How to renew for Dynamic DNS host with no port 80?


Now that TLS-SNI-01 has been deprecated, I’m curious as to how one is supposed to renew their cert when using a system where port 80 is not accessible and DNS is controlled by an external entity (Dynamic DNS)?


Hi Quanah,

If you can’t use the DNS-01 domain validation challenge or the HTTP-01 domain validation challenge your only remaining option at this time is TLS-ALPN-01. This is a new challenge type that operates over port 443. Client/webserver support is not yet universal. Your best bet is to refer to this thread: Which client support tls-alpn challenge?

If your DNS provider allows you to add CNAME records you may be able to use DNS-01 challenges by delegating the _acme-challenge record through a CNAME to a different DNS provider that you can update programmatically with an API. ACME-DNS is one example of a project that could help with this.

Hope this helps!


Thank for the answer, but it doesn’t appear to help. I should have mentioned I’m using Apache HTTPD, where TLS-SNI-01 worked fine. It does not appear that certbot’s TLS-ALPN is supported with Apache HTTPD even though Apache HTTPD has TLS-ALPN support (


Unfortunately not. You may have to shut down the webserver (to free up port 443), use an ACME client with a standalone TLS-ALPN-01 challenge server, and then start the webserver again.

If you can’t open port 80 and you can’t use TLS-ALPN-01 I would recommend purchasing a domain you can fully control and using DNS-01. Unfortunately TLS-SNI-01 is not an option moving forward because of the security issues that forced its deprecation.


That seems a limitation of certbot, not Apache. As I noted above, Apache supports TLS-ALPN via the mod_http2 module. So shouldn’t it be possible to make it so certbot can do TLS-ALPN with Apache2?


Unfortunately no, Apache supports the TLS ALPN field but it does not support the ACME TLS-ALPN-01 challenge type.


Also, some dynamic DNS services, such as Duck DNS, do let you set TXT records to perform ACME DNS validation.


I had to dig a bit, but apparently the service I’m using does as well. I’ll switch to that until such a time as Apache HTTPD implements TLS-ALPN. :wink: Thanks!