Setting up SSL for custom port in nginx - letsencrypt

Question

I'm trying to enable SSL on a custom port (not 443), running a webpage. From searching around, I couldn't find much info that helped.

The server has unchangable ports, external: 26143, Internal: 80.

To enter the server (without SSL) you would type example.com:26143, and the system would see this as a connection to port 80.

How would I set up a certificate (lets encrypt) to enable SSL on this port?

---

From testing, it seems like whatever I do, it only accesses the server on port 80, even if I set it to 26143

here is the nginx sites-enabled config:

server {
    listen 80;
    listen [::]:80;

    root /root/html;

    index index.php;
    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
    
        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    location /.well-known {
        root /var/www/ssl/example.com/;
    }
}

Commands I've tried are:

certbot --nginx -d example.com:26143
certbot certonly --standalone --preferred-challanges http -d example.com:26143
certbot certonly --standalone --preferred-challenges http -d example.com
certbot certonly --standalone --preferred-challenges http --http-01-port 26143 -d example.com
certbot certonly --nginx --preferred-challenges http --http-01-port 26143 -d example.com
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d example.com -m my@mail.com --webroot -w /root/html
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d example.com:26143 -m my@mail.com --webroot -w /root/html
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d example.com --http-01-port 26143 -m my@mail.com --webroot -w /root/html
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d example.com --preferred-challenges http --http-01-port 26143 -m my@mail.com --webroot -w /root/html

Some tweaking back and fourth, most common error I got was this:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: Invalid response from
   https://example.com/.well-known/acme-challenge/ho73up1dR3KU4V37awccOw2T5xsSILWUM365ZnwVEN4
   [159.81.xxx.xxx]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

The 404 is Not from my system, it's from example.com:80, instead of example.com:26143. Also, I do not have access to modifying the DNS records.

---

In my experience, lets encrypt and SSL has been kind of confusing, and together with the rate limits, I'm not able to troubleshoot enough to understand.

I know it should be possible, I just don't know how and/or what I'm doing wrong.

Any help would be appreciated

Answer 1

Let's encrypt http-01 challenges requires port 80 to exchange validation data. The https server is never used. Port 80 is a hard requirement. If that is not an option, then DNS is the only other way.

There is testservers that you should use until you have the setup correct (less rate limit, or maybe even no limit), first after that you switch to the production servers.

Similar question: https://community.letsencrypt.org/t/port-4434-instead-of-443/61349