Setting up Certbot for use with nginx port 80 conflict

Help
1

Certbot requires an open port 80. However, I have nginx set up to route port 80 traffic through the SSL port. I'm confused as to how this should be set up.

My domain is: winvm.link

I ran this command: N/A

It produced this output: N/A

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Win 11 Pro 21H2

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

2

Certbot doesn't require that you let it listen on port 80. (It can, but there is no requirement)

Certbot is more than happy to use your existing webserver. You can either

  1. use the automatic way with certbot --nginx or
  2. tell certbot manually where the webroot is: certbot certonly --webroot -w /path/to/webroot --deploy-hook "service nginx reload" and install your certificates manually.
1 Like
3

What do you mean with "requires an open port 80"? The usual context such a phrase is used in combination with the http-01 challenge (which is part of the ACME protocol and not directly related to Certbot) where it means that the Let's Encrypt validation server should be able to connect on port 80 and retrieve some specific content. And that usually is related to things like firewalls, routers and/or ISPs blocking port 80.

2 Likes
4

Also, there are probably better clients on Windows.

Also/2, nginx on Windows? Why?

1 Like
5

It's the reverse proxy I knew of. I've had success running it in Home Assistant.
Everything works fine, except the hassle of manually renew my cert.

6

Thank you.

1 Like
7

I've started following these instructions...
Certbot instructions

8

Why manual renewal? You can probably automate it.

1 Like
9

I cannot recall exactly why, but when I set this all up, it was not possible using win-acme for auto-renewal with NC. Reason I'm trying cerbot.

10

Ok, just tell us when you encounter problems. certbot renew --dry-run should tell you if there are issues.

2 Likes
11

In setup, I receive the below error (-v option doesn't tell me any more)...

The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Here's my setup...

  • This whole thing is installed on a Hyper-V based Windows VM
  • This VM has a Static IP which I get from creating such through my VPN provider
  • My domain (winvm.link) is directed/linked to that IP
  • NGINX is stopped
  • Basic Windows security
12

Don't stop nginx, use the certbot webroot plugin instead of the standalone one.

certbot renew --webroot -w [path to webroot] --deploy-hook "[command to reload nginx]"

(assuming nginx accepts connections on port 80 -- you only need to run that command once. Then the autorenew timer should take over and remember your options.)

1 Like
13

With regards to the port 80 connections... I presently have nginx setup so that port 80 connections are routed to the SSL port. Should I remove that?

14

You can keep it, as long as you use the webroot you are redirecting to.

15

It's asking for my webroot... do I enter the nginx directory or create a new directory for this?

16

You enter the directory from which nginx serves static files.

It's the one containing the single "welcome to nginx" html page.

1 Like
17

I did not have such a directory, so this is what I came up with in my conf file...

worker_processes  1;
events {
    worker_connections  1024;
}

http {
	include       mime.types;
	include       C:/nginx/sites/radarr.conf;
	include       C:/nginx/sites/sonarr.conf;
	include       C:/nginx/sites/bazarr.conf;
	include       C:/nginx/sites/sabnzbd.conf;
	include       C:/nginx/sites/qbt.conf;
	default_type  application/octet-stream;
	sendfile        on;
	keepalive_timeout  65;

	server {
        
		root /static;

		error_page   500 502 503 504  /50x.html;
        	location = /50x.html {
        	root   html;
        		}
    		}
}
18

Does it work?

You can check with a a dry run renew.

19

I entered /static as the webroot and message comes back stating the directory doesn't exist. I've restarted nginx.

20

I assume it's because /static isn't a directory according to Windows