Trying to encrypt traffic on a small home based webserver


#1

My home connection blocks port 80 and 443. I’ve set the apache server to listen on 81, but I don’t know how to make letsencrypt listen on a port other than 443.

I ran this command: sudo letsencrypt --apache

It produced this output: Failed authorization procedure. somedomain.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge

My domain is: a domain I’d rather not share

My operating system is (include version): Ubuntu Server 16.04

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2016-04-15T18:00:57

My hosting provider, if applicable, is: Home Internet connection

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Is there a way around this? Also, the IP address is dynamic so I’m using a Dynamic DNS service provided by Dynu to keep DNS up to date. Any tips in the right direction greatly appreciated!


#2

The HTTP-01 and TLS-SNI-01 challenge types require access to either port 80 or 443.

There’s another challenge type, DNS-01, that works via DNS. Basically, you have to create a TXT record for the domains you’re trying to get a certificate for. Certbot does not currently support this, but a number of other clients such as lego do.

This would require that your dynamic DNS provider allows you to create TXT records through some kind of API. As an alternative, you could use a regular domain with a CNAME record pointing to your dynamic DNS hostname. If you’re looking for free options, take a look at www.dot.tk and CloudFlare (they can be used as a DNS-only provider, and they have an API for pushing TXT records, supported by lego).
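As an added illustration of the DNS-01 challenge described above (this is not code from the thread, from Certbot or from lego): the TXT record that a DNS-01 client must publish is derived from the challenge token and the ACME account key, and a pre-flight check that the record is actually being served avoids the "could not connect / verify" failures seen with the other challenge types. The JWK, token and domain below are constructed sample values, not a real key or challenge.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Members that RFC 7638 feeds into a thumbprint, per key type (others such as kid/use are ignored).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographically ordered,
    serialised as JSON with no whitespace. Binds the challenge to your ACME account key."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """<token>.<thumbprint>; the CA recomputes this from the token it issued and your account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 publishes base64url(SHA-256(key authorization)), never the key authorization itself."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def dns01_txt_name(domain: str) -> str:
    """The record lives at _acme-challenge.<domain>; a wildcard name drops its leading '*.' label."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base

def txt_record_is_ready(token: str, jwk: dict, published: list) -> bool:
    """Pre-flight check: do the TXT strings currently served for the name include the expected value?
    Query your dynamic DNS provider's authoritative server and pass its answer here before
    telling the CA to validate; stale or missing records are the usual cause of DNS-01 failures."""
    return dns01_txt_value(token, jwk) in published

# Constructed sample data (not a real key or challenge): a truncated RSA JWK and a token.
SAMPLE_JWK = {"kty": "RSA", "kid": "acct-1", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbW", "e": "AQAB"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print(dns01_txt_name("somedomain.net"), "TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```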


#3

Ugh, that sounds a bit over my head. But I shall try anyways! Thank you.


#4

For dynamic DNS I’d stick with the normal verification methods. An A/AAAA record should be all you need.


#5

I’m using a self signed cert. That seems to be working.

How would I do with an A/AAAA record?


#6

To clarify, the “normal” verification methods (HTTP-01 and TLS-SNI-01) still require network access to port 80 or 443. If those are indeed blocked by your ISP, you’ll need to use DNS-01 as described earlier.

If you need any help with that, feel free to ask! :wink:


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.