Issuing certificate standalone

Hello, I'm trying different methods to issue a certificate to my website, and these are the methods I tried.
The certbot nginx method does not work because the provider is blocking port 80. Then I tried the standalone method with --http-01-port 8080 defined, but I get this error:
Invalid response from https://site.com/.well-known/acme-challenge/vO_zsasa: **404**. My thought is that certbot ignores --http-01-port 8080 and tries port 80, sees the nginx redirect and connects to 443, where there is no well-known directive in nginx.

I tried acme.sh in nginx mode and get an error like Invalid response from https://site.com/.well-known/acme-challenge/vO_zsasa: **404**. I think the script sees the redirect inside the port 80 config and tries to connect to port 443, but there is no .well-known directive there. I tried to modify the acme.sh script to add the .well-known directive to both the port 80 and port 443 configs, but then there is another error, like: error during secondary validation http://site.com/.well-known/acme-challenge/
I think Let's Encrypt will not work with HTTPS in the http-01 challenge type.

I can't use the DNS challenge method, because my DNS registrar does not allow editing DNS records and does not provide a control panel to edit records; I can only write letters and wait, which takes a long time.
The tls-alpn method does not work either.

Please don't ask which country it is; that does not help in this utopian situation, and contacting the provider to open port 80 is also useless.

Are there any other methods to automate issuing and renewing certificates?

1 Like

If port 80 is blocked no HTTP Challenge will work as ACME requires it to begin at port 80. The --nginx method uses an HTTP Challenge.

So does the --standalone option. The port 8080 you tried is only if Certbot is running on a device proxied to on that port. The incoming challenge still arrives on port 80 from the Let's Encrypt server.

Correct. The HTTP Challenge is sent using HTTP on port 80. You can redirect the request to port 443 but you must be able to handle it on port 80.

You don't have to change your registrar but can you change your DNS Servers? Something like Cloudflare is commonly used and is well-supported by Certbot.

If you can't change your DNS Servers can you add a specific record to delegate the challenge from them to a provider that allows it? See: Challenge Types - Let's Encrypt

3 Likes

It is a government registrar with something like a national domain zone like domain.com.tr, and it will never allow changing DNS to Cloudflare or any others. That's why I'm searching for other methods like the HTTP challenge methods.

Is port 443 blocked also? Because other ACME clients support TLS-ALPN (like the lego client).

For Let's Encrypt those are the only three challenges: HTTP, TLS-ALPN, DNS

2 Likes

I think so; I tried again and it seems to be a connection refused error. I guess tls-alpn on another port will not work with Let's Encrypt?

Let's Encrypt supports tls-alpn on port 443 but Certbot does not support that challenge. What did you try exactly?

And with those ports blocked what do you plan to run using a cert?

Caddy server or the Lego client do, as do some others.

3 Likes

acme.sh. I thought I'd try different ports, not 80 and 443.

No, the ports used for the requests are required by the Let's Encrypt ACME server. The ACME client cannot change them.

Sorry, I just noticed the "secondary validation" error. This means the primary Let's Encrypt server was able to reach you on port 80, but one or more of its secondary centers around the world failed. This sometimes happens when people have a firewall blocking geographic regions. There can be other reasons.

I am starting to think you just have your communications config or a firewall not setup correctly. You said your provider blocked port 80 but a VPS usually is some hosting service and it would be odd for them to block that. And, the "secondary" validation error means port 80 was open at least partly.

Please answer more of the questions on the form you were shown (below). I think you may have reached incorrect conclusions about the reasons for the failures.

=====================================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

3 Likes

The VPS is pure and clean as well, with no filter rules there. I then checked many of them, about 10 VPSes at the same provider. It can't be that I set something up incorrectly on all 10. But if Let's Encrypt cannot work with ports other than 80 and 443, then http-01 verification will not work.

Maybe so but as I said if you see "secondary" in the error message that means the primary Let's Encrypt center did get through (it is in the USA). The secondary centers are not activated unless the primary succeeds. You should see this in your access logs.

HTTP-01 challenge only works on port 80 (although once your server receives it the request can be redirected, but that should not be necessary).

TLS-ALPN challenge uses port 443 but requires the ACME client to set up the response properly. Certbot does not.

I'll ask once more ... If HTTP or HTTPS requests cannot reach your VPS using normal ports what do you plan to use them for? You showed using --nginx option so what kind of requests is that nginx going to handle?

4 Likes
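The port-80 layout the replies above describe (answer the challenge on port 80 itself, redirect everything else to HTTPS) as an nginx server block. This is an added example, not configuration from the thread; the webroot path /var/www/letsencrypt is assumed, and the domain is the thread's placeholder site.com.

```nginx
# Added example (not the poster's config): port-80 server block that answers
# ACME HTTP-01 requests itself and redirects everything else to HTTPS.
# Assumed: webroot /var/www/letsencrypt; domain site.com is the thread's placeholder.
server {
    listen 80;
    listen [::]:80;
    server_name site.com;

    # Let's Encrypt always starts the HTTP-01 check with plain HTTP on port 80.
    # Serve the token files here so the check is answered before any redirect,
    # which avoids the 404 seen when only the HTTPS server block exists.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else may be redirected; the validator follows 301/302 to HTTPS,
    # but the first request still has to be accepted on port 80.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this block in place the matching client invocation is the webroot mode, e.g. certbot certonly --webroot -w /var/www/letsencrypt -d site.com; it fixes the 404 path but does nothing for a "secondary validation" failure, which means port 80 is unreachable from one of the non-primary validation locations.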

The options in ACME clients to change the challenge ports are just there for e.g. NAT portmapping, e.g., if externally incoming TCP port 80 is mapped in a firewall to internal TCP port 8080. Only in such circumstances does it make sense to change the challenge port on the client.

3 Likes

When I first tried using acme, I thought that the script sees a redirect to https inside the config and tells Let's Encrypt to connect using https, and Let's Encrypt tries to do this but gets a 404 error:

site.com: Invalid status. Verification error details: 1.2.3.4: Invalid response from https://site.com/.well-known/acme-challenge/: 404

because there is no well-known directive in https added by acme.sh. Then I decided to change the script and make the well-known directive be added to https, but now I get the error in secondary validation:

Invalid status error. Verification error details: During secondary validation: 1.2.3.4: Fetching http://site.com/.well-known/acme-challenge/: Connection refused

As I understood, the first validation successfully reaches my server via https, and sometimes via http too.
But the secondary validation, unlike the first one, tries to access http and gets the Connection refused error. I don't know, but if secondary validation used https, maybe it would work.

Local traffic works fine inside the country's intranet; I don't have any choice to change it to normal hosting. There is strong filtration of outside traffic: today foreign hosting works, tomorrow it can be blocked.

If you get a 404 error that means the connection from Let's Encrypt to your domain worked. But, something else was wrong with your ACME Client or web server configuration. It means your HTTP (port 80) request was not blocked. At least not for the primary Let's Encrypt center in the USA.

Let's Encrypt cannot start with an HTTPS request for an HTTP Challenge. Not for any of its validation centers. An HTTP Challenge must begin with an HTTP request on port 80. Always. That is required by the ACME protocol and is an industry standard requirement.

Let's Encrypt currently checks from 5 locations around the world and some of those are not in the USA. One or more of those are likely getting blocked. There may be more locations in the future and other countries too.

If you can't allow access for an HTTP Challenge (or TLS-ALPN on port 443) you won't be able to use those methods.

You also said your DNS provider does not allow adding TXT records for a DNS Challenge.

You won't be able to get a Let's Encrypt cert without one of those 3 ways.

You could try purchasing a certificate from somewhere else. Perhaps someone will sell you a certificate using some other method to prove you control that domain.

3 Likes

Yes, I said above "I thought".

If you can set up a CNAME record, then you could utilize acme-dns, i.e. CNAME the _acme-challenge.site.com to their public service, and use dns-01 validation method with a compatible DNS plugin.

1 Like