[SOLVED] Certbot opening port 8080

I'm running a website using port 8080, because port 80 doesn't work (for several reasons I don't wanna get into). It runs fine with http on port 8080; I just can't get it to work with certbot.

I ran this command: sudo certbot --nginx -d example.com:8080

It produced this output: Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: example.com
Type: connection
Detail: xxx.xxx.xxx.xxx: Fetching http://example.com: Timeout during connect (likely firewall problem)

OS: ubuntu 24.04
certbot version: certbot 2.9.0

You can run your website on whatever port you desire, but you can only perform acme validation on 80 for http-01 (it follows redirects to 443) or 443 for tls-alpn-01 (and 53 for dns-01, but that's quite different)

5 Likes

Is there any other way of doing ssl certification? I really need https.

You can probably use the dns-01 challenge. It's not as easy to automate but it works.

4 Likes

I'm using this method: How To Acquire a Let's Encrypt Certificate Using DNS Validation with acme-dns-certbot on Ubuntu 18.04 | DigitalOcean, but it doesn't give me a cname, and just goes directly to an error.

That's a pretty outdated tutorial, but acme-dns is still a good option. You should follow their first party documentation: GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

4 Likes

You could try a --manual DNS Challenge. We don't recommend that as a permanent option, but it would get you a cert quickly and then you'd have time to work out an automated renewal method like acme-dns.

See example:
https://eff-certbot.readthedocs.io/en/latest/using.html#manual

3 Likes

If you can control the DNS, you might check out

https://si.okiefrog.org/

It works for me.

4 Likes

When posting questions to this forum please provide the actual error and as much detail as you can. We've seen most errors and can probably help you guess the problem. It sounds like your acme-dns registration step is failing.

4 Likes

Ok, I got the fullchain.pem and privkey.pem certs. Now what do I do? (I'm very new to this.)

What do you need to do?

Different software has different ways of installing certificates. See ssl-config.mozilla.org

3 Likes

I did that and nginx -t gives me this error:
2024/08/01 17:09:10 [emerg] 5455#5455: SSL_CTX_load_verify_locations("/path/to/root_CA_cert_plus_intermediates") failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/path/to/root_CA_cert_plus_intermediates, r) error:10000080:BIO routines::no such file error:05880002:x509 certificate routines::system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed
(Btw, I set the config in /etc/nginx/sites-available.)

You shouldn't copy/paste the /path/to/signed_cert_plus_intermediates value verbatim, but change that value of ssl_certificate to the path to fullchain.pem as provided by Certbot. Same goes for /path/to/private_key but then the path to privkey.pem.

1 Like

I have done that for both already. I don't know what root_CA_cert_plus_intermediates means and what I should put instead of it; I only got fullchain.pem and privkey.pem.

Probably chain.pem, as it's being used for OCSP stapling. Certbot didn't mention chain.pem in its output, but the file is present in the /live/ directory next to fullchain.pem and privkey.pem.

1 Like
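To show how the two replies above map onto a real config, here is an added example (not from the thread or from the Mozilla generator) of a minimal nginx server block that serves the site over HTTPS on port 8080 using the files Certbot wrote under /etc/letsencrypt/live/. The domain example.com and the site root /var/www/example.com are assumptions; the OCSP stapling directives that referenced the placeholder path are left out.

```nginx
# Added example: HTTPS on port 8080 with a Certbot-issued certificate.
# Assumed: domain example.com, site root /var/www/example.com.
server {
    # "ssl http2" on the listen line works on the nginx 1.24 shipped with Ubuntu 24.04;
    # nginx >= 1.25.1 prefers a separate "http2 on;" directive.
    listen 8080 ssl http2;
    listen [::]:8080 ssl http2;
    server_name example.com;

    # Use Certbot's paths instead of the template placeholders:
    #   /path/to/signed_cert_plus_intermediates -> fullchain.pem (leaf + intermediates)
    #   /path/to/private_key                    -> privkey.pem
    # The live/ entries are symlinks, so a renewal followed by a reload picks up the new files.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS settings in the spirit of the ssl-config.mozilla.org "intermediate" profile.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # ssl_stapling / ssl_stapling_verify / ssl_trusted_certificate are optional and
    # deliberately omitted: the unfilled /path/to/root_CA_cert_plus_intermediates
    # placeholder is exactly what made "nginx -t" fail.

    add_header Strict-Transport-Security "max-age=63072000" always;

    root  /var/www/example.com;
    index index.html;
}
```

Run `sudo nginx -t` before `sudo systemctl reload nginx`, and add `--deploy-hook "systemctl reload nginx"` to the certbot renewal so the renewed files are loaded automatically.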

Thanks, now I got the website running with https!

3 Likes

Is this still a good explanation of ssl_trusted_certificate for OCSP?

If so, you shouldn't need to set it and it wouldn't be the chain.pem either

4 Likes

Yup.
And to my surprise, OCSP actually might not be a thing in the future (Yay!).

In my own experience, sometimes you will see a warning in the nginx log. Just update your root store or upgrade to a newer, supported CA if you have the chance.

It's nice to see you all, I'll go back to hibernate.

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.