4

I would like to find out how to set up Let's Encrypt on an Apache2 web server on ports that are not 443. In the past, I have been successful using CertBot to automatically set up port 443. However, I would like to find out a way to use Let's Encrypt to set up SSL on ports such as 99 or 8080, for example.

Since there is no easy way to set up certificates on non-default ports using Let's Encrypt Certbot, how would I go about manually setting up Let's Encrypt certificates on non-default ports?

Dan Vu
  • 41

2 Answers

3

You make modifications in Apache's /etc/apache2/ports.conf to tell Apache to listen on these different ports:

Listen 8080
<IfModule ssl_module>            
        Listen 446
</IfModule>

The steps would be:

  1. Create your SSL certificates:

    • Make directory to add certificates:

      mkdir -p /etc/apache2/ssl/example.com
      
    • Create a self signed certificate:

      sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/example.com/apache.key -out /etc/apache2/ssl/example.com/apache.crt
      
  2. Enable the ssl module with: sudo a2enmod ssl

  3. Make entries in your VirtualHost file (called example.conf), with sudo nano /etc/apache2/sites-available/example.conf

    <VirtualHost *:8080>
        ServerAdmin webmaster@localhost
        ServerName example.com
        DocumentRoot /var/www/html
    
    </VirtualHost>
    
    
    <IfModule mod_ssl.c>
    <VirtualHost *:446>
    
        ServerAdmin webmaster@localhost
        ServerName example.com
        DocumentRoot /var/www/html
    
        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
    
        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/example.com/apache.key
    </VirtualHost>
    
    </IfModule>
    
  4. Tell Apache to listen on the new ports by adding the ports to the /etc/apache2/ports.conf file:

    Listen 8080
    <IfModule ssl_module>            
        Listen 446
    </IfModule>
    
    <IfModule mod_gnutls.c>
        Listen 446
    </IfModule>
    
    • This tells apache to listen for SSL traffic on port 446 as against 443
  5. Enable the config files:

    sudo a2ensite example
    
  6. Restart apache:

    sudo systemctl restart apache2
    
George Udosen
  • 36,677
3

First you should read these answers:

Based on the above answers the steps are:

  • Create a new VirtualHost configuration file, dedicated to your additional port. Let's assume this is port 99, and the configuration file name is https-99.conf:

    sudo nano /etc/apache2/sites-available/https-99.conf
    

    The content of https-99.conf should look like this:

    <IfModule mod_ssl.c>
    
    Listen 99
    
    <VirtualHost *:99>
    
            ServerName www.example.com
    
            DocumentRoot /var/www/html-99
    
            <Directory /var/www/html-99>
                    Options None FollowSymLinks
                    AllowOverride None
                    # To enable .htaccess Overrides: AllowOverride All
                    DirectoryIndex index.html index.php
                    Order allow,deny
                    Allow from all
                    Require all granted
            </Directory>
    
            ErrorLog ${APACHE_LOG_DIR}/https-99.error.log
            CustomLog ${APACHE_LOG_DIR}/https-99.access.log combined
    
            SSLEngine on
            SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
            SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
    
    </VirtualHost>
    
    </IfModule>
    

    Copy the above content and in nano use: Shift+Insert for paste; Ctrl+O and Enter for save; Ctrl+X for exit.

  • Enable the configuration file:

    sudo a2ensite https-99.conf
    
  • Generate Let's Encrypt certificate files:

    sudo letsencrypt --apache certonly --rsa-key-size 4096 --email email@example.com -d www.example.com
    

    Where email@example.com and www.example.com must be real.

  • Open port 99 in the firewall:

    • If you use UFW you can do that by this command: sudo ufw allow 99/tcp

    • If you use IPTables: sudo iptables -A INPUT -p tcp -m tcp --dport 99 -j ACCEPT

  • Create the DocumentRoot directory:

    sudo mkdir /var/www/html-99
    
  • Put some simple content in the DocumentRoot directory:

    echo 'Hello!!!' | sudo tee /var/www/html-99/index.html
    
  • Reload Apache's configuration:

    • Ubuntu 14.04: sudo service apache2 reload
    • Ubuntu 16.04: sudo systemctl reload apache2.service
  • Try to open https://www.example.com:99 via the browser. The result should be:

    [screenshot]

pa4080
  • 29,831
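
Both answers rely on the same pairing: a Listen directive for the port, plus a VirtualHost on that port with SSLEngine on and a certificate path. The following Python check is an added example, not code from either answer; it audits configuration text for that pairing and reports which ports serve plain HTTP or a certificate outside /etc/letsencrypt/live/. The sample text and the `audit` function name are constructed for illustration.

```python
import re

LE_LIVE = "/etc/letsencrypt/live/"  # certificate directory used in the second answer

# Constructed sample: directives from both answers merged into one text,
# with "Listen 99" deliberately left out to show that finding.
SAMPLE_CONF = """
Listen 8080
<IfModule ssl_module>
    Listen 446
</IfModule>
<VirtualHost *:8080>
    ServerName example.com
</VirtualHost>
<VirtualHost *:446>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
</VirtualHost>
<VirtualHost *:99>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
</VirtualHost>
"""

LISTEN = re.compile(r"^[ \t]*Listen[ \t]+(?:\S+:)?(\d+)", re.I | re.M)
# Assumes one address per <VirtualHost>, as in both answers.
VHOST = re.compile(r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>", re.I | re.S)
DIRECTIVE = re.compile(r"^[ \t]*(SSLEngine|SSLCertificateFile)[ \t]+(\S+)", re.I | re.M)

def audit(conf):
    """Map each VirtualHost port to a list of findings (empty list = clean)."""
    listening = {int(p) for p in LISTEN.findall(conf)}
    report = {}
    for port, body in VHOST.findall(conf):
        port = int(port)
        seen = {name.lower(): value for name, value in DIRECTIVE.findall(body)}
        findings = report.setdefault(port, [])
        if port not in listening:
            findings.append("no Listen directive")
        if seen.get("sslengine", "off").lower() != "on":
            findings.append("plain HTTP")
            continue
        cert = seen.get("sslcertificatefile")
        if cert is None:
            findings.append("SSLCertificateFile missing")
        elif not cert.startswith(LE_LIVE):
            findings.append("certificate outside " + LE_LIVE)
    return report

if __name__ == "__main__":
    for port, findings in sorted(audit(SAMPLE_CONF).items()):
        print(port, findings or "ok")
```

To audit a real host, pass in the concatenated contents of ports.conf and the enabled site files instead of the sample.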