Renew standalone does not use http01_port



I’m on debian 8 with certbot 0.10.2
I successfully generated a cert with the following command:
certbot certonly --standalone --http-01-port 4000 -w /home/letsencrypt -d
This allows me to generate the certificate without stopping the server.
The certificate works well with nginx.

Now I want to check the renew:
certbot renew --dry-run
I have the following error:

Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from 403 Forbidden

This is the file /etc/letsencrypt/renewal/ :

#renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

#Options used in the renewal process
account = e209a504e915174e35112ce32bbe9f95
http01_port = 4000
authenticator = standalone
installer = None
webroot_path = /home/letsencrypt,

I understand that the port 4000 is not used by the renew (while it worked for the creation).
I found no option to specify port at renew time, and found no thread here and there that answers this specific problem.
Any help will be much appreciated.


Let’s Encrypt will always attempt to contact your host on port 80–that isn’t configurable and is non-negotiable. The --http-01-port parameter tells certbot which port to listen on in case you have port forwarding or some other complication in place, which would take a connection on port 80 of a public-facing IP and send it to a different port of the host on which certbot is running. But no matter what you specify there, Let’s Encrypt is going to attempt to connect on port 80. If that isn’t possible or acceptable, you’ll need to look at DNS validation instead.


Hello Danb35
Thanks for your answer.

> Let’s Encrypt will always attempt to contact your host on port 80–that isn’t configurable and is non-negotiable.

From my point of view this is not exact. I launched certbot certonly --standalone ... while nginx was running and listening on port 80+443, and I did not configure any port forwarding or other complication. This means that certbot really listened on port 4000, and Let’s Encrypt really requested port 4000 at creation time.

But at renew time this was not the case.
Tell me if I’m wrong.


Well, yes, certbot will listen on whatever port you tell it to–and that setting will persist to renewal time as well.

I can’t account for what did happen, but this isn’t it.


ok mystery …
In that case I don’t see why there is such an option --http-01-port if it is not used. (I’m still not convinced… :slight_smile: )

Using another port would allow me to install and renew the certificate on any server, whether there is a web server or not, and whatever the server is: nginx, apache, nodejs etc. (of course the reconfiguration of the server is always necessary)

Now I’ll have to write several internal procedures, depending on which web server is running, and different if there is no webserver.

Disappointing… :frowning:


It is used, it just isn’t used in the way you think it is. It controls the port on which certbot listens; it does not control the port that Let’s Encrypt contacts–the latter is fixed by the ACME protocol as port 80.

…or use DNS validation as I suggested earlier.
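
The port-forwarding arrangement described in the replies above, sketched as an nginx server block (an added example, not configuration posted by anyone in this thread). The server name and the HTTPS redirect are assumptions; port 4000 is the `http01_port` value from the renewal file in the question.

```nginx
# Added example: example.com and the redirect are placeholders, not from the thread.
server {
    listen 80;
    server_name example.com;   # placeholder for the real certificate name

    # The Let's Encrypt HTTP-01 request always arrives on port 80.
    # Only the challenge path is handed to certbot's standalone listener,
    # which binds to the port given by --http-01-port (http01_port = 4000).
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:4000;
        proxy_set_header Host $host;
    }

    # Assumed behaviour for all other requests: send them to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With a block like this, nginx keeps port 80 and certbot only needs port 4000 while a challenge is in progress; outside of a renewal run, requests to the challenge path get an error from nginx because nothing is listening on 4000.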


all right thanks a lot for your help

