Do I have to open port 80 just to renew?

Got 12 days left to renew. I think just getting a error because I don’t have port 80 open to my server. Can I renew with port 443 https?

Maybe I will open port 80 renew and close it again. That’s junk if have to do that?

-Raymond Day

1 Like

If you are using the HTTP-01 validation, your webserver will need to be accessible on port 80. You can read more here:

If you don’t want to keep port 80 open or manually open it before renewal, you will need to use a different validation method, either DNS-01 or TLS-ALPN-01.


That is what I did. I had port 80 to another server and had to delete that and set it to my main server then ran certbot --force-renewal just doing certbot renew gave a error.

Now it says I got 90 days.

Then I set port 80 back to the other server.

Don’t get why have to do that can’t they just use port 443. The https port?

1 Like

They used to allow HTTPS authentication.
But there was a nasty “loophole” that allowed some users within a shared server environment to get issued certs from any unsecured domain on that system (names which they did not own nor control).
So for the time being the default HTTPS authentication is no longer an option.
There is a new more secure HTTPS authentication option that is available, but it is not yet a default/standard included option with most web servers; called HTTPS-ALPN.
And there is always also DNS authentication; which requires an ACME client and a DNS service provider capable of updating the DNS zone via API.
And also, if the default port 80 server would just proxy the port 80 requests to all other internal systems, you could still use port 80 (without having to muck with your port forwarding every 60-90 days).
[most web servers can be used as reverse proxies securely]


You can validate on port 443 using the tls-alpn-01 challenge. To get started with this type of challenge, read

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.