3

I've found many similar questions, people asking how to set up SSL on different ports (other than 80/443), i.e. port 1234. However, all answers were like use redirection or proxying requests or dns-validation (instead of http) or use alternative approaches. However, nowhere can you find even a single answer in the StackExchange manner, I mean step-by-step for a newbie, on how to do that.

However, note that redirection is not a solution, because on 80/443 a person might have a regular website, but on port 1234 a completely different app. So, just "redirecting" from 1234 to 80 will mess up sites, right?

T.Todua
  • This one https://serverfault.com/questions/805666/certbot-letsencrypt-on-different-port-than-443 is a manual (hand-made) solution, which is not convenient. – T.Todua Dec 31 '21 at 18:48

2 Answers

4

It's perfectly fine to have Nginx on port 80 merely for the HTTP-01 challenge and then use the certificates created using it in other web applications or even another server software altogether. It doesn't need to perform any reverse proxying in order to serve http://example.com/.well-known/acme-challenge/, e.g.

server {
   listen 80;
   server_name example.com;

   location /.well-known/acme-challenge/ {
       alias /var/www/letsencrypt/.well-known/acme-challenge/;
   }
   location / {
       return 404;
   }
}

Furthermore, you don't necessarily need a web server listening on port 80 at all, as Certbot can use its own built-in web server for handling the challenges:

sudo certbot certonly --standalone --preferred-challenges http -d example.com
Esa Jokinen
  • The port `1234` is used in whichever application is used to serve the website. – Tero Kilkanen Nov 06 '20 at 23:30
  • You only need port 80 at the time the certificate is issued, usually once every 2 months per certificate. After that you can use the certificate everywhere you want. Think of using the certificate for an email server (SMTP&IMAP) which can't even answer an HTTP challenge, as it's not talking the HTTP protocol. Also, even with port 80 you won't use it FOR that port, but for TLS on another port, 443. – Esa Jokinen Nov 07 '20 at 12:40
  • Can you tell also for Apache? Thanks in advance. – T.Todua Mar 24 '21 at 18:55
0

To extend @Esa's nice answer, here are the exact steps I did for Apache:

  1. Generate the certificate as @Esa said.
  2. Go to /etc/apache2/ports.conf and change 80 or 443 to whatever port you want.
  3. Also in /sites-available/example.com change the VirtualHost to the desired port. Ensure that the directives for the SSL file paths (resulting from the certbot installation) are there.
  4. systemctl restart apache2

P.S. People who need this for WordPress, ensure that the redirection doesn't redirect to the old port. Before changing that in WP Dashboard > Settings, you can set this in `wp-config.php`:

define('WP_SITEURL','https://example.com:1234/');
define('WP_HOME','https://example.com:1234/');
T.Todua
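Steps 2 and 3 of this answer, written out as an added example (not the answerer's own configuration); it assumes the certificate was issued for example.com with certbot, so the files live under /etc/letsencrypt/live/example.com/, and that the app's document root is /var/www/app-on-1234:

```apache
# /etc/apache2/ports.conf
# Keep 80 for the regular site and for HTTP-01 renewals; add the extra TLS port.
Listen 80
Listen 1234

# /etc/apache2/sites-available/example.com.conf
# The separate app, served over TLS on port 1234 with the Let's Encrypt files.
<VirtualHost *:1234>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    # Disable legacy protocol versions; mod_ssl defaults vary by distribution.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    DocumentRoot /var/www/app-on-1234
    <Directory /var/www/app-on-1234>
        Require all granted
    </Directory>
</VirtualHost>

# Port 80 stays plain HTTP so certbot can still answer the ACME challenge at
# renewal time. Do not blanket-redirect it to :1234, or the challenge path breaks.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com
</VirtualHost>
```

mod_ssl must be enabled (`a2enmod ssl`) before the `systemctl restart apache2` in step 4; `apachectl configtest` will report a missing module or a wrong certificate path before the restart takes the site down.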