I want to set up certbot for a webserver on a different port than 443. I got the following error when running
certbot --apache -d <sub>.<domain>.<ext>
Failed authorization procedure. sub.domain.ext (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to external_ip:443 for TLS-SNI-01 challenge
After this error I've read the man pages, where I found this:
--tls-sni-01-port TLS_SNI_01_PORT Port number to perform tls-sni-01 challenge. Boulder in testing mode defaults to 5001. (default: 443)
Then I tried the following to correct this error:
certbot --apache --tls-sni-01-port 14831 -d <sub>.<domain>.<ext>
After adding the tls-sni-01-port, I got the same error.
Is it possible to install a certificate with a different port, or am I doing something wrong?
According to: https://community.letsencrypt.org/t/how-to-specify-a-port-different-from-443-for-the-dvsni-challenge/12753/4
This is not possible with certbot. You should take a look at the other implementation method here: https://community.letsencrypt.org/t/list-of-client-implementations/2103
if the case it's similar to my servers at a site, in which I have the public ip ports 80 and 443 forwarded to the private ip ports 8080 and 8443, you can do it this way: certbot certonly --manual
that will ask you to make available a hash in a particular URL, easily accomplished by creating a file in your root webserver directory with the requested contents, i.e http://your.site.com/178412ufhjakjkaslkasflalifalafllkdflkjf and the challenge being adsjaskldlkajsdlkasdlakjsldjalskdasdada
so you create /var/www/html/178412ufhjakjkaslkasflalifalafllkdflkjf, and its contents should be adsjaskldlkajsdlkasdlakjsldjalskdasdada
hope it helps
I was believing that
tls-sniis still possible, but based on the incident found, letsencrypt is advising people not to usetls-sniuntil future notice, for example the upcomingtls-sni-03spec with challenges.