway? Wouldn't the webroot plugin make more sense if you already have a working IIS?
I added the port number to the domain when generating the certificate
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): fcddev.ddns.net:81
I am already using port 80 for another web server (terminal Server Plus built-in web server). I need a second web server using IIS. I've port mapped 80 and 81 on the firewall to this server. It sounds like you are saying I don't need to add a port when specifying the domain.
Is that what you are saying? If so, I could stop the TSP service and try again without specifying a port, then restart after. Tried that but the same certificate can't be used for both servers. So I'll try generating a second certificate with a different domain?
The port number is discarded as it is not valid in a cert. Certbot probably should warn about this but it does not. You got a valid cert yesterday for domain fcddev.ddns.net (below)
While the HTTP Challenge to get a cert uses port 80, you only use a cert for ports using TLS. HTTPS on port 443 is very common and generally what is used for websites. You have some kind of server responding to HTTPS on port 443 right now using this cert.
Your understanding of ports and certs needs adjustment
See the SSL Labs report showing your server responding on port 443 using HTTPS. Also note it is sending a root cert in the chain which it should not be.
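The point made in the two replies above (a SAN entry cannot carry a port, and a certificate issued for the bare host name is valid on any TLS port, including 81) can be shown in a few lines. The following is an added example, not code from the thread or from Certbot: it performs the pre-check Certbot does not do (rejecting a requested name such as fcddev.ddns.net:81) and then matches an endpoint against a certificate's dNSName entries the way a TLS client does, with the port split off before comparison. The function names and the SAMPLE_SAN tuple are my own constructed assumptions; a real SAN list would come from ssl.getpeercert()['subjectAltName'].

```python
"""Added example: why 'host:port' is not a valid certificate name, and why
a certificate for the host name covers every TLS port on that host."""
import re
from urllib.parse import urlsplit

# Constructed sample: the dNSName entries a certificate issued for the
# thread's host name would carry (no port anywhere in the SAN list).
SAMPLE_SAN = (("DNS", "fcddev.ddns.net"),)

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_requested_name(name):
    """Pre-check for a name typed at the Certbot domain prompt.

    Returns (ok, reason). Rejects URLs, names carrying a port, and
    anything that is not a syntactically valid DNS name. A leading '*.'
    (wildcard) is accepted because the CA allows it via DNS validation.
    IP-address literals are deliberately not handled here.
    """
    if "://" in name or "/" in name:
        return False, "URLs are not host names; give the bare host name"
    if ":" in name:
        host, _, port = name.rpartition(":")
        return False, (f"'{name}' carries a port ({port}); certificates "
                       f"have no port, request '{host}' instead")
    bare = name[2:] if name.startswith("*.") else name
    labels = bare.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False, f"'{name}' is not a valid DNS name"
    return True, ""


def _dns_match(pattern, host):
    """RFC 6125 style match: case-insensitive, single leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        host_labels = host.split(".")
        # '*.ddns.net' matches 'fcddev.ddns.net' but not 'ddns.net' itself
        return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == host


def cert_matches_endpoint(san, endpoint):
    """Return True if a certificate with SAN entries `san` covers `endpoint`.

    `endpoint` may be 'fcddev.ddns.net:81' or 'https://fcddev.ddns.net:443/'.
    urlsplit() separates the host name from the port; only the host name is
    compared, which is exactly why the same certificate serves ports 81,
    443 or any other TLS port on that host.
    """
    if "://" not in endpoint:
        endpoint = "https://" + endpoint
    host = urlsplit(endpoint).hostname
    if host is None:
        return False
    return any(kind == "DNS" and _dns_match(value, host) for kind, value in san)


if __name__ == "__main__":
    for requested in ("fcddev.ddns.net:81", "fcddev.ddns.net", "*.ddns.net"):
        print(requested, "->", validate_requested_name(requested))
    for ep in ("fcddev.ddns.net:81", "https://fcddev.ddns.net:443/", "other.ddns.net:81"):
        print(ep, "covered:", cert_matches_endpoint(SAMPLE_SAN, ep))
```

Run as a script it prints the rejection reason for the name with a port and then shows the same single-name certificate covering both port 81 and port 443 while not covering a different host. The practical consequence for the thread is that no second certificate is needed for IIS on port 81; the existing one for fcddev.ddns.net is the right one to bind there.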
Why not? A cert can be used in several services at the same time. IIS needs the .pem to be converted into its Windows format. I don't recall that process off-hand.
I don't see any cert from today. And, the cert itself is not broken. The chain you send along with it has an extra cert. That is usually a config problem in your web service. In this case sounds like TSPlus but I am not familiar with that product.
Well, the cert is still working with the built-in TSP plus service so I guess I can ignore the extra cert for now. I need to figure out how to create a second certificate for IIS that is configured to listen on port 81. Any guidance would be appreciated.
Yes, this is exactly what I want. The cert created with TSPlus was done within the windows program so I don't know. I could ask TSPlus support where it is if that would help. Sorry, I'm not too smart when it comes to this
TSplus had the below info in their docs. You should be able to take the appropriate files from there and import them for use by IIS. I am not an IIS expert so cannot instruct the specifics. Hopefully one of our Windows experts will advise.
You also need to ensure IIS can handle HTTPS on that port.
You could also ask about this on TSplus forum or support. They should be able to help on how to have their product interact with other common services.
As TSPort is consuming port 80 you won't be able to use anything else to perform http validation (certbot etc) for your certificate. Some apps allow http port sharing via http.sys but probably not this one(?).
There's a few ways to do it. You can probably re-use the cert from TSPlus by importing the cert and key into the local machine certificate store, usually the local machine My/Personal store (it's sometimes easiest to use openssl to convert to PFX first), then selecting it in your IIS website bindings as a new/updated https binding on port 81. Alternatively, you can use DNS validation to get an additional cert (rather than using the default HTTP validation) and apply it to IIS.
Another method to consider is running IIS as your main port 80/443 web server then reverse proxy specific paths back to backend services, e.g. you could have https://yourdomain/tsplus/ or a subdomain like https://tsplus.yourdomain/ go to TSPlus running on a different port and other apps/services could go on other ports as well.
The advantage of that is you can just use something like https://certifytheweb.com (which I develop) to manage the IIS certs with http validation and you don't then have multiple tools managing multiple certs.
Yes, it's complicated. There's no super easy way to run multiple web servers on a single domain + port.