renewal - could not start HTTPS server for challenge: listen tcp :443: bind: address already in use

[tacoma50]

I am trying to renew a cert without stopping the httpd webserver first. This is the command I am using:

/opt/bitnami/letsencrypt/lego --tls --email="[email protected]"  --domains="dev1.xyz.com" --path="/opt/bitnami/letsencrypt" --http renew --days 90 

The command above works just fine if I stop the http server before issuing the cmd. But if I don't stop the http server, I see the error: "could not start HTTPS server for challenge: listen tcp :443: bind: address already in use"

How can I tell lego to not try to start the http server because it's already running?

Here is the full output:

/opt/bitnami/letsencrypt/lego --tls --email="[email protected]"  --domains="dev1.xyz.com" --path="/opt/bitnami/letsencrypt" --http renew --days 90 
Command returned: 2025/01/08 22:03:34 [INFO] [dev1.xyz.com] acme: Trying renewal with 834 hours remaining
2025/01/08 22:03:34 [INFO] renewal: random delay of 1m24.699347409s
2025/01/08 22:04:58 [INFO] [dev1.xyz.com] acme: Obtaining bundled SAN certificate
2025/01/08 22:04:59 [INFO] [dev1.xyz.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/17xxxxx/45xxxxxx
2025/01/08 22:04:59 [INFO] [dev1.xyz.com] acme: use tls-alpn-01 solver
2025/01/08 22:04:59 [INFO] [dev1.xyz.com] acme: Trying to solve TLS-ALPN-01
2025/01/08 22:04:59 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/17xxxxx/45xxxxx
2025/01/08 22:04:59 error: one or more domains had a problem:
[dev1.xyz.com] [dev1.xyz.com] acme: error presenting token: could not start HTTPS server for challenge: listen tcp :443: bind: address already in use

[ldez]

Hi,

The TLS challenge starts a server on the 443.
This is a requirement for this challenge.

So if you have something that already uses (binds) port 443, the lego server used for this challenge cannot start.

Is it your choice to use TLS challenge? Do you have some constraints?

[tacoma50]

Hi ldez,
Thank you for that explanation. I was only using the HTTP challenge because that was one of the examples given. 
Now I understand that with the --http option, lego needs to temporarily start its own http server in order to handle the challenge.... so of course lego's http server conflicts with my http server that is running on port 443 and 80. This explains why my renewal works when I stop my http server before I issue the renewal command.

So how can I renew my cert if I want to keep my http server running? My DNS provider is hover.com

My goal is to automatically run the renewal command from cron without the need for human intervention.

[ldez]

Sadly hover.com is not supported for the DNS challenge because there is no API #1255

What is your web server?

[tacoma50]

$ /opt/bitnami/apache/bin/httpd -v
Server version: Apache/2.4.62 (Unix)
Server built:   Sep  3 2024 14:26:49

[ldez]

Sorry, I misread your command, you are not using the HTTP challenge --http but the TLS challenge --tls but the problem is the same.

The TLS challenge --tls uses port 443.
The HTTP challenge--http uses port 80.

I think your web server is running in ports 443 and 80.
The 2 types of challenges will cause a port binding problem.

But if your web server doesn't run on port 80, you can use the following command (but I think it will not work):

/opt/bitnami/letsencrypt/lego --email="[email protected]" --domains="dev1.xyz.com" --path="/opt/bitnami/letsencrypt" --http renew --days 90

If the previous command doesn't work, you can use your web server to handle the HTTP challenge.

/opt/bitnami/letsencrypt/lego --email="[email protected]" --domains="dev1.xyz.com" --path="/opt/bitnami/letsencrypt" --http --http.webroot="<path_to_the_root_of_your_server>" renew --days 90

<path_to_the_root_of_your_server> is the path to the root of the web server (ex /var/www/html/)

Example:

/opt/bitnami/letsencrypt/lego --email="[email protected]" --domains="dev1.xyz.com" --path="/opt/bitnami/letsencrypt" --http --http.webroot="/var/www/html/" renew --days 90

https://go-acme.github.io/lego/usage/cli/obtain-a-certificate/index.html#using-an-existing-running-web-server

[tacoma50]

Hi
Using the --http.webroot option was the solution.
Thank you for all the help!

[ldez]

I hope you enjoyed my work, please consider donating.
This will be appreciated, thank you ❤️

https://github.com/sponsors/ldez