Certbot renewal without HTTP Port


My domain is: cctv.tnwestpoint.co.uk

I ran this command: certbot renew --dry-run

It produced this output:
Attempting to renew cert (cctv.tnwestpoint.co.uk) from /etc/letsencrypt/renewal/cctv.tnwestpoint.co.uk.conf produced an unexpected error: Failed authorization procedure. cctv.tnwestpoint.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cctv.tnwestpoint.co.uk/.well-known/acme-challenge/DIc2ImfNPDgDLVJVkBNh6jfafang9mjSSnYrxD0VzH4: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cctv.tnwestpoint.co.uk/fullchain.pem (failure)

My web server is (include version): Apache 2.2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): n/a

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

My webserver I’ve configured to only allow HTTPs connections inbound and ideally I don’t want to be opening HTTP.

The above means I can only have the renewal since updating from 0.17 to 0.28.0 by enabling http inbound to the server. Is it possible to auto-renew with HTTPs only?


Hi @glennda37

yes, if you use http-01 validation.

You can use tls-alpn-01 - validation. But Certbot doesn’t support that, acme.sh does.

Or you use dns-01 validation.

Why isn’t it possible to open port 80? Security is a wrong argument, you can use redirects http -> https.


its a single box sat in my house and the only port needed was 443 (as its an app connecting to it, rather than browsers) which is why I was keeping the ports down, If it accepts http>HTTPS redirection I’ll leave 80 open and just use the redirect.

I’d initially just configured it on 443, so I had to add the 80 binding to get it to work.


Yes, that’s the solution. Add a 80-port binding and a redirect. But check that your redirect is correct, so that


is redirected to


not to


(sometimes seen).


Yes, I’ll ensure the requested page is re-written.