26

I want to set up certbot for a webserver on a different port than 443. I got the following error when running

certbot --apache -d <sub>.<domain>.<ext>

Failed authorization procedure. sub.domain.ext (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to external_ip:443 for TLS-SNI-01 challenge

After this error I've read the man pages, where I found this:

--tls-sni-01-port TLS_SNI_01_PORT Port number to perform tls-sni-01 challenge. Boulder in testing mode defaults to 5001. (default: 443)

Then I tried the following to correct this error:

certbot --apache --tls-sni-01-port 14831 -d <sub>.<domain>.<ext>

After adding the tls-sni-01-port, I got the same error.

Is it possible to install a certificate with a different port, or am I doing something wrong?

4 Answers

17

According to: https://community.letsencrypt.org/t/how-to-specify-a-port-different-from-443-for-the-dvsni-challenge/12753/4

This is not possible with certbot. You should take a look at the other implementation method here: https://community.letsencrypt.org/t/list-of-client-implementations/2103

Orphans
  • 1,474
10

If the case is similar to my servers at a site, where I have the public IP ports 80 and 443 forwarded to the private IP ports 8080 and 8443, you can do it this way: certbot certonly --manual

That will ask you to make a hash available at a particular URL, which is easily accomplished by creating a file in your root webserver directory with the requested contents, i.e. http://your.site.com/178412ufhjakjkaslkasflalifalafllkdflkjf with the challenge being adsjaskldlkajsdlkasdlakjsldjalskdasdada

So you create /var/www/html/178412ufhjakjkaslkasflalifalafllkdflkjf, and its contents should be adsjaskldlkajsdlkasdlakjsldjalskdasdada

Hope it helps.

3

I believed that tls-sni was still possible, but based on the incident found, letsencrypt is advising people not to use tls-sni until further notice, for example the upcoming tls-sni-03 spec with challenges.

Michael
  • 131
0

I had this problem. What I did was to let the https traffic come in to port 443 as normal on my main server and then redirect relevant URLs internally (perhaps all of them) to the new port of a second web server process, which is the one you care about in this case. I use certbot for the externally facing server, which hence allows https access.

I am using nginx for the main outward facing server. In my default file in sites-enabled I first add something like

upstream internalserverid {
  keepalive 32; # keepalive connections
  server 127.0.0.1:3000; # non-standard port for the second server
}

Then I have a location block on the main server that starts like this, where pattern is the URLs you want to redirect, but just use / if you want to redirect them all.

  location /pattern {
    sendfile off;
    proxy_pass         http://internalserverid;
    proxy_redirect     default;
    proxy_http_version 1.1;
    ...
  }

This will work when your internal server can use http.