Implications of port forwarding non-standard HTTP ports

I have two local development Ubuntu servers which are on a 10.dot network in my home. I have configured my home router to forward public ports 80 and 443 to Server 1 on private ports 80 and 443, and to forward public ports 8080 and 8443 to Server 2 on private ports 80 and 443. Server 1 has a webserver running within a Docker container which is bound to ports 80 and 443, and Server 2 runs an Nginx webserver which listens on ports 80 and 443.

Normally, I would configure TLS by executing sudo certbot --nginx; however, for Server 2 (the one using non-standard ports), certbot identifies all the domain names but is unable to authenticate them. My assumption is that after I execute the command, the request is initiated, but then the Let's Encrypt server responds to the correct IP (my public home IP) on the incorrect ports (80 and 443 instead of 8080 and 8443), and it goes to Server 1, which obviously knows nothing about it, instead of Server 2.

Any thoughts (other than temporarily reconfiguring my router to use standard ports for Server 2) on how to resolve this?

Thank you!

1 Like

HTTP-01 challenges require port 80. If you are unwilling to do that, you are left with the DNS-01 option, because the TLS-ALPN-01 challenge also requires a standard port on 443.

I am not a fan of the use of non-standard ports as they tend to be detrimental to usability. I would employ hostname-based traffic routing were I in a similar environment. That comes with its own learning curve that is beyond the scope of this forum.

DNS-01 assistance is on-topic here, though, so if you have questions about how to set that up, you are in the right place.

4 Likes

To add to @linkp's well-described usage of ports 80 & 443 as well as the challenges; here is a link to the

  1. HTTP-01 challenge
  2. DNS-01 challenge
  3. TLS-ALPN-01

2 Likes

A cheap router cannot do HTTP host-based routing. You are stuck with routing all traffic to Server 1 and setting up a virtual host as a reverse proxy to Server 2.

That's essentially what hostname based routing is. Whether you deploy it directly in the router or on one of the servers shouldn't make much difference.

If that option is not to your liking, running DNS-01 on the host that uses non-standard ports would be another option.

Obtaining the certificates on server one and copying them to server two is another option, but it is my least favorite.

4 Likes
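The "virtual host on Server 1 as a reverse proxy to Server 2" option, written out as an added example (not configuration posted in this thread). It assumes an Nginx instance on Server 1 owns the forwarded public ports 80 and 443, that Server 1's existing Docker web server has been moved to local ports 8081/8444, and placeholder names server1.example.com / server2.example.com with Server 2 at 10.0.0.20; port 80 is routed by Host header so the HTTP-01 challenge for Server 2's name reaches Server 2, and port 443 is routed by SNI without decrypting, so each server keeps terminating TLS with its own certificate.

```nginx
# Added example; hostnames and 10.0.0.20 are placeholders, not from the thread.

http {
    # Host-header routing on port 80. The /.well-known/acme-challenge/ requests
    # for server2.example.com are proxied through, so certbot on Server 2 can
    # answer HTTP-01 even though the router only forwards 80 to Server 1.
    server {
        listen 80;
        server_name server2.example.com;
        location / {
            proxy_pass http://10.0.0.20:80;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Server 1's own site (Docker web server assumed moved to 127.0.0.1:8081)
    server {
        listen 80 default_server;
        server_name server1.example.com;
        location / {
            proxy_pass http://127.0.0.1:8081;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

stream {
    # SNI-based routing on port 443: read the ClientHello, do not terminate TLS.
    # Server 2 keeps its own certificate and private key; Server 1 never sees
    # the plaintext. Unknown names fall through to Server 1's own HTTPS.
    map $ssl_preread_server_name $backend {
        server2.example.com 10.0.0.20:443;
        default             127.0.0.1:8444;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
    }
}
```

With this in place, sudo certbot --nginx on Server 2 validates over the normally forwarded port 80, and the 8080/8443 forwards are no longer needed; note that the stream block requires Nginx built with ngx_stream_ssl_preread_module, and that Server 2 should trust X-Forwarded-For only from Server 1's address when logging client IPs.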

Thank you all for your response. I will be reviewing each in more detail before asking anything else. Thanks again!

5 Likes
