Certbot renew port 80 issue

I don't understand why certbot is not renewing my cert. My router is forwarding 80 and 443 to my PC, and I can access my Foundry VTT server via unsecure browser connection. Is there a way to for me to get around this port 80 issue and renew my cert?

My domain is: foundry.koogdarma.com

I ran this command: certbot certonly --standalone -d foundry.koodgarma.com

It produced this output:

Saving debug log to C:\Certbot\log\letsencrypt.log

Renewing an existing certificate for foundry.koodgarma.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: foundry.koodgarma.com

Type: connection

Detail: Fetching http://foundry.koodgarma.com/.well-known/acme-challenge/lEQzeAdFYN1LumnTPgRNHCKY-9DriZiqfbiafTDzy6s: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Foundry VTT Version 9 – Build 255

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is:


A @ record points to my IP address

A foundry record points to my IP address

CNAME www.koodgarma.com

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I don’t understand this question.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.21.0

Hi @KoodGarma and welcome to the LE community forum :slight_smile:

Have you been able to connect to your PC via port 80 from the Internet?
If not, then either:

  • the port forwarding is "off"
  • your ISP is blocking port 80

In either case, HTTP accessibility is required when validating via HTTP-01 authentication.

That said, there is another authentication method that doesn't require port 80: DNS-01
Which requires the use of a DSP (DNS Service Provider) that supports DNS zone updates via API.
And a plugin (for that DSP) available to your ACME client.


It looks like your ISP uses CGNAT.

Per discussion below, apparently not.

1 Like

Thanks! How do I authenticate using DNS-01?

1 Like

Thanks! How can you tell that? and what does that mean?

1 Like

I don't see a CGNAT IP:

Name:    foundry.koodgarma.com

Using DNS-01 [best practice (automated)]:
Requirement #1: Use of a DSP that supports DNS zone updates via API
Q: Who is the DSP?
Requirement #2: Use an ACME client that has a plugin that supports your DSP.
[which clients will work can't be determined until DSP is known]

You can also (not recommended) run through the DNS-01 authentication manually.
Which can be useful only to test it once (and ensure that method can work for you).


Looking up the IP owner information says it's owned by Cox. Googling "Cox CGNAT" has a lot of people complaining about it. That doesn't mean it definitely is CGNAT, just that it's worth looking at.


A: I see *GoDaddy"?

koodgarma.com   nameserver = ns23.domaincontrol.com
koodgarma.com   nameserver = ns24.domaincontrol.com

Sorry I'm not understanding how to use the DNS-01 approach. Is there a different certbot command line that I need to run in the windows powershell to do that?

I would recommend that you switch to another Windows client.

  • Posh-ACME
  • Certify The Web

Thanks sorry bit of a noob how do I do that?

OR for a "one-time manual test"...

certbot certonly --standalone --manual \
--preferred-challenges=dns -d foundry.koodgarma.com

It requires installing another ACME client.
Start here:
ACME Client Implementations - Let's Encrypt (letsencrypt.org)


Is it okay for me to just copy and paste that command into the powershell?

Yes; but you have to be prepared to do the "leg work".
[update the DNS TXT record with the string certbot provides (before pressing ENTER to continue)]


Thanks really appreciate your help, but oh man, I'm feeling like I'm in way over my head with all of this! Not sure what to do next.

1 Like

The simplest path is HTTP-01 authentication.
But the main requirement there hasn't been met.
[Or, it has been met, but with much resistance]

Why can't you reach your PC via port 80 (from the Internet)?


I want to get a certificate for my website.
Implies you actually have a "website".
Thus far, the Internet can't reach your "website".
So, do you really have one?
What good would it do you to get a cert?
[that no one can see/reach]

So, your biggest problem right now is the inbound access to your PC from the Internet.
Once that has been figured out, the rest will be easy.


I don't understand why port 80 isn't working. I've got port forwarding set up in Netgear Orbi settings for both port 80 and 443 to my PCs internal IP address, and port 443 shows open using portchecker.co