Renew certificates using alternate port (not port 80)


#1

Hello,

I’ve run into a rather unique situation: I have both a website and a web radio on the same server. My webserver is running on 443 and the web radio on port 80. I like to keep the web radio on port 80 because many work firewalls block all ports for traffic except 443 and 80.

The problem is pretty obvious: when certbot is trying to renew the domain it is hitting my domain at port 80, which is the web radio, and that doesn’t work.

How can I configure/re-configure certbot to use an alternative way to renew? Right now I have to manually shut down the radio, reconfigure the Apache server and firewall to accept traffic on port 80, then renew, and then undo the process to get the radio back up…

Any tips? Thank you!


#2

Hi @cdev

How do you run your web radio on port 80? Is this a web application with a webserver?

Isn’t it possible that /.well-known/acme-challenge/ is handled by a webserver? If you want to use http-01 challenge, you have to use port 80. But you can use a proxy server or a redirect to another server.


#3

Yes, the web radio has its own web application. The default is set to port 8000 or something, but like I explained, I have my reasons to run it at port 80.

Could you elaborate or perhaps link a documentation page on how a proxy would be set up/work to renew the certificate? Thanks!


#4

You can use nginx as a simple proxy.

But my main idea was that you can change your web application directly. You must catch a GET /.well-known/acme-challenge/1234 and answer with the file content of 1234. If you use certbot with --webroot, certbot saves the file in the correct directory.


#5

Ah interesting, so technically if the web radio application has a document root I could perhaps tell certbot to create its content there and it should work? I will try that.


#6

Yep, that’s one idea, and it might work. However, I think he’s also suggesting that you could let your webserver bind to both 80 and 443, and proxy requests for your webradio. For instance, if your webserver is Nginx, you could use a proxy_pass directive to send all traffic for the /webradio path to your webradio service.


#7

And, if the webradio doesn’t use a distinct path, send all traffic besides /.well-known/acme-challenge/ to your webradio service (and not just /webradio) with the proxy_pass directive, and use a webroot for /.well-known/acme-challenge/ so certbot can use it.

(I’m not sure if webradios use a specific path, so I would opt for some “catch all” system for the radio part.)
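The setup described in #4, #6 and #7 (nginx on port 80, the challenge directory served from a webroot, everything else proxied to the radio) as an added example config; this is not from the thread or from certbot's documentation. It assumes the radio application listens on 127.0.0.1:8000 (the default port mentioned in #3), that the domain is example.com and that the webroot is /var/www/letsencrypt; all three are placeholders to replace.

```nginx
# Added example, not from the thread. Placeholders: example.com,
# /var/www/letsencrypt (certbot webroot), 127.0.0.1:8000 (radio backend).

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # ACME http-01 challenge: answered straight from disk, never proxied.
    # "^~" makes this prefix win over any regex locations added later.
    # certbot --webroot writes the token file under this directory.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Catch-all: every other request is the radio stream.
    # Buffering is switched off so the audio stream is passed through as it
    # arrives instead of being held until nginx's proxy buffer fills.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}

# Usage (placeholders as above):
#   mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
#   nginx -t && systemctl reload nginx
#   certbot certonly --webroot -w /var/www/letsencrypt -d example.com
#
# Check before renewing: drop a test file into the challenge directory and
# fetch http://example.com/.well-known/acme-challenge/<file> from outside the
# network. If the radio answers instead of the file contents, the location
# order is wrong and certbot will fail the same way.
```

The radio itself then listens only on its own port (8000 here) and is reached through nginx, so the work firewalls that only pass 80 and 443 still see the stream on port 80. This keeps the http-01 challenge on port 80 as #2 and #8 say it must be; the alternative that avoids port 80 altogether is the DNS validation mentioned in #8.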


#8

Or, of course, use DNS validation instead. But the bottom line, since I don’t see that the question has yet been directly answered, is no, you can’t tell LE to connect to a port other than 80.