Unable to find a virtual host

Hi,

I run a webserver only on port 30333 and I always get the following error message:
Unable to find a virtual host listening on port 30333 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 40443.

I have configured a VirtualHost here in /etc/apache2/sites-enabled/ssl.conf:

    <VirtualHost 0.0.0.0:30333>
        ServerName tmtest.de

        SSLEngine on

        # Hardening
        SSLProtocol TLSv1.2

        # Path to the web content
        DocumentRoot /var/www/html/
    </VirtualHost>

Anyone have an idea why I get the error? Thanks

Hi @brotinger

do you want a certificate with that domain name? The domain name isn't registered ( https://check-your-website.server-daten.de/?q=tmtest.de ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| tmtest.de | | Name Error | yes | 1 | 0 |
| www.tmtest.de | | Name Error | yes | 1 | 0 |

So you can't create a certificate with that domain name.

PS: Use

<VirtualHost *:30333>

but that doesn't work with a non-existent domain name.

And your webserver must have an open port 80 if you want to use http-01 validation.

Yes, the domain name existing is definitely another thing that's needed in order to prove to the CA that you control it! :slight_smile:

Hi and thanks for the quick response.

The domain I mentioned is not the real domain, but the domain that I want a certificate for does exist.

I don't want to open port 80. Is that really necessary, or is there another way than “http-01” validation?

There are two other ways: tls-alpn-01, which runs on port 443 (it's not supported by Certbot at all), and dns-01, which requires you to create specific DNS TXT records in your DNS zone. For validation with the DNS method, you normally need to have a DNS provider API that lets you update DNS records from software.

I can change the DNS TXT records. But which value do I need to create?
Is this method possible with only TLS port 30333 open?

Run certbot with

--preferred-challenges dns

DNS validation requires a TXT entry _acme-challenge.yourdomainname. So you don't need an A/AAAA record, a running webserver or an open port 80.

But certificates are only valid for 90 days. You have to do that every 60 - 85 days.

PS: http-01 validation allows you to create a redirect http -> https, so http sends only redirects.

Thanks! Now I get:

sudo certbot --apache --preferred-challenges dns
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

Add --manual

https://certbot.eff.org/docs/using.html

Hmm, doesn't work:
Too many flags setting configurators/installers/authenticators ‘apache’ -> ‘manual’

I now just opened Port 80.
But sudo certbot --apache --http-01-port 40443 still responds with the answer above (virtual host not found). I think we have another problem here, don't we?

EDIT: I have no webserver running on port 443. On 443 there is an OpenVPN Server listening…

--manual is an alternative to --apache; you should replace --apache with --manual.

If you don't have a DNS provider API, this method isn't that great because it's truly "manual": you'll have to interactively repeat it every time you want to renew the certificate.

If you intend to allow the challenge on port 80, you shouldn't specify --http-01-port 40443. :slight_smile: (The --http-01-port option doesn't let you choose the external port, which is required to be 80; it only lets you choose the internal port in case you have a firewall that forwards a port to a different port number, e.g. forwarding public port 80 to an internal host's port 8080 or something. So the only reason to use --http-01-port 40443 is if you have a firewall forwarding the externally-visible port 80 to port 40443 of this host.)

If you want to use a Let's Encrypt certificate (once it's obtained) with a port other than 443, Certbot's automated installer might not be the right choice because it probably won't understand which virtual host is relevant or appropriate to create or edit. HTTPS on port 443 is a very strong default and also the only default that Certbot understands when trying to install the certificate for you. There are certainly reasons to run HTTPS on other ports, but Certbot won't normally understand when you're trying to do this; in this case you can run certbot certonly and then edit your web server configuration manually after the certificate issuance succeeds.
