Automated Let’s Encrypt with Certbot for Apache Running on a Different Port

If you want to use Let’s Encrypt certificates with your Apache server, but you have changed the HTTPS port to something other than 443, things get a bit tricky.

You can (obviously) go for the manual installation or use DNS auth if you can easily access your DNS server. But, if you have a very simple setup, like a server being behind a NAT and running on a different port, the standard way of using certbot no longer works.

I found the following setup to be working:

  • Set up a port forward for port 443 in your NAT. Since your server does not use this port, this will not do anything, yet.
  • Install certbot according to their tutorial
  • Now you would normally do
    $ ./path/to/certbot-auto --apache

    But this won’t work because you are using a different port.

  • Instead do a manual authentication with
    ./certbot-auto certonly --standalone
  • Follow the instructions to obtain the certificate.
  • Next, you can install the certificate yourself, or be lazy and use certbot’s installer for apache. Since you want it only to do the install (and not the authentication again) you have to call it like this:
    ./certbot-auto install --apache --cert-path /etc/letsencrypt/live/<your-domain>/fullchain.pem --key-path /etc/letsencrypt/live/<your-domain>/privkey.pem --chain-path /etc/letsencrypt/live/<your-domain>/fullchain.pem -d <your-domain>
  • Adapt the paths according to what the --standalone run of certbot told you.
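Because the certificate was obtained with the standalone authenticator, certbot's automatic renewals reuse it, so the port forward has to stay in place, and Apache has to be reloaded after each renewal to pick up the new files. The deploy hook below does that; it is an added example, not part of the original post, and it assumes the hook lives in certbot's /etc/letsencrypt/renewal-hooks/deploy/ directory and that `systemctl reload apache2` is the right reload command for your system.

```sh
#!/bin/sh
# Deploy hook for "certbot renew": certbot runs every executable in
# /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and
# exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<your-domain>) and
# RENEWED_DOMAINS (space-separated list) to it.
# WANTED_DOMAIN and RELOAD_CMD are assumptions; adjust them to your setup.

WANTED_DOMAIN="${WANTED_DOMAIN:-<your-domain>}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload apache2}"

# Return 0 if the space-separated domain list in $1 contains the domain $2.
domain_in_list() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if the lineage directory $1 holds non-empty fullchain.pem and
# privkey.pem, the two files Apache was pointed at by "certbot install".
lineage_ok() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

main() {
    domain_in_list "${RENEWED_DOMAINS:-}" "$WANTED_DOMAIN" || {
        echo "renewal did not cover $WANTED_DOMAIN, nothing to do"; return 0; }
    lineage_ok "${RENEWED_LINEAGE:-}" || {
        echo "missing cert files in ${RENEWED_LINEAGE:-<unset>}" >&2; return 1; }
    # Never reload a broken configuration: a failed reload leaves Apache down.
    apachectl configtest >/dev/null 2>&1 || {
        echo "apachectl configtest failed, not reloading" >&2; return 1; }
    $RELOAD_CMD
}

# Only act when certbot invoked us; sourcing the file elsewhere does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$@"
fi
```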

Comfortably search the arpwatch database

If you use arpwatch to track what is going on in your network, you will eventually search for an IP or MAC address in the arp.dat file. Here is a simple bash script which gives a nicer output than just using grep, and it also converts the Unix timestamp to a more human-friendly format:

#!/bin/bash
# Usage: ./arpsearch.sh <ip-or-mac>   (needs gawk, whose awk provides strftime)
# -F searches for the literal string, so the dots in an IP address are not treated as regex wildcards.
grep -F -- "$1" /var/lib/arpwatch/arp.dat | awk '{$3=strftime("%Y-%m-%d %H:%M:%S", $3); printf "%-20s %-20s %s %s\n", $1, $2, $3, $4}'