Is the DNS challenge my only option?

My domain is:

I ran this command: sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/ --preferred-challenges dns --debug-challenges -v -d

It produced this output: N/A

My web server is (include version): Nginx 1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: Gandi for domain name, O2Switch for DNS entries

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.31.0

Hello!

I have an Ubuntu virtual machine set on a server in our local network.

The network is protected by a Fortigate firewall.

Outside of the network, I have a domain "" and a web hosting on O2Switch.

I have created a subdomain "" that redirects to the static IP of our network and configured the firewall to allow requests coming from the outside on a specific port and redirect them to the Ubuntu machine where nginx handles them.

The thing is that we have many machines running in the network that can be accessed via our static IP, and the only way I know of to properly redirect requests in the firewall to one machine or another is by using different ports (but maybe I'm wrong there).

So ports 80 and 443 are already used for another server and in order to access the server I want to be linked to, I had to use custom ports (let's say 8091 and 4523).

I hoped I could tell certbot to use the usual HTTPS challenge, but with a different port, but I didn't find anything about that.

I tried to set up the certificate directly on my DNS provider, and it is generated properly, but not used at all (I guess this is because my subdomain's target is not directly on the web hosting but merely redirected to the static IP of my network? The only place to put a certificate is on the host machine?)

So I used DNS challenge instead, which works fine but can't be easily automated. I saw in another post that it could be done, depending on the DNS provider, but mine isn't on the list.

Could someone please tell me if DNS validation and manual installation really are my only solutions there, or if I am missing something?

That is not possible. The Let's Encrypt servers must use HTTP (port 80) for the HTTP Challenge request. You can redirect it to HTTPS (port 443) but no other port. Certbot can listen on a different port but your firewall must redirect the port 80 challenge request to that certbot port. It sounds like you can't do that so a DNS challenge is best.

The command in your post looks like it can automate the DNS Challenge. I am not an expert at that method, but did you follow the instructions here:


If that server can proxy the HTTP requests to your system, then you can still use HTTP-01 authentication.
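The plumbing the two replies describe, as an added example that is not part of this thread: the machine that owns port 80 forwards only `/.well-known/acme-challenge/` to the host where certbot listens on a custom port, and everything else stays local. Both roles are stand-ins written here with the Python standard library so the flow can be exercised offline; the ports, the token and the key authorization are constructed for the demo. In production the front role is an nginx `location /.well-known/acme-challenge/ { proxy_pass http://<backend>:<port>; }` block on the existing port-80 server, and the backend role is `certbot certonly --standalone --http-01-port <port> -d <domain>` on the Ubuntu machine.

```python
# Added example, not code from the original thread. Models HTTP-01 validation
# when port 80 belongs to another server: that server proxies the ACME path
# only, and certbot listens on a custom port behind it. Token, key
# authorization and ports below are constructed for the demo.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed challenge: token -> key authorization, as certbot would serve it.
CHALLENGES = {"demo-token-Zm9vYmFy": "demo-token-Zm9vYmFy.demo-account-thumbprint"}


class BackendHandler(BaseHTTPRequestHandler):
    """Stands in for `certbot --standalone --http-01-port N` on the inner host."""

    def do_GET(self):
        token = self.path[len(ACME_PREFIX):] if self.path.startswith(ACME_PREFIX) else None
        body = CHALLENGES.get(token)
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_front_handler(backend_port):
    """Stands in for the server that owns port 80 (nginx in the thread)."""

    class FrontHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if not self.path.startswith(ACME_PREFIX):
                # Anything outside the ACME path is served locally, never proxied,
                # so the front server does not become an open relay to the backend.
                self.send_error(404, "not an ACME challenge path")
                return
            try:
                with urllib.request.urlopen(f"http://127.0.0.1:{backend_port}{self.path}", timeout=5) as r:
                    status, data = r.status, r.read()
            except urllib.error.HTTPError as e:
                status, data = e.code, b""
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):
            pass

    return FrontHandler


def start_server(handler):
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port, path):
    """Return (status, body) for a GET against 127.0.0.1:port."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def preflight(front_port, token):
    """The check to run before certbot: the token must round-trip through the
    port-80 owner and come back with the exact key authorization."""
    status, body = fetch(front_port, ACME_PREFIX + token)
    return status == 200 and body == CHALLENGES[token]


def run_demo():
    backend, bport = start_server(BackendHandler)
    front, fport = start_server(make_front_handler(bport))
    try:
        token = next(iter(CHALLENGES))
        return {
            "challenge_ok": preflight(fport, token),               # True
            "unknown_token": fetch(fport, ACME_PREFIX + "nope")[0],  # 404 from backend
            "other_path": fetch(fport, "/admin")[0],                 # 404, never proxied
        }
    finally:
        for s in (front, backend):
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The same preflight is worth doing against the real setup: place a file under certbot's webroot or start `certbot certonly --standalone --http-01-port 8091 --dry-run -d <domain>` and fetch `http://<domain>/.well-known/acme-challenge/<token>` from outside the network, since Let's Encrypt will only ever connect to port 80 and follow the redirect or proxy from there.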

