Forwarded Domain Support


Ok, my setup might be a little complex due to the servers I have setup. I will TLDR; as much as I can.

  • I have a domain registered in
  • My TLD is forwarded to some landing page hosted by
  • I have a subdomain called home.TLD which points to my ISPs public IP provided to me
  • I have a container (lets call this SSL termination container) running this: which has the local IP which is listening to 11080 (for acme http verification) and 11443 which is then forwarded to another container (which I need the SSL for)
  • In short, the container serves as my SSL termination for services inside my network
  • In, I have the ability to create forwards. Ive created sslstream.TLD to forward to home.TLD:11080 (this way this could reach my home IP with a specific port)
  • In my router I have set to forward 11080 from the outside to the IP running the container
  • The Docker image lets you specify a domain to generate a certificate for, so i’ve set sslstream.TLD

So all in all

sslstream.TLD — (via url forwarding) —> home.TLD:11080 — (via port forwarding) —> ----> SSL termination container

My problem is, its not reaching it. I dont know if ACME challenge hates URL forwards or cant/wont do forwards or if its the container which is misconfigured.



I’m not exactly understand how’s url forwarding works, but I believe that let’s encrypt probably won’t follow this specific redirect…

Thank you


Hi @pogz,

Seems uses 2 types of url forwarding masked and redirect.

If you are using masked one then it won’t work because it uses frames and LE won’t understand them.

If you are using redirect, it could work, LE follows redirections but only to domains and only to ports 80 and 443 so if you are redirecting http://sslstream.tld to http://home.tld:11080 LE won’t follow the redirection. If you could forward http://sslstream.tld to http://home.tld and configure your home router to port forward port 80 from it to your internal server on port 11080 it would work because that port forwarding is transparent to LE.



Thanks man! Im avoiding grabbing port 80 from home.tld since a lot of my health checks would go haywire. But looks like I have no choice until I properly setup everything.

Greatly appreciate the clarification about what LE forwarding.


One other thing to bear in mind however: if you use a redirect then the domain displayed in the browser URL bar will be home.tld rather than sslstream.tld so you’ll need a certificate for home.tld (if you have port 80 forwarded to your internal server, that should be no problem to obtain). You can get both, of course, provided actually allows you to install certificates on their redirection servers (I don’t know).

If you want the sslstream.tld domain displayed in the browser, you may want to use a CNAME record rather than a redirect.

If you really want to avoid using port 80, you could try the DNS challenge, for example supports’s API.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.