Problem creating RSA certificate on Windows 11

@PhilMand

Beware of Privileged Ports. "The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you."

Your Port 1521 is above 1024 but Ports 80 & 443 are below 1024.
So possibly how Port 1521 is configured may still require Ports 80 & 443 to be configured differently,
on the Router and Windows 11.

1 Like

Is that really necessary to be opened to the entire Internet?

2 Likes

CloudHealth Secure State Docs (vmware.com)

1 Like

You'll need to use DNS validation to get your certificate if your service provider does not allow port 80 (for HTTP validation). You could start with Manual DNS validation (manually updating a TXT record in your domain DNS).

Once you have your certificate then you need to configure ORDS to use that certificate file (full chain file and private key file). https://docs.oracle.com/en/database/oracle/oracle-rest-data-services/23.4/ordig/installing-and-configuring-oracle-rest-data-services.html#GUID-0954D933-0DFF-415C-BAD0-45799C088194

Clients like Posh-ACME have a DynsDNS plugin. Home - Posh-ACME

4 Likes

It may help to also specify the key length, with something like:
--rsa-key-size 2048

3 Likes

I think I have some information as to what allows a port to be shown as "open". Oracle's ORDS has 3 primary configuration files. On Windows they're typically located in a folder similar to C:\app\product\21c\dbhomeXE\network\admin. The three files are: sqlnet.ora, listener.ora and tnsnames.ora. The port 1521 is specified in both tnsnames.ora and listener.ora
As you'll recall, I originally configured ORDS to work on Port 9090, and use the HTTP protocol. I tried to install ORDS, and reinstall it using port 80. When I checked out the ports with Open Port Check Tool - Test Port Forwarding on Your Router, the port 9090 was no longer open, but port 80 was open. When I went to the CertBot command windows and gave the command: >certbot certonly --webroot -w C:/app/product/ords --key-type rsa -d removed on request -v I got the response: >certbot certonly --webroot -w C:/app/product/ords --key-type rsa -d removed on request -v
I uninstalled ORDS again and used port 443. Same result.
So when I have port 80 open, I still receive errors from CertBot.
My goal was to have user traffic travel on port 9090 for httpS, similar to how it's traveling now for http. Any ideas?

Hello rg305
I tried adding that argument. The line I submitted to CERTBOT was:
certbot certonly --webroot -w C:/app/product/ords --key-type rsa --rsa-key-size 2048 -d removed on request -v
The verbose response was:
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: C:\Certbot\renewal*removed on request*.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for removed on request
Performing the following challenges:
http-01 challenge for removed on request
Using the webroot path C:\app\product\ords for all unmatched domains.
Creating a web.config file in C:\app\product\ords\.well-known\acme-challenge to allow IIS to serve challenge files.
Waiting for verification...
Challenge failed for domain removed on request
http-01 challenge for removed on request

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: removed on request
Type: connection
Detail: 98.110.226.5: Fetching http://removed on request/.well-known/acme-challenge/Rqx_RMBW7puQPCQRtLRaaYPi9qmM5U7Wp9sqmMAfKAs: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Cleaning web.config file generated by Certbot in C:\app\product\ords\.well-known\acme-challenge.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

1 Like
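The "Timeout during connect (likely firewall problem)" line above is the CA telling you it could not reach port 80 at all; nothing about the certificate or the webroot is tested until that connection succeeds. The script below is an added example (not from the thread, Certbot or Let's Encrypt) that reproduces the CA's side of an http-01 check: it drops a random token into `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP, and classifies the result the way a defender would want (port unreachable, server reached but wrong `-w` path, or some other host answering). The `demo_local` helper, the loopback server and the `example` names are assumptions made so it runs offline; against a real host you call `probe_http01("your.domain", r"C:\app\product\ords")` from a machine outside your LAN.

```python
"""Pre-flight check for an ACME http-01 webroot challenge (added example).

Not code from the thread, from Certbot or from Let's Encrypt. It mimics what
the CA does during validation: a random token is written under
<webroot>/.well-known/acme-challenge/ and fetched over plain HTTP. Port 80 is
the default because the CA always starts there; ORDS listening on 9090 or the
database listener on 1521 does not help the challenge.
"""
import functools
import http.server
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def write_probe_token(webroot: str) -> str:
    """Drop a random token file exactly where Certbot puts the real challenge."""
    token = secrets.token_urlsafe(32)
    target = Path(webroot) / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    (target / token).write_text(token, encoding="ascii")
    return token


def probe_http01(domain: str, webroot: str, port: int = 80,
                 timeout: float = 10.0) -> dict:
    """Fetch the probe token the way the CA would and classify the outcome."""
    token = write_probe_token(webroot)
    url = f"http://{domain}:{port}/{CHALLENGE_DIR.as_posix()}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace")
    except urllib.error.HTTPError as exc:
        # A web server answered, so forwarding works; the -w path is the problem.
        return {"ok": False,
                "reason": f"HTTP {exc.code}: server reached, but -w path does not "
                          "match its document root"}
    except (urllib.error.URLError, socket.timeout, TimeoutError) as exc:
        # Refused or timed out: the same failure the CA reports as "likely firewall problem".
        return {"ok": False,
                "reason": f"connection failed ({exc}): likely firewall or "
                          "port-forwarding problem"}
    finally:
        (Path(webroot) / CHALLENGE_DIR / token).unlink(missing_ok=True)
    if body.strip() != token:
        return {"ok": False,
                "reason": "a different server answered: port 80 may be forwarded elsewhere"}
    return {"ok": True, "reason": "challenge path is reachable from this vantage point"}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server used only by the local demo; silences request logging."""
    def log_message(self, *args):
        pass


def serve_webroot(webroot: str):
    """Serve a webroot on an ephemeral loopback port (stand-in for IIS/ORDS on port 80)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port() -> int:
    """Pick a loopback port nobody listens on, to simulate a blocked/forwardless port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_local(blocked: bool = False) -> dict:
    """Run the probe against a temporary webroot; blocked=True targets a closed port."""
    with tempfile.TemporaryDirectory() as webroot:
        server, port = serve_webroot(webroot)
        try:
            target = unused_port() if blocked else port
            return probe_http01("127.0.0.1", webroot, port=target, timeout=3.0)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(probe_http01(sys.argv[1], sys.argv[2]))   # real host: domain and webroot
    else:
        print("reachable:", demo_local())
        print("blocked:  ", demo_local(blocked=True))
```

A probe run from inside the same LAN may succeed through hairpin NAT while the CA still times out, so treat a local pass as necessary but not sufficient; the authoritative view is from an external address, which is what the Open Port Check Tool mentioned in the thread gives you.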

Two things to address.

#1:

What shows?:
certbot certificates

#2:

Is your system accessible from the Internet via HTTP?

2 Likes

Hello @rg305,
Here are the results of certbot certificates


Found the following certs:
Certificate Name: removed on request
Serial Number: 38cda745531c8cf49765d88f7762eb9ab36
Key Type: RSA
Domains: removed on request
Expiry Date: 2024-05-17 20:55:41+00:00 (VALID: 52 days)
Certificate Path: C:\Certbot\live*removed on request*\fullchain.pem
Private Key Path: C:\Certbot\live*removed on request*\privkey.pem


Do I just delete the contents of the "live" folder?
It has the dates of 2/17/2024

The server is currently supporting http. removed on request:9090/ords/f?p=108

I renamed the removed on request folder and got the same results.

No.
Please don't modify/delete anything within the c:\certbot\ folders.

You already have a valid cert:

What more do you need?

Where exactly?

2 Likes

Hello Again,
I named it back to the original.
That certificate is NOT working. Apparently Oracle requires an RSA certificate. That one was NOT RSA.
Phil

certbot disagrees with that statement:

2 Likes
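The disagreement above (the cert "was NOT RSA" versus certbot's `Key Type: RSA`) is exactly what the `certbot certificates` listing earlier in the thread settles, and it is worth reading that listing mechanically rather than by eye when ORDS is fed the `fullchain.pem` and `privkey.pem` paths it prints. The parser below is an added example, not code from the thread or from Certbot; the sample output is constructed to mirror the thread's listing (the serial number is the one quoted there, `example.invalid` is a placeholder domain, and a second expired ECDSA lineage is added to show the parser copes with more than one entry).

```python
"""Parse `certbot certificates` output and confirm key type and validity.

Added example, not code from the thread or from Certbot. SAMPLE_OUTPUT is
constructed: the serial number matches the thread, the domains are
placeholders, and a second (ECDSA, expired) lineage is invented to exercise
the parser on more than one entry.
"""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: example.invalid
    Serial Number: 38cda745531c8cf49765d88f7762eb9ab36
    Key Type: RSA
    Domains: example.invalid
    Expiry Date: 2024-05-17 20:55:41+00:00 (VALID: 52 days)
    Certificate Path: C:\\Certbot\\live\\example.invalid\\fullchain.pem
    Private Key Path: C:\\Certbot\\live\\example.invalid\\privkey.pem
  Certificate Name: old.example.invalid
    Serial Number: 0123456789abcdef
    Key Type: ECDSA
    Domains: old.example.invalid www.old.example.invalid
    Expiry Date: 2023-01-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: C:\\Certbot\\live\\old.example.invalid\\fullchain.pem
    Private Key Path: C:\\Certbot\\live\\old.example.invalid\\privkey.pem
"""

# "Field: value" lines; the field name is letters and spaces only, so the
# colon inside a timestamp or a Windows path never confuses the split.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")
# Certbot prints either "(VALID: N days)" or "(INVALID: EXPIRED)" after the date.
EXPIRY_RE = re.compile(r"^(?P<date>.+?)\s+\((?P<state>VALID|INVALID):\s*(?P<detail>.*?)\)$")


def parse_certbot_certificates(text: str) -> List[Dict[str, object]]:
    """Turn the listing into one dict per lineage, keyed by the printed fields."""
    certs: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Certificate Name":
            certs.append({"name": value})   # every lineage starts with this line
            continue
        if not certs:
            continue                         # header line before the first lineage
        cert = certs[-1]
        if key == "Serial Number":
            cert["serial"] = value
        elif key == "Key Type":
            cert["key_type"] = value.upper()
        elif key == "Domains":
            cert["domains"] = value.split()
        elif key == "Expiry Date":
            em = EXPIRY_RE.match(value)
            if em:
                cert["expiry"] = em.group("date")
                cert["valid"] = em.group("state") == "VALID"
                days = re.match(r"(\d+) days", em.group("detail"))
                cert["days_left"] = int(days.group(1)) if days else 0
            else:                            # unrecognised form: treat as unusable
                cert["expiry"], cert["valid"], cert["days_left"] = value, False, 0
        elif key == "Certificate Path":
            cert["fullchain"] = value
        elif key == "Private Key Path":
            cert["privkey"] = value
    return certs


def usable_rsa_certs(certs: List[Dict[str, object]], min_days: int = 7) -> List[str]:
    """Names of lineages an RSA-only consumer (such as the ORDS config here) can use."""
    return [str(c["name"]) for c in certs
            if c.get("key_type") == "RSA" and c.get("valid") and int(c.get("days_left", 0)) >= min_days]


if __name__ == "__main__":
    for cert in parse_certbot_certificates(SAMPLE_OUTPUT):
        print(cert["name"], cert["key_type"], "valid" if cert["valid"] else "INVALID", cert["days_left"], "days")
    print("usable RSA lineages:", usable_rsa_certs(parse_certbot_certificates(SAMPLE_OUTPUT)))
```

To run it against a live machine, pipe the real listing in: `certbot certificates | python this_script.py` with the `SAMPLE_OUTPUT` line swapped for `sys.stdin.read()`. If you want to confirm the key type from the PEM itself rather than from Certbot's bookkeeping, `openssl x509 -in fullchain.pem -noout -text` prints the `Public Key Algorithm` of the leaf certificate.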

Hi. The problem was with Oracle's ORDS release 23.4. Long story short, it creates a configuration file with multiple errors. The certificates from Let's Encrypt were fine.
Is there a way to remove the domain names from this post? It's in almost every reply.

Why would that be necessary?

1 Like

I prefer not to have the domain, ports, certificate info, etc. posted.

Hi @PhilMand I have edited my posts (the only ones I can edit) and "<redacted at OP's request>".

1 Like

Many Thanks Bruce5051.
Phil

2 Likes

@PhilMand you can edit your own posts; use the little pencil near where the Reply is

1 Like

Hmmm. I don't seem to have a pencil near my replies. However, I can now see the pencil near The Reply link on posts you made.