Lets Encrypt does not use port given in configuration (not 80) #2805

Closed
hauard opened this issue Dec 15, 2022 · 4 comments

@hauard

hauard commented Dec 15, 2022

Describe the issue you are experiencing

The addon does not use my custom port when running, thus it fails renewing certificate.
It only uses port 80, which for me is unavailable.

Log from failed renewal below

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

4.12.7

Steps to reproduce the issue

  1. Changed the port in the configuration, hit 'Save,' and started the addon.
  2. Rest is found in the logs

System Health information

System Information

version core-2022.12.6
installation_type Home Assistant OS
dev false
hassio true
docker true
user root
virtualenv false
python_version 3.10.7
os_name Linux
os_version 5.15.76-v8
arch aarch64
timezone Europe/Oslo
config_dir /config
Home Assistant Community Store
GitHub API ok
GitHub Content ok
GitHub Web ok
GitHub API Calls Remaining 4993
Installed Version 1.28.4
Stage running
Available Repositories 1157
Downloaded Repositories 11
Home Assistant Cloud
logged_in false
can_reach_cert_server ok
can_reach_cloud_auth ok
can_reach_cloud ok
Home Assistant Supervisor
host_os Home Assistant OS 9.4
update_channel stable
supervisor_version supervisor-2022.11.2
agent_version 1.4.1
docker_version 20.10.19
disk_total 219.4 GB
disk_used 14.3 GB
healthy true
supported true
board rpi4-64
supervisor_api ok
version_api ok
installed_addons File editor (5.4.2), Home Assistant Google Drive Backup (0.109.2), NGINX Home Assistant SSL proxy (3.2.0), Samba share (10.0.0), Node-RED (14.0.0), SSH & Web Terminal (13.0.0), Log Viewer (0.14.0), Mosquitto broker (6.1.3), Let's Encrypt (4.12.7), Grafana (8.1.0), InfluxDB (4.5.0), AppDaemon (0.10.1), MQTT IO (0.1.3), Glances (0.17.1), ESPHome (2022.12.0), Leaf2MQTT (44)
Dashboards
dashboards 3
resources 4
views 9
mode storage
Recorder
oldest_recorder_run 12. desember 2022 kl. 12:30
current_recorder_run 15. desember 2022 kl. 00:41
estimated_db_size 416.09 MiB
database_engine sqlite
database_version 3.38.5

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[09:19:40] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for mytopsecretdomain.com
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: mytopsecretdomain.com
Type: connection
Detail: 8.8.8.8 (top secret IP): Fetching http:https://mytopsecretdomain.com/.well-known/acme-challenge/BlFg34P6rEzwAZe3bRtyikQU5Hi3SJELUFAI07fqaWQ: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Additional information

No response

@hauard hauard changed the title Addon does not use port given in configuration (not 80) Lets Enctrypt does not use port given in configuration (not 80) Dec 15, 2022
@hauard hauard changed the title Lets Enctrypt does not use port given in configuration (not 80) Lets Encrypt does not use port given in configuration (not 80) Dec 15, 2022
@hauard
Author

hauard commented Dec 15, 2022

Edit:
Seems like the addon is using the custom port, but the Let's Encrypt servers are trying on 80 for the challenge files.

@hauard
Author

hauard commented Dec 15, 2022

Image of configuration-page for the addon:
image

Also tried adding this into the yaml manually:

ports:
  80/tcp: mysupersecretportnumber

and this:

ports:
  mysupersecretportnumber/tcp: mysupersecretportnumber

It looked like this:
image

An online port checker says the custom port is open when running the addon.

@avermeer-tc

This is not a supported feature. It only exists for testing and staging:

  --http-01-port HTTP01_PORT
                        Port used in the http-01 challenge. This only affects
                        the port Certbot listens on. A conforming ACME server
                        will still attempt to connect on port 80. (default:
                        80)

https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options
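
The behaviour quoted from the Certbot help text, as an added example that is not part of the original thread or of the add-on's code: a loopback listener stands in for Certbot's standalone server on a custom `--http-01-port`, and a simulated CA always dials public port 80. The `forwards` NAT table, the token and the key authorization are constructed for illustration.

```python
import http.client
import http.server
import threading

TOKEN = "constructed-token-0001"               # constructed sample, not a real ACME token
KEY_AUTH = TOKEN + ".constructed-thumbprint"   # constructed key authorization
PATH = "/.well-known/acme-challenge/" + TOKEN

class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != PATH:
            return self.send_error(404)
        body = KEY_AUTH.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):   # keep the demo quiet
        pass

def ca_validate(forwards):
    """Simulated CA: always dials public port 80. `forwards` is a hypothetical
    router NAT table {public_port: local_port}; loopback stands in for the WAN."""
    local_port = forwards.get(80)
    if local_port is None:
        return "timeout: nothing forwarded from public port 80"
    conn = http.client.HTTPConnection("127.0.0.1", local_port, timeout=3)
    try:
        conn.request("GET", PATH)
        body = conn.getresponse().read().decode()
        return "valid" if body == KEY_AUTH else "invalid response"
    except OSError as exc:
        return f"connection error: {exc}"
    finally:
        conn.close()

def demo():
    # Stand-in for certbot's standalone server on --http-01-port (ephemeral port here).
    srv = http.server.HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        return {"custom_port_only": ca_validate({port: port}),  # the setup in the issue
                "public_80_forwarded": ca_validate({80: port})}
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

Opening only the custom port publicly fails even though a port checker reports it open; validation succeeds once public port 80 is forwarded to the port the listener is bound to.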

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
