Let's encrypt new cert issue no longer working

Like desribed here:

can somebody confirm?
Renew existing certs works fine…

Maybe related to the fact that letsencrypt disabled one of the methods to register a certificate because it could be abused in some hosting scenarios:

1 Like

You are absolutely correct.

you have to call acme.sh with --standalone instead of --tls and open port 80 instead of 443. Then it works perfectly. May somebody fix this howto:


Add file add80.gw

 config redirect
         option target 'DNAT'
         option src 'wan'
         option dest 'lan'
         option proto 'tcp'
         option src_dport '80'
         option dest_ip '<TURRIS_IP>'  
         option dest_port '80'
         option name 'Turris  Lets encrypt'

Modify file get_acme.sh

 # Backup firewall config
 cp /etc/config/firewall  /etc/config/firewall~
 # Update firewall rules to remove any forward of port 80 on WAN (temporary port is 64436)
 cat /etc/config/firewall~ | sed -r "s/^(\s*)(option)(\s*)(src_dport)(\s*)'(80)'(.*)$/\1\2\3\4\5'64436'\7/" > /etc/config/firewall
 # Update firewall rules to allow access via port 80 from internet to acme.sh
 cat add80.gw >> /etc/config/firewall
 /etc/init.d/firewall reload
 # Stop lighttpd as acme.sh is starting its own daemon
 /etc/init.d/lighttpd stop
 # Trigger request to Let's Encrypt (and ensure to have the directory)
 mkdir -p /etc/lighttpd/certs
 ./acme.sh --issue --standalone -d <DOMAIN> --certhome /etc/lighttpd/certs --ca-path /etc/ssl/certs
 # Prepare the certificates for lighttpd
 ./acme.sh --install-cert -d <DOMAIN> --certhome /etc/lighttpd/certs  --cert-file /etc/lighttpd/host.crt --key-file /etc/lighttpd/host.key --fullchain-file /etc/lighttpd/fullchain.crt --reloadcmd  "cat /etc/lighttpd/host.crt /etc/lighttpd/host.key > /etc/lighttpd/hostkey.pem"
 # Start lighttpd again
 /etc/init.d/lighttpd start
 # Restore firewall to original state
 mv /etc/config/firewall~ /etc/config/firewall
 /etc/init.d/firewall reload

That is not completely correct. It was only disabled for issuance of new certificates. Renewal is - for now - still possible (please refer to: https://community.letsencrypt.org/t/important-what-you-need-to-know-about-tls-sni-validation-issues/50811 Renewals will continue to work with TLS-SNI, so if you only need to renew certificates, you don’t need to take any immediate action, but you should continue to keep your ACME client software up-to-date.)
But update of how-to should for sure be done.

Noted. Give me some time to investigate and update.

Edit: It will take some time. It requires small changes in whole guide cause the standalone vs. tls methods are using different ports.

OK, the guide is updated.

It is based on infromation provided by Let’s Encrypt and tests against Staging server. I did not change my certificates in real.


  • download newest acme.sh ; with the old one issuance did not work to me for unknown reason
  • DO NOT change you renewal procedure unless you generate completely new certificate with the new method ; right now renewal works with TLS-SNI