Authorization with port forwarding(80, 443 not available, dns-01 fails)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
I try to run dns-01 manual record challenge. We bought a domain name from a hosting provider, but we have our own dedicated server with hyper-v and bunch of VM’s. They are all connected, one of them hosts DNS is installed on other machine. I create the record in the dns manager. And it seems that it finds the record, but it still does not issue the certificate. We made a port forwarding to It is only accessible through 44444. So http validation is not an option as I understand

It produced this output:
[INFO] Answer should now be available at
[DBUG] Querying name servers for
[DBUG] Querying IP for name server
[DBUG] Name server IP identified
[DBUG] Using random name server
[INFO] Preliminary validation succeeded: 2CaTtULlsXI3kMuICFKD-wisX-bYqdJt8ORG4JMCdqE found in 2CaTtULlsXI3kMuICFKD-wisX-bYqdJt8ORG4JMCdqE
[DBUG] Submitting challenge answer
[DBUG] Send POST request to
[DBUG] Refreshing authorization
[DBUG] Send GET request to
[EROR] {
“type”: “urn:ietf:params:acme:error:dns”,
“detail”: “DNS problem: NXDOMAIN looking up TXT for”,
“status”: 400
[EROR] Authorization result: invalid

My web server is (include version):
we host qlik sense

The operating system my web server runs on is (include version):
windows server 2016

My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): win-acme.v2.05.246

if you are using manual dns, you need to actually change actual TXT record of requested domain accordingly.
it detected name server as, witch is private ip. it what real public faced DNS server?

I get this answer when I do nslookup
Server: router

Non-authoritative answer:

But the actual server IP is We do forwarding from the router on port 44444.
Regarding the TXT record. I do it on the DNS server which resides on And it seems that the acme client finds the record:
[INFO] Preliminary validation succeeded: 2CaTtULlsXI3kMuICFKD-wisX-bYqdJt8ORG4JMCdqE found in 2CaTtULlsXI3kMuICFKD-wisX-bYqdJt8ORG4JMCdqE

is that DNS server accessible from internet? or synced to public server?

how do I check that? And if it is not, how should I obtain the SSL for the domain

Your DNS seems to be hosted at Did you add the TXT record in their zone file editor? Or somewhere else?

Because I’m not really seeing your domain names DNS services being “relayed” to your IP address. It all ends at ns1 to

You’ve probably set up some kind of DNS resolver service locally with a zone for your domain name which can be used locally, but isn’t used globally.

as you got domain from you need to change DNS from that site.

Oh, I see. I will try to obtain the access, so I could edit in their zone file editor and then will update if it worked. Thanks. One more question, is it really not possible to do http-01 challenge if 80 or 443 ports are not available?

http-01 need to be first reply on port 80, but it will follow redirect to anything http or https.

Hi @Kapachinskas

checking your domain you should be able to use http-01 validation ( ):

Domainname Http-Status redirect Sec. G 200 0.110 H -14 10.026 T
Timeout - The operation has timed out 404 0.100 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at Port 80

Port 80 is open, checking /.well-known/acme-challenge/unknown-filename there is the expected result http status 404 - Not Found.

If you run Certbot on that server

Server: Apache/2.4.29 (Ubuntu)

with the webroot option, that should work.

I mean I don’t know why it says that it is Ubuntu server, because I’m logged in and this is Windows Server 2016. I tried to do the http-01 challenge with win-acme client, but no use. I’ve done it on other servers with no issues at all. But I had never encountered where the 80 port is not available directly. I lack the knowledge at the moment to fully understand how this port forwarding actually works.

Check the router configuration.

That may be routet to another server.

There running Certbot should work to create a certificate.

Thanks for the advice. I will try to do that sometime. But for now I resolved the issue by adding the DNS record in the right dns zone.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.