Problem with port 80 - standalone

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: home-regions.ddns.net

I ran this command: certbot certonly

It produced this output: How would you like to authenticate with the ACME CA? I press 1 (spin up a temporary webserver) - standalone

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Headless Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 1.998 (local access only)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0 (installed from repository via apt)

The problem I have is that after temporarily shutting down Apache to free up port 80, it seems to authenticate, but certbot needs to connect to my Apache server, and it can't if it's shut down.

I followed instructions to create a standalone certificate by using certbot certonly, then selecting option 1. After entering my domain details and email address, it tried to authenticate using my domain on port 80, which, to create a standalone cert, I have to have free.

This is what happens during the authentication phase:

http-01 challenge for home-regions.ddns.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

Which tells me that it's looking for that folder on my webserver, but it's not there because I had to temporarily shut down Apache so that certbot can bind to port 80.

If you already have a working Apache, you don't have to use the standalone plugin. Which guide or how-to told you to do so? You could use either the apache plugin using --apache or the webroot plugin. See the Certbot user guide for more info: User Guide — Certbot 1.29.0 documentation

That said, I can't connect to your webserver on port 80 either. Looking at the domain, you're using a dynamic DNS service; is the IP address (68.0.184.86) of the hostname correct?


Yes, the A record points to my actual WAN IP address, and I should have mentioned, the certificate is for my email server running Postfix and Dovecot, I don't need it for my webserver.

Oh, and I just now found out, by calling my ISP, that they block incoming/outgoing on port 80 but do not block other ports; that's how I can run my email server. I run Apache on a non-common port and use the dynamic DNS service's port redirection, but currently I have Apache stopped so that I can attempt to get a standalone certificate for my email server.

It should be possible to also use your Apache to get a certificate for a hostname it doesn't actually know. At least, it works for my Apache configuration.

But it does require a working webserver on port 80. And currently, connections on your port 80 are timing out. Perhaps a firewall or NAT router preventing access?


Can I use a different port on certbot for the authentication?

Port 443 is also usable with the aid of the tls-alpn-01 protocol, but Certbot does not offer that challenge type. Other ACME clients might be able to, though. DNS using port 53 is also a possibility, but for automation it requires a DNS provider offering an API to add and remove TXT RRs. I don't think DDNS.net offers that.

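To make the port question in the two posts above concrete, here is an added example; it is not code from this thread, from Certbot or from Let's Encrypt. RFC 8555 derives the validation artifact of every challenge type from the same key authorization string, `<token>.<account key thumbprint>`: http-01 serves it as a file on port 80, dns-01 publishes the base64url SHA-256 of it as a TXT record (no inbound port needed, which is why it is the only option when an ISP blocks 80 and 443), and tls-alpn-01 puts the raw SHA-256 into a self-signed certificate presented on port 443 under ALPN `acme-tls/1`. The token and thumbprint below are constructed test values of the right shape, not real ones, and `feasible_challenges()` is an illustrative helper, not a Certbot function. One fact worth knowing alongside it: Certbot's `--http-01-port` only changes the port the standalone plugin listens on locally; the CA still connects to port 80, so it does not help when 80 is blocked upstream.

```python
"""Added example (not from the thread or from Certbot).

Computes the http-01, dns-01 and tls-alpn-01 validation artifacts that
RFC 8555 derives from one key authorization string, and reports which
challenge types a host can complete given the inbound TCP ports that are
actually reachable from the Internet.
"""
import base64
import hashlib

# Constructed values (base64url, unpadded), shaped like what an ACME server issues.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"

# Port the CA's validator connects to for each challenge type; dns-01 needs none.
CHALLENGE_PORTS = {"http-01": 80, "tls-alpn-01": 443, "dns-01": None}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token, a dot, the JWK thumbprint of the account key."""
    return f"{token}.{thumbprint}"


def http01_resource(token: str, thumbprint: str) -> tuple[str, str]:
    """Path and body the validator fetches over plain HTTP on port 80.

    Certbot's --http-01-port only changes the local listening port of the
    standalone plugin; the CA still connects to port 80.
    """
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, thumbprint))


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Value of the TXT record at _acme-challenge.<host>: base64url(SHA-256(keyauth))."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def tls_alpn01_ext_value(token: str, thumbprint: str) -> bytes:
    """32-byte digest carried in the acmeIdentifier extension of the self-signed
    certificate presented on port 443 under the ALPN protocol "acme-tls/1"."""
    return hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()


def feasible_challenges(open_inbound_ports: set[int], can_publish_txt: bool = True) -> list[str]:
    """Illustrative helper (not part of Certbot): challenge types this host can complete.

    open_inbound_ports: ports reachable from the Internet after ISP and NAT
    filtering.  can_publish_txt: whether a TXT record can be added to the zone,
    by hand (certbot --manual --preferred-challenges dns) or through an API.
    """
    feasible = []
    for name, port in CHALLENGE_PORTS.items():
        if port is None:
            if can_publish_txt:
                feasible.append(name)
        elif port in open_inbound_ports:
            feasible.append(name)
    return feasible


if __name__ == "__main__":
    path, body = http01_resource(TOKEN, THUMBPRINT)
    print("http-01     :", path, "->", body)
    print("dns-01      : _acme-challenge TXT", dns01_txt_value(TOKEN, THUMBPRINT))
    print("tls-alpn-01 : acmeIdentifier", tls_alpn01_ext_value(TOKEN, THUMBPRINT).hex())
    # The situation in the thread: ISP blocks 80, mail ports open, TXT only by hand.
    print("feasible with port 80 blocked:", feasible_challenges({25, 587, 993}))
```

The dns-01 and tls-alpn-01 artifacts are the same SHA-256 digest in two encodings, which is a useful sanity check when debugging a client: if the TXT value is not the base64url form of the bytes in the acmeIdentifier extension, the key authorization string was built wrongly.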

How would certbot react if using port redirection? Try my domain now, and you should see an unavailable notice. I created a port redirect to redirect port 80 to my Apache non-common port.

That should be enough to make Certbot work with Apache. You could try to get a certificate by running:

certbot certonly --apache -d home-regions.ddns.net

By the way, looking at the CT transparency logs at crt.sh | home-regions.ddns.net it looks like you already have a ZeroSSL certificate for your hostname? Why not just use that one?


I tried, but Google and most other email servers rejected it, so I cancelled it and reverted the Postfix config back to default.

Could have multiple reasons, to name a few:

  • incorrect hostname
  • incorrect certificate chain

I followed the advice and tutorial from a ZeroSSL member to the letter, and my Postfix log still shows Google rejected the certificate.

I wanted a cert for Postfix so that the email server can send emails to users that register on a site I'm installing, so I need to be able to test that first to make sure Postfix can send test emails to just about any email server, including Outlook and Gmail.

The rejection will usually explain why it was rejected.

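The reply above makes the practical point: the remote server's rejection text is in the Postfix log, so read it before changing anything. As an added example (not code from this thread or from Postfix), here is a small parser that pulls the `dsn=`, `status=` and the remote server's `said:` text out of `postfix/smtp` delivery lines, and separates outbound TLS events (`postfix/smtp`, where the certificate logged is the remote server's) from inbound ones (`postfix/smtpd`, where this server presents its own certificate). The log lines are constructed in the syslog format Postfix writes; the hostnames, queue IDs, addresses and the 550 reason are illustrative, not taken from the thread.

```python
"""Added example (not from the thread or from Postfix).

Parses constructed Postfix log lines to extract remote rejection reasons and
to tell outbound (postfix/smtp) TLS events from inbound (postfix/smtpd) ones.
"""
import re
from typing import Optional

# Constructed sample log, in the syslog layout Postfix uses.  Values are illustrative.
SAMPLE_LOG = """\
Aug 10 12:00:01 mail postfix/smtp[2231]: 4C1A2B3D4E: to=<user@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.4, delays=0.1/0/0.8/0.5, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.7.1 Message rejected: sending host 203.0.113.5 has no PTR record (in reply to end of DATA command))
Aug 10 12:00:03 mail postfix/smtp[2231]: 4C1A2B3D4F: to=<other@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK queued as 12345)
Aug 10 12:00:05 mail postfix/smtp[2231]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Aug 10 12:00:07 mail postfix/smtpd[2300]: Anonymous TLS connection established from client.example.com[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"relay=(?P<relay>\S+), .*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) "
    r"\((?P<detail>.*)\)$"
)
# The remote server's own words follow "said:"; Postfix appends which command it answered.
SAID_RE = re.compile(r"said: (?P<said>.*?)(?: \(in reply to [^)]*\))?$")
TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) (?P<peer>.+?): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)


def parse_delivery(line: str) -> Optional[dict]:
    """One outbound delivery attempt, or None if the line is not one."""
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    said = SAID_RE.search(rec["detail"])
    # Only present when the remote server rejected or deferred the message.
    rec["remote_said"] = said.group("said") if said else None
    return rec


def parse_tls(line: str) -> Optional[dict]:
    """One TLS handshake log line, tagged with which side's certificate it concerns."""
    m = TLS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # smtp = our client talking out (remote's cert); smtpd = our server (our cert).
    rec["direction"] = "outbound" if rec["daemon"] == "smtp" else "inbound"
    return rec


def summarize(log: str) -> dict:
    """Deliveries, the subset that were rejected, and TLS events, from a log blob."""
    deliveries, tls = [], []
    for line in log.splitlines():
        d = parse_delivery(line)
        if d:
            deliveries.append(d)
            continue
        t = parse_tls(line)
        if t:
            tls.append(t)
    rejections = [d for d in deliveries if d["status"] in ("bounced", "deferred")]
    return {"deliveries": deliveries, "rejections": rejections, "tls": tls}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for r in s["rejections"]:
        print(f"{r['qid']} to {r['to']} via {r['relay']}: dsn {r['dsn']} -> {r['remote_said']}")
    for t in s["tls"]:
        print(f"{t['direction']:8} {t['trust']:9} {t['proto']} {t['peer']}")
```

On the constructed data the rejection has nothing to do with any certificate (a missing PTR record), which is the kind of thing the reply is pointing at: the `said:` text names the actual cause. "Untrusted" on an outbound `postfix/smtp` line means the remote server's certificate could not be chained to a trusted root under `smtp_tls_security_level = may`; it says nothing about this server's own certificate, which only appears on the inbound `postfix/smtpd` side.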

Postfix was trying to send emails to Google using port 25, not 587, when using TLS.

And their rejection said... ?


Why would Google reject your ZeroSSL cert, but accept a totally unsafe self-signed cert?

When SENDING emails, your mail server's certificate is of no importance. Your TLS certificate from ZeroSSL or Let's Encrypt would be for your receiving mail daemon, not the sending mail client. Some other thing is problematic, and I wouldn't rule out an incorrect configuration.


It doesn't; Google and Outlook are rejecting any certificate. But I've been playing around with Postfix for a few days now, clearing the log file to be able to read it properly without having to sift through megabytes of log, changing this and that in config files, and now I've probably screwed it all up. So yeah, I'm going to forget it, but thanks for your help; it looks like it'll take weeks to get something working. So for now, I'll just uninstall Apache, Postfix and Dovecot, and just use the server as a Plex media server instead.

Well, that's most likely not necessary at all?
