80 port NAT redirected

Hi,

I have 2 IIS servers on my network that I expose using NAT. So I have one that redirects my domain name from a public port 80 address to server A, and server B is redirected to port 80 from a public port of 8080.

So server A is working well and certificates are renewing. The issue is server B. How can I get Certify to call the public port 8080 when applying the cert?

Thanks
Ian

You cannot avoid using port 80.

Certify is not making the challenge, Let’s Encrypt is and it requires the initial challenge to happen on port 80. Whatever server responds to port 80 can redirect the challenge response to other ports (like 443 on an already HTTPS server), but you cannot change where Let’s Encrypt will challenge first.

Perhaps the port 80 server can read the Host: header of the HTTP request and redirect to port 8080 when the domain belongs to the other server.

You may need the URL Rewrite module to be installed. Then make a rule checking {HTTP_HOST} against your domain name and if it matches, redirect to the new URL constructed from {HTTP_HOST}:8080 and {REQUEST_URI}. Let’s Encrypt will then resend the challenge to that redirect and hopefully complete.

As a side note… it sort of sounds like you should be using a load balancer or reverse proxy to direct port 80 traffic to each server to avoid using non-standard ports like 8080 or whatever you’re using for HTTPS x2.

1 Like
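As an added example (not code from the original thread or from Certify), here is what the URL Rewrite rule described in the reply above looks like in the `web.config` of the site that answers public port 80. It assumes `serverb.example.com` is the domain that belongs to server B and that the public port 8080 is NAT-mapped to server B's port 80; both are placeholders. The rule is scoped to the ACME challenge path only, so ordinary traffic for that host is not redirected, which is narrower than the reply's description.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Example only. Redirects Let's Encrypt HTTP-01 challenge requests for
             serverb.example.com (assumed hostname) arriving on this port-80 site
             to the public port 8080 that NAT maps to server B. -->
        <rule name="Redirect ACME challenge for server B" stopProcessing="true">
          <!-- Only the ACME challenge path is affected; everything else on this site is untouched.
               The match pattern has no leading slash because URL Rewrite strips it. -->
          <match url="^\.well-known/acme-challenge/.*" />
          <conditions>
            <!-- Host header must be server B's domain (optionally with an explicit :80). -->
            <add input="{HTTP_HOST}" pattern="^serverb\.example\.com(:80)?$" />
          </conditions>
          <!-- 302 (Found) rather than 301 so intermediaries do not cache the redirect.
               {REQUEST_URI} already starts with "/", so no slash is added after the port. -->
          <action type="Redirect" url="http://{HTTP_HOST}:8080{REQUEST_URI}" redirectType="Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two things to check before relying on this. First, if `{HTTP_HOST}` can arrive with a port suffix, the constructed URL would contain two ports; the condition above only admits a bare hostname or `:80`, so use a separate server variable or a back-reference if you need to strip it. Second, Let's Encrypt's published HTTP-01 behaviour is to follow redirects only to `http:` or `https:` URLs on ports 80 or 443, so a redirect to port 8080 is expected to be rejected by the validator even though the rule itself is correct; in practice the redirect target needs to be one of those ports (for example server B's HTTPS endpoint if it is mapped to public 443), or the challenge files must be served from the port-80 host itself, as a later reply in this thread does by sharing the `.well-known` folder.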

Other options include:

  • Use DNS challenge instead of http, then you don’t need to have port 80 (or any other port) open at all, just public DNS using one of the supported APIs, or use acme-dns.
  • Move your domain to a service such as Cloudflare, then you can either have them provision a certificate for you (with their proxying enabled) or use the DNS challenge API as normal in Certify.
1 Like

I had the same problem, ended up sharing the “well-known” folder from “server A” to “server B”.
This is because Let’s Encrypt always looks for the file through port 80.