Cant get my cert due to ISP blocking port 80

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot --apache

It produced this output:certbot failed to authenticate invalid repose from

My web server is (include version): apache2

The operating system my web server runs on is (include version): ubuntu server 22.04

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):2.6.0

I know the issue is that since my ISP is blocking 80 traffic when it trys to hit my domain the traffic is getting dropped at my ISP. I tried requesting the cert on port 8080 and forward it to port 80 but it still trys to reach out to instead of so it fails when trying to get the certificate

If your ISP blocks port 80, there are two other challenge types you could try: TLS-ALPN or DNS-01. You can tell certbot to listen on any port you like, but the Let's Encrypt servers will always try to connect on port 80 when using the HTTP challenge.

But since you're using Cloudflare for your DNS, the DNS challenge should be a very viable option.


okay do you have any experience with that option? I can try and look into it tonight.

Maybe review this section on DNS Challenges first


I also have the problem of the ISP blocking port 80, so I have all my web traffic is on port 443.

I do not use Cloudflare so I'm not sure if the DNS challenge suggestion is meaningful. I do notice in the link provided for dns-plugins that they have a sample configuration file for the renewal function (/etc/letsencrypt/renewal).

In that file they have an option that says:

Uncomment to use the standalone authenticator on port 443
authenticator = standalone

When I use that option the renewal still fails. The log files show that they tried port 80 but not port 443.

Any suggestions? Port 80 is not an option with this ISP. Not even temporarily.

@cmhood Please open a new thread with your concerns. Advice for you will be much different


i got it working with the DNS 01 thanks guys


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.