Install certbot when intentionally port translating

So you mean external people (like me or anyone else on the internet) would have to type in https://xymon.watersprings.net:11443 to get to your site?

Or do you mean it the other way around? That your Apache is listening on port 11443 and that your firewall translates my request on port 443 to the port 11443 on Apache?