Use of "http-01-port" as flag (not during testing)

I’m using certbot standalone in docker. I would like to use --http-01-port.

When I specify http-01-port = 81 in the config file it works.

When I specify --http-01-port 81 as a command line flag, it errors:

certbot: error: unrecognized arguments: --http-01-port 81

The docs are confusing as it’s mentioned in the “testing” section:

The following flags are meant for testing and integration purposes only

…But I’ve seen this flag used in tutorials and StackOverflow and here - even when not testing.

So to summarize:

  • can I use it as a flag (or only in the config file)?
  • can I use it even when not testing?

Hi @lonix1,

Can you post the entire certbot line and which version of certbot you’re using please?

That’s all there is unfortunately. It’s run in docker, so docker logs certbot gives:

usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --http-01-port 80

I’m using version certbot/certbot:v0.38.0

Is it possible to use this option as a flag, and when not testing (i.e. staging server)?

Ok I see there is a new version, 0.39.0, let me try that first and see what it says…

Nope, docker logs certbot gives:

usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --http-01-port 80

Is it actually possible to use this option 1) as a flag, and 2) when not testing (i.e. not “staging”)?

Interesting, this is what I get while testing that flag.

$ sudo docker run -P certbot/certbot:v0.38.0 certonly --standalone --http-01-port 81 --register-unsafely-without-email --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Registering without email!
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): An unexpected error occurred:
IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
EOFError
Please see the logfiles in /var/log/letsencrypt for more details.

Interesting! Thanks for looking into it Phil!

But then I don’t understand how all those tutorials/etc manage to use this option??? Maybe something changed in the interim.

My workaround: it works for me, but only when I use it in the config file. And even when not testing.

I would prefer to use it as a flag, as then I can have more control in my workflow (scriptable) and less config files, but at least there’s a workaround.

Should I open an issue on github?

Do you have the same issue without using docker on certbot v0.38.0? I’m doubting that you will, but it’s worth checking. If you do have the same issue then at that point I’d open up a github issue.

It gets weirder - I took all the stuff from the config file and translated it to flags, so I run this:

docker run \
  -v certbot_data:/etc/letsencrypt/ \
  certbot/certbot:v0.38.0 \
  certonly \
  --standalone \
  --http-01-port 80 \
  --non-interactive \
  --rsa-key-size 4096 \
  --deploy-hook /etc/letsencrypt/foo/bar/baz.sh \
  --email me@example.com \
  --agree-tos \
  -d example.com -d www.example.com

And that works.

So the problem is the config file

  • When there is a config file, it doesn’t recognize the --http-01-port 80 flag
  • When there isn’t a config file it does recognize it

I would open a github issue with your findings. Nice research!

Thanks for confirming on your end. I opened an issue.


Can you clarify which config file?

A renewal file in /etc/letsencrypt/renewal?

Or a file that you are passing to -c/--config (e.g. cli.ini)?

I’m a bit puzzled by @Phil_LE’s confirmation - it seems like it worked for him and he ^C’d the email prompt?

@_az I mean the certbot config file, typically in /etc/letsencrypt/cli.ini

When I have that then I can’t use the flag (I get the error above). But when I move all the config in the file to flags instead, then the --http-01-port flag works without error.

Thanks. Couldn’t reproduce, though :frowning: .

$ cat /tmp/certbot-config/cli.ini
http-01-port = 1234

$ sudo docker run -v /tmp/certbot-config:/etc/letsencrypt --rm -it certbot/certbot:v0.38.0 \
-c /etc/letsencrypt/cli.ini certonly --standalone --http-01-port 4321 \
-d example.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Challenge failed for domain example.com
http-01 challenge for example.com
Cleaning up challenges
Some challenges have failed.

@_az I had a lot more than one config option in the config file. I’ll play around with it some more to track down the issue.

Thanks for trying to repro on your end, it helps.

Awesome. There are a few bugs in the ConfigArgParse library that Certbot uses (and that ultimately produces this error), so an exact way to reproduce would be a great thing to add to that issue.

@Phil_LE, @_az

I’ve tried many different ways, and can’t find an exact cause.

Since you guys can’t repro, the only explanation is this is a docker config problem.

That said, I did end up answering my original question:

  • yes the option can be used as a flag or in the config file
  • yes it can be used not just during testing (so the docs are incorrect)

I’m going to close that github issue. Thanks for assisting!


Just one last question - are you driving Docker using an API, perhaps?

Because how you split the CLI arguments tends to matter. If you pass in --http-01-port 8081 as a single string in the cmd array, then it will error like you describe.

The shell equivalent of doing so is by wrapping that part in quotes:

$ sudo docker run -v /tmp/certbot-config:/etc/letsencrypt --rm certbot/certbot:v0.31.0 \
certonly --standalone "--http-01-port 4321" \
-d example.com --dry-run
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --http-01-port 4321

No it turns out (I think at least) that it’s a yaml thing - docker-compose.yml file’s command was:

command:
  - certonly
  - --http-01-port=4321        # <------- gnu style option needs equals
  - --foo
  - --bar
  - -baz
  - -d example.com             # <------- unix style option needs space

This is not typically done, so there’s no docker docs on it, but it’s valid yml. It’s better to do it this way to keep it neat, commentable for each line, and easily modifiable via ansible. But then you need to know this quirk of yml which is that the long-form argument must use an = and doesn’t require escaping!

Thanks again and sorry for the false positive! :cry:

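The root cause in the last post is argparse behaviour, not certbot or docker: an argv token such as "--http-01-port 4321" (space inside one token, no "=") matches no option name and, because it contains a space, is demoted to a positional, which is exactly what "unrecognized arguments: --http-01-port 4321" reports. The following is an added example, not code from the thread or from certbot; it builds a small stand-in parser (assumption: only the options this thread mentions, a positional subcommand, the real certbot parser is much larger) and runs the three spellings seen above through it. It also includes a small lint for docker-compose `command:` lists that catches the broken form before certbot is ever started.

```python
#!/usr/bin/env python3
"""Why "--http-01-port 4321" as ONE argv token is rejected while
"--http-01-port=4321" is accepted. Stand-in parser, not certbot's."""
import argparse
import shlex


def build_parser():
    """Tiny imitation of the parts of certbot's CLI this thread touches
    (assumption: certbot's real parser is larger, but it is argparse-based
    and follows the same option syntax)."""
    p = argparse.ArgumentParser(prog="certbot")
    p.add_argument("command")                       # e.g. certonly
    p.add_argument("--standalone", action="store_true")
    p.add_argument("--dry-run", action="store_true")
    p.add_argument("--http-01-port", type=int, default=80)
    # A short option receives the rest of its token verbatim, so the YAML
    # item "-d example.com" arrives as " example.com" (leading space).
    # Strip it, as a domain-sanitising callback would.
    p.add_argument("-d", dest="domains", action="append", type=str.strip)
    return p


def parse(argv):
    """Return (namespace, unrecognized_tokens).

    certbot calls parse_args(), which exits with
    'error: unrecognized arguments: ...' when the second value is non-empty;
    parse_known_args() lets us inspect that list instead of exiting."""
    ns, unrecognized = build_parser().parse_known_args(argv)
    ns.domains = ns.domains or []
    return ns, unrecognized


def shell_argv(line):
    """Split a shell command line the way the shell would (quotes respected)."""
    return shlex.split(line)


def lint_compose_command(items):
    """Flag docker-compose `command:` list items that argparse will NOT read
    as a long option: '--name value' inside one item (a space, and no '='
    before that space) becomes a positional and ends up in
    'unrecognized arguments'. Returns the offending items."""
    bad = []
    for item in items:
        if item.startswith("--") and " " in item and "=" not in item.split(" ", 1)[0]:
            bad.append(item)
    return bad


if __name__ == "__main__":
    # Constructed inputs mirroring the spellings that appear in the thread.
    cases = {
        "shell, value quoted together with the flag":
            shell_argv('certonly --standalone "--http-01-port 4321" -d example.com --dry-run'),
        "compose list, '--http-01-port 4321' as one item":
            ["certonly", "--standalone", "--http-01-port 4321", "-d example.com"],
        "compose list, '--http-01-port=4321'":
            ["certonly", "--standalone", "--http-01-port=4321", "-d example.com"],
        "flag and value as separate tokens":
            ["certonly", "--standalone", "--http-01-port", "4321", "-d", "example.com"],
    }
    for label, argv in cases.items():
        ns, extra = parse(argv)
        status = "unrecognized arguments: " + " ".join(extra) if extra else "ok"
        print(f"{label:48} port={ns.http_01_port} domains={ns.domains} -> {status}")
    print("lint:", lint_compose_command(cases["compose list, '--http-01-port 4321' as one item"]))
```

Two things worth noting from the run: in the broken cases the port silently stays at its default (80) and only the leftover token is reported, which is why the real error message names the flag rather than the port; and the "-d example.com" single-item form only works because the value is stripped after argparse hands it over with a leading space, so it is safer to write either "-d=example.com" or two separate list items. Running `lint_compose_command` over the `command:` list of a compose file (after loading the YAML) catches the "--name value" form before the container is started.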
