On Sun, 2023-04-23 at 06:47 +0930, Tim via users wrote:
On Sat, 2023-04-22 at 18:45 +0100, Patrick O'Callaghan wrote:
> My understanding is that it needs port 80 for the initial token
> negotiation to get the certificate to set up HTTPS. Requiring port
> 443
> would be a circular dependency.
[...]
And, testing that: If I disable all port 80 connections, I can
connect
to my webserver using HTTPS over port 443.
Their error message seems to indicate that *it* wants a connection
response from the webserver on port 80 with your site's domain name
in
the response headers (to prove you own the site). This seems to be a
bizarre requirement. Possibly the cert checker needs programming
better, rather than Apache needing something done to it.
That's entirely possible of course.
Nor should you really have to have a virtual host. You could be a
webserver that you own totally and it only serves your website. It
seems some oddball demands from the cert checker.
I do agree with that. I think it's a specific limitation of Certbot
itself, which (from discussions on the LetsEncrypt site) actually
messes with your Apache config while it's doing its testing. Other
implementations of the ACME protocol don't seem to require this, but
I'm just guessing.
poc