NAT Issue: Certificate Request from mail server when port 80 goes to web server

My domain is:

I ran this command:
“Request Certificate” from CertifyTheWeb

It produced this output:

Validation of the required challenges did not complete successfully. Invalid response from []: "

My web server is (include version):
Exchange 2016 & IIS (I’ve tried “Exchange Backend” as well as “IIS” options).

The operating system my web server runs on is (include version):
Windows Server 2016

My hosting provider, if applicable, is:
Me. (Virtual machine running on ESXi 6.7)

I can login to a root shell on my machine (yes or no, or I don’t know):
It’s Windows, so no root shell. Administrative RDP access.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

My Issue is that I’m new to certificates. I am requesting the certificate for a Windows 2016 server with Exchange 2016. Port 25 is forwarded via NAT to this server ( We have a TurnkeyLinux Wordpress virtual appliance which hosts websites; port 80 is forwarded to that VM (it hosts multiple domains of websites, including Part of the process appears to require to exist. However, “” does not exist as a website (it’s just a mail server). We do have a pair of domain controllers and DNS works just fine within the LAN.
Presumably I could create something on our Wordpress appliance, but it would not certify the mail server, so presumably that’s a bad idea. What’s the right way to complete this process?

Looks like I’ve got progress. I went to Authorization (in my CertifyTheWeb client), and switched “challenge type” from HTTP-01 to DNS-01. We use DomainsPricedRight for external DNS, so I selected “Update DNS Manually”. I then went to “Deployment” and entered 25 in “Bind to Specific Port”. I saved and it told me to add a TXT entry to DNS, so I’ve done that via DomainsPricedRight. So far so good.
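The manual DNS-01 step just described (the client reports a TXT value, you add it at the DNS provider, then let validation continue) can be checked before telling the client to proceed. The script below is an added example, not code from this thread or from CertifyTheWeb; it assumes you have the challenge token and the ACME account-key thumbprint the client computed, and uses constructed sample values for both.

```python
# Added example (not from the thread or CertifyTheWeb): derive the DNS-01 TXT
# value a CA expects (RFC 8555 section 8.4) and compare an observed TXT record
# set against it, so a manually created record can be verified before the
# client is told to continue validation.
import base64
import hashlib


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_thumbprint: str) -> str:
    """Key authorization: token '.' base64url(JWK thumbprint of the account key)."""
    return f"{token}.{account_thumbprint}"


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT record contents: base64url(SHA-256(key authorization))."""
    key_auth = key_authorization(token, account_thumbprint).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())


def dns01_record_name(domain: str) -> str:
    """Name the CA queries. If this name is a CNAME, the CA follows it."""
    return f"_acme-challenge.{domain.rstrip('.')}"


def txt_matches(expected: str, observed_txt) -> bool:
    """True if any observed TXT string equals the expected value exactly.
    Tools like dig print TXT strings wrapped in quotes; strip those first."""
    return any(s.strip('"') == expected for s in observed_txt)


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical token and thumbprint).
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    thumbprint = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
    value = dns01_txt_value(token, thumbprint)
    print(dns01_record_name("mail.example.com"), "TXT", value)
    # Constructed stand-in for the record set a resolver would return:
    print("record matches:", txt_matches(value, [f'"{value}"']))
```

If the comparison fails, the usual causes are a trailing space in the TXT data or the record being created under the zone apex instead of the `_acme-challenge` label.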

Hi @ProBiz

I don't really see a problem.

mail is defined as a CNAME ( ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout C yes 1 0
A yes Name Error yes 1 0

and checking the ip it works:

Domainname | Http-Status | redirect | Sec. | G
 | 500 Internal Server Error | | 0.417 | S
 | -14 Timeout - The operation has timed out | | 10.024 | T
 | 404 Not Found | | 0.240 | A

You can ignore row 1 and row 2. What matters is that row 3 works: port 80 is open, and there is the required answer, HTTP status 404 - not found.

The server:

Server: Apache

So you should be able to create a certificate using the webroot of that server.

DNS-01 validation may work. But Let's Encrypt certificates are only valid for 90 days, so you have to do manual things every 60 - 85 days.

Thanks for your reply. We have one external IP: There are two internal IPs: the Windows/Exchange/IIS server, and the Turnkey/Wordpress/Apache server. I will eventually want to generate certs for the Apache server, but right now I’m working on the mail server. When you query you are not getting to the IIS server; you are getting to the Apache server (as you noted). Do you mean to say that I could create a certificate using the webroot of the Apache server and then apply that cert to the IIS server?

I agree that manual processes are not optimal, but I have an existing (paid) cert on the mail server that’s expiring in 2 days, so I’ll take “manual” over “expiring” and just look to improve the process later. As for now, I have managed to make it work with DNS-01 and HTTP-01 has not shown that it works for my situation (unless we are able to create certs on the Apache server and hand them out to other servers on the LAN, but I imagine that even if that’s okay to do, it’ll also be a manual process).

Yes, that Apache is visible and answers with the expected result.

So the webroot of that Apache should work to create a certificate.

That's one option using a CNAME - there is an answering webserver, that's enough.
