25

I want to set up certbot for a webserver on a different port than 443. I got the following error when running

certbot --apache -d <sub>.<domain>.<ext>

Failed authorization procedure. sub.domain.ext (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to external_ip:443 for TLS-SNI-01 challenge

After this error I've read the man pages, where I found this:

--tls-sni-01-port TLS_SNI_01_PORT Port number to perform tls-sni-01 challenge. Boulder in testing mode defaults to 5001. (default: 443)

Then I tried the following to correct this error:

certbot --apache --tls-sni-01-port 14831 -d <sub>.<domain>.<ext>

After adding the tls-sni-01-port, I got the same error.

Is it possible to install a certificate with a different port, or am I doing something wrong?

CaptainJack

3 Answers

15

According to: https://community.letsencrypt.org/t/how-to-specify-a-port-different-from-443-for-the-dvsni-challenge/12753/4

This is not possible with certbot. You should take a look at the other implementation method here: https://community.letsencrypt.org/t/list-of-client-implementations/2103

Orphans
    Certbots FAQ seems to say otherwise? https://certbot.eff.org/faq/#can-i-issue-a-certificate-if-my-webserver-doesn-t-listen-on-port-80 – Douglas Gaskell Sep 26 '17 at 01:58
  • @DouglasGaskell The FAQ has changed since this answer was posted. But that does not change the answer, actually. There is no way to issue an LE certificate on ports other than 80 or 443 according to the FAQ – Orphans Sep 26 '17 at 11:24
  • I see. However, it's good to note that you can use the DNS TXT record instead with certbot. I just did this last night. – Douglas Gaskell Sep 26 '17 at 16:54
  • You are correct, you are more than welcome to edit this answer with that information! @DouglasGaskell – Orphans Sep 27 '17 at 07:14
  • @DouglasGaskell would you please contribute your answer (step by step) to the community? I'd like to see the implementation too. – T.Todua Nov 06 '20 at 09:56
  • @T.Todua you can find it by searching for Certbot DNS-validation – Orphans Nov 10 '20 at 07:14
9

If the case is similar to my servers at a site, where I have the public IP ports 80 and 443 forwarded to the private IP ports 8080 and 8443, you can do it this way: certbot certonly --manual

That will ask you to make available a hash at a particular URL, easily accomplished by creating a file in your root webserver directory with the requested contents, i.e. http://your.site.com/178412ufhjakjkaslkasflalifalafllkdflkjf with the challenge being adsjaskldlkajsdlkasdlakjsldjalskdasdada

So you create /var/www/html/178412ufhjakjkaslkasflalifalafllkdflkjf, and its contents should be adsjaskldlkajsdlkasdlakjsldjalskdasdada

Hope it helps.
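Added example, not part of the answer above or of certbot itself: the mechanics behind `certbot certonly --manual` that the answer describes. The CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80 (the standard ACME HTTP-01 path, RFC 8555 section 8.3; the answer above describes it loosely as "a file in your root webserver directory") and expects the body to be the key authorization, i.e. the token, a dot, and the RFC 7638 thumbprint of the account key. The same key authorization, hashed and base64url-encoded, is what the DNS-01 TXT record mentioned in the comments carries, so a port-forwarded setup like the one in the answer can be checked from the inside before asking the CA to validate. Everything here is constructed for illustration: the account JWK is a toy value (not a real key), the local http.server stands in for the real webroot, and the token is the example value from the answer above.

```python
"""HTTP-01 / DNS-01 challenge mechanics with a local pre-flight check (constructed example)."""
import base64
import hashlib
import json
import os
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Path the CA requests during HTTP-01 validation (RFC 8555 s8.3).
CHALLENGE_DIR = ".well-known/acme-challenge"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as the ACME spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at the challenge URL: token '.' thumbprint (RFC 8555 s8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge TXT record: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the key authorization where the CA will fetch it; returns the file path."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def verify_http01(base_url: str, token: str, jwk: dict) -> bool:
    """Do what the CA does: GET the challenge URL and compare the body byte-for-byte."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except Exception:  # connection refused, 404, timeout: all mean validation would fail
        return False
    return body == key_authorization(token, jwk)


def serve_webroot(webroot: str):
    """Local stand-in for the web server (ephemeral port); returns (server, base_url)."""
    handler = partial(SimpleHTTPRequestHandler, directory=webroot)
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def demo() -> dict:
    """End-to-end run against a temporary webroot; returns the results for inspection."""
    # Constructed toy account key: NOT a real RSA modulus, only shaped like a JWK.
    jwk = {"kty": "RSA", "n": "constructed-modulus-not-a-real-key", "e": "AQAB"}
    token = "178412ufhjakjkaslkasflalifalafllkdflkjf"  # example token from the answer above
    webroot = tempfile.mkdtemp()
    place_challenge(webroot, token, jwk)
    httpd, base_url = serve_webroot(webroot)
    try:
        ok = verify_http01(base_url, token, jwk)            # file present: passes
        missing = verify_http01(base_url, token + "x", jwk)  # wrong token: 404, fails
    finally:
        httpd.shutdown()
        httpd.server_close()
    return {"ok": ok, "missing_token_ok": missing, "dns_txt": dns01_txt_value(token, jwk)}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the base URL would be http://<domain> on port 80 as seen from outside the NAT; if `verify_http01` already fails from the LAN (wrong webroot, the file served with a redirect, the forward to 8080 not in place), the CA's validation will fail the same way, which is the situation the question's error message describes for port 443. The `dns01_txt_value` output is what would go into the `_acme-challenge.<domain>` TXT record when the DNS route from the comments is used instead.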

3

I believed that tls-sni was still possible, but based on the incident found, Let's Encrypt is advising people not to use tls-sni until further notice, for example until the upcoming tls-sni-03 spec with challenges.

Michael