The operating system my web server runs on is (include version): Debian 10
My hosting provider, if applicable, is: NoIP
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ssh
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0
I changed my internet operator and didn’t know that my new operator doesn’t provide normal port forwarding in their routers.
The router gives you the outside world port number that it will forward to the server. So now my server still uses port 443, but the router doesn’t allow forwarding traffic that comes to port 443 from outside. Instead, the router gave me port number 33672, which is forwarded to my server's port 443. So now I have to contact my server with the address infraplanning.com:33672.
That works, but now I can’t renew my Let’s Encrypt certificate with certbot. Is there any workaround for this problem?
Visible Content: Bad Request Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache/2.4.38 (Debian) Server at infraplanning.com Port 443
Normally, one port answers only with http or https, so the "Bad Request" checking http isn't a problem. https works as expected. There is only a self-signed certificate.
That's really bad, because using http-01 validation your server must have an open port 80.
So you have two options:
Ask your provider if there is a solution so you can use port 80 (or)
switch to another validation method, dns-01 + --manual is always possible.
But if your dns-provider doesn't support an API, you have to do that every 60 - 85 days.
You can issue and renew your certificate using DNS validation instead. This is the only workaround available if your ISP doesn't allow usage of ports 80 and 443.
But your current DNS provider (noip.com) doesn't make this easy. Their free service does not allow creation of TXT records, and on the paid plans I don't think they provide an API to modify TXT records, to facilitate automatic renewal.
There are other DNS hosts that make this easier. For example, Dynu is a dynamic DNS provider that is supported by a number of Let's Encrypt clients, such as acme.sh.
Thank you so much. I have to inspect how that --manual method works. It’s a bother to validate it every few months manually but it seems to be the only choice I have in the current situation.
On Sat, 6 Jul 2019 at 11:32, Juergen Auer via Let’s Encrypt Community Support (letsencrypt@discoursemail.com) wrote: