I run a webserver only on port 30333 and I always get the following error message: "Unable to find a virtual host listening on port 30333 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 40443."
I have configured a VirtualHost here in /etc/apache2/sites-enabled/ssl.conf:

```apache
<VirtualHost 0.0.0.0:30333>
    ServerName tmtest.de
    SSLEngine on
    # Hardening
    SSLProtocol TLSv1.2
    # Path to the web content
    DocumentRoot /var/www/html/
</VirtualHost>
```
There are two other ways: tls-alpn-01, which runs on port 443 (it's not supported by Certbot at all), and dns-01, which requires you to create specific DNS TXT records in your DNS zone. For validation with the DNS method, you normally need to have a DNS provider API that lets you update DNS records from software.
```
sudo certbot --apache --preferred-challenges dns
```

Output:

```
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin
```
Hmm, doesn't work: `Too many flags setting configurators/installers/authenticators 'apache' -> 'manual'`
I now just opened Port 80.
But `sudo certbot --apache --http-01-port 40443` still responds with the answer above (virtual host not found). I think we have another problem here, don't we?
EDIT: I have no webserver running on port 443. On port 443 there is an OpenVPN server listening.
--manual is an alternative to --apache; you should replace --apache with --manual.
If you don't have a DNS provider API, this method isn't that great because it's truly "manual": you'll have to interactively repeat it every time you want to renew the certificate.
If you intend to allow the challenge on port 80, you shouldn't specify --http-01-port 40443. (The --http-01-port option doesn't let you choose the external port, which is required to be 80; it only lets you choose the internal port in case you have a firewall that forwards a port to a different port number, e.g. forwarding public port 80 to an internal host's port 8080 or something. So the only reason to use --http-01-port 40443 is if you have a firewall forwarding the externally-visible port 80 to port 40443 of this host.)
If you want to use a Let's Encrypt certificate (once it's obtained) with a port other than 443, Certbot's automated installer might not be the right choice because it probably won't understand which virtual host is relevant or appropriate to create or edit. HTTPS on port 443 is a very strong default and also the only default that Certbot understands when trying to install the certificate for you. There are certainly reasons to run HTTPS on other ports, but Certbot won't normally understand when you're trying to do this; in this case you can run certbot certonly and then edit your web server configuration manually after the certificate issuance succeeds.
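Putting that answer into a concrete Apache layout, as an added example that is not part of the original thread or of Certbot's own documentation: a plain port-80 virtual host that exists only so the CA can fetch the http-01 token, and the port-30333 virtual host from the question with the certificate lines that `certbot --apache` would normally insert. It assumes the domain tmtest.de and DocumentRoot /var/www/html from the question, Certbot's standard /etc/letsencrypt/live/<domain>/ file layout, and that port 443 stays with OpenVPN (so Apache never listens there).

```apache
# Added example, not from the original thread. Assumes tmtest.de and
# /var/www/html from the question and certbot's standard live/ paths.
#
# Obtain the certificate first with the webroot authenticator instead of
# the --apache installer, then reload Apache:
#   sudo certbot certonly --webroot -w /var/www/html -d tmtest.de
#   sudo systemctl reload apache2
# Renewal keeps working unattended as long as public port 80 is reachable.
# Needs mod_ssl, mod_rewrite and mod_headers (a2enmod ssl rewrite headers).

Listen 80
Listen 30333

# Plain-HTTP vhost: serves only the acme-challenge path, everything else
# is redirected to the real HTTPS port.
<VirtualHost *:80>
    ServerName tmtest.de
    DocumentRoot /var/www/html

    # certbot writes the challenge token under the webroot.
    <Directory /var/www/html/.well-known/acme-challenge>
        Require all granted
    </Directory>

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}:30333%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS vhost on the non-standard port. The two certificate lines are the
# part the automated installer cannot work out for a port other than 443.
<VirtualHost *:30333>
    ServerName tmtest.de
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/tmtest.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tmtest.de/privkey.pem

    # Hardening: TLS 1.2 and 1.3 only, server picks the cipher suite.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
```

Because the certificate was obtained with `certonly`, `certbot renew` will not reload Apache by itself; run the initial `certonly` with `--deploy-hook "systemctl reload apache2"` (or add a deploy hook to the renewal config) so the renewed certificate is picked up. The port-80 redirect must exempt `/.well-known/acme-challenge/`, otherwise the CA follows the redirect to port 30333, which is not a port it will validate on.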