Score:0

Setting up SSL for custom port in nginx - letsencrypt


I'm trying to enable SSL on a custom port (not 443), running a webpage. From searching around, I couldn't find much info that helped.

The server has unchangeable ports, external: 26143, internal: 80.

To enter the server (without SSL) you would type example.com:26143, and the system would see this as a connection to port 80.

How would I set up a certificate (Let's Encrypt) to enable SSL on this port?


From testing, it seems like whatever I do, it only accesses the server on port 80, even if I set it to 26143.

here is the nginx sites-enabled config:

server {
    listen 80;
    listen [::]:80;

    root /root/html;

    index index.php;
    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
    
        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    location /.well-known {
        root /var/www/ssl/example.com/;
    }
}

Commands I've tried are:

certbot --nginx -d example.com:26143
certbot certonly --standalone --preferred-challanges http -d example.com:26143
certbot certonly --standalone --preferred-challenges http -d example.com
certbot certonly --standalone --preferred-challenges http --http-01-port 26143 -d example.com
certbot certonly --nginx --preferred-challenges http --http-01-port 26143 -d example.com
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d example.com -m [email protected] --webroot -w /root/html
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d example.com:26143 -m [email protected] --webroot -w /root/html
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d example.com --http-01-port 26143 -m [email protected] --webroot -w /root/html
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d example.com --preferred-challenges http --http-01-port 26143 -m [email protected] --webroot -w /root/html

After some tweaking back and forth, the most common error I got was this:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: Invalid response from
   https://example.com/.well-known/acme-challenge/ho73up1dR3KU4V37awccOw2T5xsSILWUM365ZnwVEN4
   [159.81.xxx.xxx]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

The 404 is not from my system; it's from example.com:80 instead of example.com:26143. Also, I do not have access to modify the DNS records.


In my experience, Let's Encrypt and SSL have been kind of confusing, and together with the rate limits, I'm not able to troubleshoot enough to understand.

I know it should be possible, I just don't know how and/or what I'm doing wrong.

Any help would be appreciated.

digijay
There seems to be a redirect, because instead of the acme-challenge LE gets an HTML document with a 404 message. Also, IIRC LE only supports ports 80 and 443 (https://serverfault.com/a/805681)
Port 443 is not relevant, only port 80, since there is where the acme challenge needs to be.
Score:1

Let's Encrypt HTTP-01 challenges require port 80 to exchange validation data. The HTTPS server is never used. Port 80 is a hard requirement. If that is not an option, then DNS is the only other way.

There are test servers that you should use until you have the setup correct (lower rate limits, or maybe even no limit); only after that do you switch to the production servers.

Similar question: https://community.letsencrypt.org/t/port-4434-instead-of-443/61349
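To make the answer's point concrete, here is an added example that is not code from the question, the answer, certbot or Let's Encrypt. It models, without any network access, what an ACME HTTP-01 validator fetches and accepts (reconstructed from RFC 8555 section 8.3 and the JWK thumbprint rules of RFC 7638), and adds a check that the directory handed to `certbot --webroot -w` and the `root` nginx uses for `/.well-known` resolve the challenge path to the same file. The account key is a constructed sample, the helper names are my own, and the token and paths reused from the question are only there to show how its own configuration behaves: the CA builds `http://example.com/.well-known/acme-challenge/<token>` with no port, so `-d example.com:26143` is not an identifier at all, and the HTML 404 page quoted in the error can never equal the key authorization the CA is looking for.

```python
"""Added example (not code from the question, the answer, certbot or Let's
Encrypt): a socket-free model of what an ACME HTTP-01 validator fetches and
accepts, reconstructed from RFC 8555 section 8.3 and RFC 7638, plus a check
that certbot's --webroot directory and nginx's `root` resolve the challenge
path to the same file. Keys and tokens are constructed sample values."""
import base64
import hashlib
import json
import posixpath

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed sample account key (not a real key); only its public members matter.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",  # extra member: must NOT affect the thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: keep only the required public members, sort the keys,
    serialize with no whitespace, SHA-256, base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the CA expects at the challenge URL: <token>.<thumbprint>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def identifier_is_valid(identifier: str) -> bool:
    """ACME dns identifiers are bare hostnames. The validator always connects
    to port 80 (RFC 8555 8.3), so 'example.com:26143' is not an identifier."""
    return bool(identifier) and ":" not in identifier and "/" not in identifier


def challenge_url(identifier: str, token: str) -> str:
    """URL the CA fetches; note the plain-http scheme and the absence of a port."""
    if not identifier_is_valid(identifier):
        raise ValueError(f"{identifier!r} is not a valid ACME dns identifier")
    return f"http://{identifier}{ACME_PATH}{token}"


def http01_response_valid(body: str, token: str, account_jwk: dict) -> bool:
    """Trailing whitespace is tolerated; anything else (an HTML 404 page from
    whatever answers on port 80, for instance) fails validation."""
    return body.rstrip() == key_authorization(token, account_jwk)


def nginx_serves_from(root: str, request_path: str) -> str:
    """nginx `root` appends the full request URI to the root directory."""
    return posixpath.join(root.rstrip("/"), request_path.lstrip("/"))


def certbot_writes_to(webroot: str, token: str) -> str:
    """certbot --webroot -w DIR writes DIR/.well-known/acme-challenge/<token>."""
    return posixpath.join(webroot.rstrip("/"), ACME_PATH.lstrip("/"), token)


def webroots_agree(nginx_root: str, certbot_webroot: str) -> bool:
    """True when nginx would serve exactly the file certbot writes."""
    probe = "probe"
    return nginx_serves_from(nginx_root, ACME_PATH + probe) == certbot_writes_to(certbot_webroot, probe)


if __name__ == "__main__":
    token = "ho73up1dR3KU4V37awccOw2T5xsSILWUM365ZnwVEN4"  # token from the error in the question
    print("CA fetches:  ", challenge_url("example.com", token))
    print("expects body:", key_authorization(token, SAMPLE_ACCOUNT_JWK))
    # The body quoted in the question's error is an HTML 404 page, so validation fails:
    html_404 = '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>'
    print("404 page accepted?", http01_response_valid(html_404, token, SAMPLE_ACCOUNT_JWK))
    # The question's nginx maps /.well-known to /var/www/ssl/example.com/ while
    # certbot was given -w /root/html; that would 404 even with port 80 reachable:
    print("webroots agree?", webroots_agree("/var/www/ssl/example.com/", "/root/html"))
```

Run it as a script to see the URL and body the CA wants for the token from the question. The two things a defender checks before burning rate limits are exactly the two functions at the end: the body returned on port 80 of the bare hostname must be the key authorization, and the nginx `root` for the challenge location must be the same directory passed to `-w`.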

Typewar
Thank you for the explanation! In this case, for this situation, I guess I can use an off-site proxy connected to the server in order to use port 80. But that would probably only work for the proxy's hostname / domain, not the origin.
Typewar
Looking further into the issue, it seems like what I'm asking is not possible as of now. https://github.com/certbot/certbot/issues/2697
As I wrote in the answer, you need to have port 80 open and add the challenge response on that http server. Which port you use after that is not relevant.