Automated Let’s Encrypt with Certbot for Apache Running on a Different Port

If you want to use Let’s Encrypt certificates with your Apache server, but you have changed the port for HTTPS to something other than 443, things get a bit tricky.

You can (obviously) go for the manual installation or use DNS auth if you can easily access your DNS server. But, if you have a very simple setup, like a server being behind a NAT and running on a different port, the standard way of using certbot no longer works.

I found the following setup to be working:

  • Set up a port forward for port 443 in your NAT. Since your server does not use this port, this will not do anything, yet.
  • Install certbot according to their tutorial
  • Now you would normally do
    $ ./path/to/certbot-auto --apache

    But this won’t work because you are using a different port.

  • Instead, do a manual authentication with
    ./certbot-auto certonly --standalone
  • Follow the instructions to obtain the certificate.
  • Next, you can install the certificate yourself, or be lazy and use certbot’s installer for Apache. Since you want it to do only the install (and not the authentication again), you have to call it like this:
    ./certbot-auto install --apache --cert-path /etc/letsencrypt/live/<your-domain>/fullchain.pem --key-path /etc/letsencrypt/live/<your-domain>/privkey.pem --chain-path /etc/letsencrypt/live/<your-domain>/fullchain.pem -d <your-domain>
  • Adapt the paths according to what the --standalone run of certbot told you.
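
A check to run around the steps above, as an added example that is not part of the original post: it reads an Apache configuration file, confirms that no `Listen` directive claims port 443 (the post's premise that the server does not use that port), and confirms after the `install` run that the certificate directives point into `/etc/letsencrypt/live/<your-domain>/`. The function names and the config file passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: checks on an Apache config file before and after the certbot steps.
# Usage (paths are placeholders): sh check.sh <apache-conf-file> <your-domain>

# Print every port named in a Listen directive, one per line, deduplicated.
# Handles "Listen 8443", "Listen 192.0.2.10:8443 https" and "Listen [::]:8443".
# Commented-out directives are skipped because their first field is not "Listen".
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' "$1" | sort -un
}

# Succeed only if no Listen directive claims port 443.
port_443_unused() {
    ! listen_ports "$1" | grep -qx 443
}

# Print the paths given to SSLCertificateFile, SSLCertificateKeyFile and
# SSLCertificateChainFile, with surrounding double quotes removed.
cert_paths() {
    awk 'tolower($1) ~ /^sslcertificate(key|chain)?file$/ { gsub(/"/, "", $2); print $2 }' "$1"
}

# Succeed only if the config names at least one certificate file and every
# such path lives under /etc/letsencrypt/live/<domain>/.
uses_letsencrypt_live() {
    conf=$1 domain=$2
    paths=$(cert_paths "$conf")
    [ -n "$paths" ] || return 1
    for p in $paths; do
        case $p in
            /etc/letsencrypt/live/"$domain"/*) ;;
            *) return 1 ;;
        esac
    done
}

if [ "$#" -eq 2 ]; then
    if port_443_unused "$1"; then
        echo "port 443 unused; Apache listens on: $(listen_ports "$1" | tr '\n' ' ')"
    else
        echo "Apache config claims port 443"
    fi
    if uses_letsencrypt_live "$1" "$2"; then
        echo "certificate directives point into live/$2"
    else
        echo "certificate directives do not (all) point into live/$2"
    fi
fi
```
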