Standalone http-01 challenge worked on port 8080 in past, but now it does not work


#1

Hello,

year ago, I configured my nginx reverse proxy to pass all requests on port 8080 to docker container running certbot in standalone mode and configured to listen on port 8080. Until “now” (don’t know exact date when it happened), it worked well, but now it does not work and documentation says, that for http-01 challenge I need to use port 80 only (in past, I swear, it wasn’t). Could you please confirm my finding and provide me with some more info about that change (why, when, etc.)?

Thank you in advance

P.S.: I really dislike changes like that (same when certbot changed renewal mechanism, so I can’t obtain new cert by renew using modified renew conf file), so I am asking, if it is possible to signup some info mailing list or something like that?


#2

Hi @happymaster23,

I’ve been working on this project since 2012 and I can assure you that it was never possible to get a certificate via validation to port 8080! The HTTP-01 challenge has always required the use of port 80.

Here, you can see people in 2015 complaining about this policy

and here in 2016

I wrote in some detail about this at

Hopefully this will be persuasive evidence that validation to port 8080 has never been permitted!

Anyway, perhaps your setup had some kind of firewall rule or Docker portmap forwarding port 80 to port 8080? Or perhaps your client was actually using a different challenge type, such as TLS-SNI-01 (on port 443)?


#3

Thank you for you reply,

you looks like a man who know what is talking about :-), so there must be some different explanation.

In my nginx conf, there is just one server section listening on port 8080 with just one location (set precisely to path where challenge file is) that is passing everything to container running certbot. So it is not possible, that challenge which arrives on port 80 is processed by that server listening on port 8080.

So, explanation could only be, that I was using tls-sni-01 (and don’t know about that) and something changed with that (maybe new version of certbot is using tls-sni-02?). My nginx proxy is configured with letsencrypt issued certs to reply on standard port 443, but this port is in no way routed to certbot container. Is it possible, that tls-sni-01 was happy enough when it see old (valid) cert for certain domain and issued new one? Because this is only possible explanation I could imagine. Something must change…


#4

I don’t see any possible explanation. But maybe you have some logs in /var/log/letsencrypt inside the container that will show particular challenges passing and then failing?


#5

Unfortunately, I don’t have historic logs that shows, how it worked in past. Recent looks like, that http-01 is reguested, than is fallback to tls-sni-01 and everything ends with error. In my renew config I have just installer set to none, authenticator set to standalone and http01_port set to 8080.

However, I found some evidence, that with renew (only, not when requesting new cert) it worked in past. See https://github.com/certbot/certbot/issues/2697#issuecomment-245575800


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.