port 80 in use for another 24/7 running adapter #17

Closed
Diginix opened this issue Mar 23, 2023 · 10 comments
Labels
question Further information is requested

Comments

@Diginix

Diginix commented Mar 23, 2023

How do I have to set up acme if port 80 is only open in the router (port forwarding) for the moment I renew the Let's Encrypt cert every 3 months? The rest of the time port 80 has a forwarding rule for another device at home (nothing in the iobroker context).

Furthermore, the plenticore adapter has a setting to retrieve data from the photovoltaic inverter (local IP:80). This seems to be another issue for the acme adapter.

I can't change the port in the plenticore settings because the device delivers its data only over this port.

acme Log:

2023-03-23 07:53:09.366 - info: acme.0 (904308) starting. Version 0.0.2 (non-npm: iobroker-community-adapters/ioBroker.acme#881ca8139141522a885d60073ae14d7cb3ef1bab) in /opt/iobroker/node_modules/iobroker.acme, node: v16.19.1, js-controller: 4.0.24
2023-03-23 07:53:09.396 - error: acme.0 (904308) Failed to initiate any challenges
2023-03-23 07:53:09.436 - info: acme.0 (904308) Terminated (ADAPTER_REQUESTED_TERMINATION): Processing complete
2023-03-23 07:56:42.596 - info: acme.0 (904817) starting. Version 0.0.2 (non-npm: iobroker-community-adapters/ioBroker.acme#881ca8139141522a885d60073ae14d7cb3ef1bab) in /opt/iobroker/node_modules/iobroker.acme, node: v16.19.1, js-controller: 4.0.24
2023-03-23 07:56:43.825 - warn: acme.0 (904817) Saved account does not match maintainer email, will recreate.
2023-03-23 07:56:43.825 - info: acme.0 (904817) Registering new ACME account...
2023-03-23 07:56:44.926 - info: acme.0 (904817) Collection letsencrypt does not exist - will create
2023-03-23 07:56:45.559 - error: acme.0 (904817) uncaught exception: listen EADDRINUSE: address already in use 0.0.0.0:80
2023-03-23 07:56:45.561 - error: acme.0 (904817) Error: listen EADDRINUSE: address already in use 0.0.0.0:80
at Server.setupListenHandle [as _listen2] (node:net:1463:16)
at listenInCluster (node:net:1511:12)
at doListen (node:net:1660:7)
at processTicksAndRejections (node:internal/process/task_queues:84:21)
2023-03-23 07:56:45.561 - error: acme.0 (904817) Exception-Code: EADDRINUSE: listen EADDRINUSE: address already in use 0.0.0.0:80
2023-03-23 07:56:45.572 - info: acme.0 (904817) Shutting down challengeServer
2023-03-23 07:56:45.573 - info: acme.0 (904817) terminating
2023-03-23 07:56:45.574 - warn: acme.0 (904817) Terminated (UNCAUGHT_EXCEPTION): Without reason
2023-03-23 07:56:47.052 - error: host.iobroker instance system.adapter.acme.0 terminated with code 6 (UNCAUGHT_EXCEPTION)

@GermanBluefox
Member

GermanBluefox commented Mar 27, 2023

As for the plenticore adapter, it will be stopped during the cert update, as this adapter can automatically detect all instances on port 80 and stop/start them automatically.
For your router problem: maybe we can implement a proxy to your device. @raintonr ?

node.js has simple proxies, but of course there will be the problem with sockets.

@raintonr
Contributor

I have made some more detailed notes on HTTP-01 usage:

https://github.com/iobroker-community-adapters/ioBroker.acme#http-01

I would suggest using DNS-01 challenge, or yes, trying a named HTTP proxy of your choice.

@Diginix
Author

Diginix commented Mar 27, 2023

Sounds all very effortful compared to the past.
But do I need that at all?
I use the Let's Encrypt cert only in the web.0 adapter with a myfritz domain name. I don't need it in admin. For the moment I need a renewal every 3 months, I set up the port forwarding in my Fritzbox router for port 80 to the local iobroker IP. The rest of the 3 months the port is used for another device.
As long as these steps continue to work, I don't need the acme adapter I guess, or?

@raintonr
Contributor

Sounds all very effortful compared to the past.

In what way? The port configuration required for HTTP-01 challenges is identical.

Adapters can now actually share certificates rather than having to configure each adapter separately so that is actually easier.

DNS-01 challenges... well... depends if you find getting an API from your host easier than port forwarding, but that could actually be easier too.

But do I need that at all? I use the Let's Encrypt cert only in the web.0 adapter with a myfritz domain name.

If you want a proper (not self-signed) cert on web.0 then yes, you should use ACME.

I don't need it in admin.

So use self-signed or regular HTTP.

For the moment I need a renewal every 3 months, I set up the port forwarding in my Fritzbox router for port 80 to the local iobroker IP. The rest of the 3 months the port is used for another device. As long as these steps continue to work, I don't need the acme adapter I guess, or?

So every 3 months you do some manual port changes to let LE renew your cert? How is that easy?

FWIW, you can still do this with ACME. Set the port stuff up, run ACME, put the port stuff back how it was.

Sounds to me that we could help you by having ACME execute a script to set up/tear down port forwarding when needed. You would have to write your own script that it would execute though. And if the script fails then there's a chance your external service stops working. Not sure this is a good idea TBH.

What domain is your host you require a certificate on? If it's your own domain then I would strongly suggest using DNS-01 challenge.

@Diginix
Author

Diginix commented Mar 27, 2023

The LE cert renewal is done with the web.0 instance. I set up the port forwarding in the router. Then I activate this checkbox in the web instance and save.
This triggers the renewal. After it has successfully finished I remove the port 80 forwarding for iobroker and set it up for the other device.
I don't understand how the renewal should be done by the acme adapter. To let iobroker know what cert service and domain name I use, it was set up in admin. This part is moved to acme, but not the renewal.

My domain is a subdomain of myfritz.net. The company offers this for all its routers. I don't know whether there is a DNS-01 challenge for this instead of the port 80 stuff. I thought Let's Encrypt definitely needs port 80 for renewal.

Anyhow, my current cert is valid until 20 June. By then at the latest I have to know how the new stuff works. Especially if the old method won't work anymore.

@raintonr
Contributor

raintonr commented Mar 28, 2023

I set up the port forwarding in the router. Then I activate this checkbox in the web instance and save... This triggers the renewal. After it has successfully finished I remove the port 80 forwarding for iobroker and set it up for the other device.

I have noted in the ACME readme how you can achieve the same result (scenario 3/solution iv): https://github.com/iobroker-community-adapters/ioBroker.acme#http-01

I don't understand how the renewal should be done by the acme adapter. To let iobroker know what cert service and domain name I use, it was set up in admin. This part is moved to acme, but not the renewal.

No. The renewal is done with ACME 7 days before a certificate expires. Moreover, even if you renew manually using the steps I describe in the readme, you do not need to restart your web instance as new/renewed certificates are picked up automatically and instantly by any adapter that needs a certificate. Part of why this new process is so much better.

My domain is a subdomain of myfritz.net. The company offers this for all its routers. I don't know whether there is a DNS-01 challenge for this instead of the port 80 stuff. I thought Let's Encrypt definitely needs port 80 for renewal.

Yes, old LE method needed port 80 for order & renewal. As does ACME. No difference there as they both use HTTP-01 challenge.

In order to use DNS-01 challenge you need to demonstrate control of the domain. Unless you actually own a domain (and I'm assuming you do not have your own domain or otherwise you would not be using myfritz.net) you cannot do this.

I can still only guess at your use case, but it sounds to me like you have 1 server running on port 80 of your domain xxx.myfritz.net then a second server running on port 443 of xxx.myfritz.net for which you need a certificate. I would suggest:

  1. Go to https://freedns.afraid.org/ and obtain 2 free subdomains. Let's say you choose xxx.mooo.com & yyy.mooo.com

  2. Point these subdomains (in the afraid.org settings) at the IP address of xxx.myfritz.net or make them CNAME of xxx.myfritz.net.

  3. Install a hostname based proxy (I believe ioBroker.proxy will work - is this correct @GermanBluefox?). Configure the proxy as follows:

    • xxx.mooo.com port 80 -> send to your current server. If your current server is on the same host, move it to run on a port other than port 80 - doesn't matter which port you choose because you are going to forward public port 80 requests to that.
    • yyy.mooo.com port 80 -> send to port configured for ACME HTTP-01 challenges.
    • yyy.mooo.com port 443 -> send to port your secure web instance is running on.

  4. Configure ACME to obtain certificate for yyy.mooo.com using HTTP-01 challenge.

If you do this then you can have both your current service on port 80 and IoB secure web service constantly running and the secure service will be able to obtain/renew certificates automatically without the current manual intervention you are performing. Much better all round!

Anyhow, my current cert is valid until 20 June. By then at the latest I have to know how the new stuff works.

Do not worry, as described in the readme, the same result as you have now can be achieved. However, I would strongly recommend a better fully automated setup.

@Diginix
Author

Diginix commented Mar 28, 2023

Many thanks for your in-depth answers. Besides the currently used xyz.myfritz.net domains, I own my own domain with a DNS service. So, it should be possible to use something like a CNAME to be able to use the best-practice method with the DNS challenge and no need to edit/change the port forwarding rules in the router every 3 months.

@raintonr
Contributor

Yes, DNS-01 challenge should work if you own a domain and it is hosted with one of the supported providers. Is your ISP in the supported list here: https://www.npmjs.com/package/acme

@Diginix
Author

Diginix commented Mar 28, 2023

My own domain, usually used only for email but the provider offers DNS/CNAME config, is from the German provider/hoster goneo.de.
So, I'm able to set up a CNAME for xyz.myfritz.net, but it won't work for the LE DNS challenge I guess.
For the moment I'm fine with the knowledge you posted here and will see what I can use of it for future optimizations.

@raintonr
Contributor

No, goneo.de is not on the supported list. However, you could move to use Cloudflare free DNS which is supported.

Or use the name based proxy solution. Either way, seems you are happy with the answer so closing this issue.
