Create SSL for apache (WAMP)

Hello everyone! I tried to create certificates to ssl on my website, and still getting errors.

the domain is a ddns subdomain created in redirected to windows 10 running wamp.

My domain is: (apache only listen 8081 port)

I ran this command: (from CMD as admin)
certbot certonly --webroot -w C:\wamp64\www\juridico -d --http-01-port 8081 --agree-tos --email

It produced this output:
C:\Windows\system32>certbot certonly --webroot -w C:\wamp64\www\juridico -d --http-01-port 8081 --agree-tos --email
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Type: connection
Detail: Fetching Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): WAMP 3.3.0 64bits (apache - Mysql 8.0.31 on windows 10 22H2)

The operating system my web server runs on is (include version): Windows 10 22H2

My hosting provider, if applicable, is: localhost

I can login to a root shell on my machine (yes or no, or I don't know): "cmd" as admin.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no panels.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.2.0

I can see login page from, router with 8081 open in TCP/UDP, and trigger same ports, windows firewall with port 8081 open TCP and UDP, not installed any other alternative security softwares)

thanks in advance for any help.

Hello @zamael, welcome to the Let's Encrypt community. :slightly_smiling_face:

The HTTP-01 challenge of the Challenge Types - Let's Encrypt can only be done on port 80.
Best Practice - Keep Port 80 Open


As stated above, the HTTP-01 ACME challenge request will traverse the Internet via HTTP [port 80] only.

This will only change the local HTTP port [behind the firewall/NAT router (if one exists)]:


I know --http-01-port works with standalone. And, for apache and nginx authenticators to identify the virtual hosts that get the temp config changes.

But, what affect would it have with certonly webroot?


I only find one port open with nmap -Pn, namely 8081

$ nmap -Pn
Starting Nmap 7.80 ( ) at 2023-03-22 01:00 UTC
Nmap scan report for (
Host is up (0.19s latency).
Not shown: 999 filtered ports
8081/tcp open  blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 71.58 seconds

The command, as shown, should ignore the provided port.
--webroot should force the direct use of that path (ignoring the service port).
And certonly ensures that it won't try to install the cert.

So, it would have no effect.
The command is clearly NOT doing what they expect.


As http validation only starts on port 80 you would have to forward external port 80 requests from your router to the server on port 8081. That way when Let's Encrypt looks at your website to confirm you control the subdomain it will try but internally you will be forwarding that to http://:8081

Note that there are rate limits etc for domains and since you don't control so you may simply not be able to get a cert for that domain.


AND also:
Readjust the command line to get that alternate HTTP port used.
As the command was written, it won't be used at all.


hello! and thanks for all your replies.

I achive to create ssl certificates, open port 80 and create certificates with:

certbot certonly --webroot -w "C:/wamp64/www/" -d --agree-tos --email
and now is working on ssl.

Now, my big problem is:

today we have a 1 static public ip and 3 machines as a servers. Internally, we take ports to make difference between servers, so we have 3 servers (computers with windows 10 and wamp) running under same domain.

it's possible to create a ssl certificate to every server we have? all use same config (wamp 3.3.0 64bits)
this is why I try to create a certificate to specific port.

I don´t know if is the correct place to question this, but any piece of information will be appreciated.

P.S. sorry, poor english.

They all have the same name. That means you could use the same key and certificate on all three hosts.

You could also look into using a hostname based reverse proxy to make things easier and put all three severs on standard ports. You would probably need your own domain to pull that off, though. It might be a good project for another time.


The server uses Apache version 2.4.54.
Which is very capable of doing SNI.
You could easily obtain three separate names from and get a cert for each one.
And connect to them via the normal ports [HTTP & HTTPS].

curl -Ii
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2023 00:46:23 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1s PHP/8.0.26 mod_fcgid/2.3.10-dev
Last-Modified: Wed, 22 Mar 2023 17:09:20 GMT
Accept-Ranges: bytes
Content-Length: 63
Vary: User-Agent
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Content-Type: text/html

As an aside, it's worth mentioning that your own custom domain can be had for less than $10 USD per year and you can get a cloud hosted virtual machine to run your website on (linux, but windows is available) starting at about $3.50 per month (AWS lightsail).

It's harder to reliably host the infrastructure for a website yourself than it is to just let a cloud hosting provider do it for you, it's also potentially more expensive to host at home because you are paying for the electricity (which is around $50 per year for a basic machine and much more for a standard desktop) and if your machine is compromised via a remote hack you generally stand to lose more than just your website.


hey buddy!

thanks for your reply, indeed in this way, today I achive what I need.

3 diferents servers, using 3 external ports, using same certificate.

I have to say thank you to all of you guys for all comments, ideas and help.


tell me about maintaince of a structure to this proyect, but it's a requirement from client, because they need physical access to USB ports, bc they use a usb token to sign with certificates, files in pdf.

try to convince to use java applet for that, but no. he wants tokens (plural) coneccted to only one machine and everybody can sign, so ... here we are.

thanks anyways for time invested in your response.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.