Hi all, I have a success story to share and a tip for other people using port redirection. I have a small server with Apache listening on port 4443, but not listening on port 443. I use iptables to redirect port 4443 to port 443 externally. As a result of my configuration, when letsencrypt tries to perform a tls-sni-01 authentication, the new/temporary VirtualHost doesn’t work because it is using the wrong port number.
The solution I found is to specify the port Apache is listening on using the “--tls-sni-01-port” command line option. The letsencrypt client will use this port instead of port 443 when creating the temporary VirtualHost, and then Apache will be able to respond to the SNI challenge properly. In my case, this meant changing the command line to “letsencrypt --server=https://acme-v01.api.letsencrypt.org/directory --domains=davidsherenowitsa.party --apache --tls-sni-01-port 4443”.
I hope this helps, and if anyone needs more help or clarification, I’m happy to assist!
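The setup described above, as an added example rather than the poster's own script: it assumes the iptables redirect is a nat PREROUTING REDIRECT rule sending public port 443 to the local Apache port (the post does not show the actual rule), uses a placeholder domain, and checks that something is listening on the Apache port before building the letsencrypt command, since a client pointed at a closed port fails the challenge with a confusing error. Note that Let's Encrypt has since retired the tls-sni-01 challenge type, so the --tls-sni-01-port flag is shown exactly as the post used it with the original client.

```shell
#!/bin/bash
# Added example, not the original poster's configuration.
# Assumptions: Apache listens locally on APACHE_PORT; inbound traffic on
# PUBLIC_PORT is redirected to it with an iptables nat REDIRECT rule.

APACHE_PORT=4443
PUBLIC_PORT=443
DOMAIN="example.invalid"   # placeholder; replace with the real hostname

# Build the iptables rule that maps the public port to Apache's port.
# Arguments: public_port apache_port
redirect_rule() {
  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s' "$1" "$2"
}

# Build the letsencrypt invocation from the post, passing Apache's real port
# so the temporary SNI VirtualHost is created on a port Apache serves.
# Arguments: domain apache_port
letsencrypt_cmd() {
  printf 'letsencrypt --server=https://acme-v01.api.letsencrypt.org/directory --domains=%s --apache --tls-sni-01-port %s' "$1" "$2"
}

# Return 0 if a TCP listener accepts connections on 127.0.0.1:<port>.
# Uses bash's /dev/tcp pseudo-device, so no extra tools are needed.
port_open() {
  ( exec 3<>"/dev/tcp/127.0.0.1/$1" ) 2>/dev/null
}

# Pre-flight: refuse to run the challenge unless Apache is really up on
# APACHE_PORT, then print the two commands an operator would apply.
preflight() {
  if port_open "$APACHE_PORT"; then
    echo "Apache is listening on port $APACHE_PORT"
    echo "Redirect rule:     $(redirect_rule "$PUBLIC_PORT" "$APACHE_PORT")"
    echo "Client invocation: $(letsencrypt_cmd "$DOMAIN" "$APACHE_PORT")"
    return 0
  fi
  echo "Nothing is listening on 127.0.0.1:$APACHE_PORT; start Apache first" >&2
  return 1
}

# Only run the pre-flight when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  preflight
fi
```

Run the script on the server itself: it exits non-zero if the Apache port is closed, and otherwise prints the redirect rule and the client command with the matching port, so the two numbers cannot drift apart.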