No-ip, localhost, 80 blocked by ISP (Rostelecom) (Target: 0$ local hosting)

I want to make a hosting service out of a laptop. My ISP does not allow ports 80 and 443 to be opened. My domain is kotaz.ddns.net from No-IP. The router automatically updates its IP address (I have a gray address). I can make HTTP servers by redirecting any ports to my laptop running Arch, which performs the hosting role, but I would like to understand how I can create a certificate. I don't want to pay the provider to open port 80. What information should I provide? Is there a solution?

My domain is: kotaz.ddns.net (no-ip)

I ran this command: sudo certbot certonly --standalone -d kotaz.ddns.net
It produced this output:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: kotaz.ddns.net
  Type:   connection
  Detail: 212.119.40.99: Fetching http://kotaz.ddns.net/.well-known/acme-challenge/4I-_OdvEjfl0l6D9cKsqZjCQM3khX85XcVmTAoifkpI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

My web server is (include version): no server running, maybe Python + some library in the future
The operating system my web server runs on is (include version): Linux kotaz-pc 5.15.128-1-MANJARO #1 SMP PREEMPT Sat Aug 26 17:22:47 UTC 2023 x86_64 GNU/Linux
My hosting provider, if applicable, is: Localhost, Rostelecom ISP
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: no, ssh
The version of my client is 2.7.4

Hi @kotazzz,

Please see

This is also available in Russian at

Basically, the use of inbound ports 80 or 443 is an absolute requirement from the Let's Encrypt CA for proving your control of your domain name via a direct connection to your server. However, there is one other method available to prove control of your domain name by creating DNS TXT records.

In Certbot you can do --manual --preferred-challenges dns-01 although this destroys the benefit of Certbot's automation (you would have to manually repeat the process frequently in order to renew the certificate). You can also look for a DDNS provider API plugin / integration script which may be available for your DDNS provider so that the TXT records necessary can be created automatically by software.

Note that the required TXT record is different for every certificate renewal, so you can't just create one once and leave that same one in place forever. That's why software integration with an API from the DDNS operator is valuable in this situation.

2 Likes
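One way to do the TXT-record step described in the reply above without repeating it by hand, as an added example that is not part of this thread and not certbot's own code: a hook script that certbot calls before validation (to create the record and wait for it to propagate) and after (to delete it). The DNS provider API it talks to (DNS_API_URL, DNS_API_TOKEN, the /txt/create and /txt/delete endpoints and their JSON fields) is a hypothetical placeholder, since the free No-IP plan may not expose one; swap in the real API of whichever DNS provider you end up using. The CERTBOT_DOMAIN and CERTBOT_VALIDATION variables are set by certbot itself when it runs manual hooks.

```shell
#!/bin/sh
# acme-dns-hook.sh: certbot --manual-auth-hook / --manual-cleanup-hook for DNS-01.
# Added example, not from the thread or from certbot. DNS_API_URL, DNS_API_TOKEN
# and the /txt/<action> endpoint are a HYPOTHETICAL provider API (assumption);
# replace them with the real API of a DNS provider that lets you manage TXT
# records. Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling us.
set -eu

DNS_API_URL="${DNS_API_URL:-https://dns.example.invalid/api}"   # assumption
DNS_API_TOKEN="${DNS_API_TOKEN:-}"                               # assumption
PROPAGATION_TIMEOUT="${PROPAGATION_TIMEOUT:-120}"               # seconds

# Name of the TXT record the CA queries: _acme-challenge.<domain>. A wildcard
# prefix is dropped, because *.example is validated at _acme-challenge.example.
txt_record_name() {
    name="${1#\*.}"
    printf '_acme-challenge.%s\n' "$name"
}

# Hypothetical provider call: create or delete the TXT record NAME with VALUE.
dns_api() {  # dns_api create|delete NAME VALUE
    curl -fsS -X POST "$DNS_API_URL/txt/$1" \
        -H "Authorization: Bearer $DNS_API_TOKEN" \
        -H 'Content-Type: application/json' \
        --data "{\"name\":\"$2\",\"value\":\"$3\"}"
}

# Poll a public resolver until the new value is visible, so certbot does not
# ask the CA to validate before the record has propagated. One resolver is an
# approximation: Let's Encrypt checks from several vantage points.
wait_for_txt() {  # wait_for_txt NAME VALUE
    elapsed=0
    while [ "$elapsed" -lt "$PROPAGATION_TIMEOUT" ]; do
        if dig +short TXT "$1" @1.1.1.1 | grep -Fq "\"$2\""; then
            return 0
        fi
        sleep 5
        elapsed=$((elapsed + 5))
    done
    echo "TXT record for $1 not visible after ${PROPAGATION_TIMEOUT}s" >&2
    return 1
}

# Auth: publish the per-challenge value; it differs on every issuance/renewal.
auth_hook() {
    name=$(txt_record_name "$CERTBOT_DOMAIN")
    dns_api create "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

# Cleanup: remove the record again once the CA has checked it.
cleanup_hook() {
    name=$(txt_record_name "$CERTBOT_DOMAIN")
    dns_api delete "$name" "$CERTBOT_VALIDATION"
}

# Certbot runs the same script twice; $1 selects the mode:
#   certbot certonly --manual --preferred-challenges dns-01 \
#       --manual-auth-hook    "/path/acme-dns-hook.sh auth" \
#       --manual-cleanup-hook "/path/acme-dns-hook.sh cleanup" \
#       -d kotaz.ddns.net
# Only act when certbot has set CERTBOT_DOMAIN; sourcing the file for
# testing leaves the functions defined and does nothing else.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case "${1:-auth}" in
        auth)    auth_hook ;;
        cleanup) cleanup_hook ;;
        *) echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
fi
```

With the hooks recorded in the renewal configuration, a later certbot renew runs the same script again, so the fresh TXT value required on each renewal is handled by software rather than by hand. Keep PROPAGATION_TIMEOUT generous for DNS providers with slow zone updates; if the poll times out the hook exits non-zero and certbot aborts the attempt instead of letting the CA fail the challenge.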

I should add that once you have the certificate issued, it is valid for authenticating inbound connections on any port number. You could use it for port 4443 or something, if your ISP will allow that.

1 Like

You may want to peruse the Cloudflare Community to learn about using Tunnels.

3 Likes

There is no mention of no-ip. Also, I'm not sure that in the No-ip free plan I can manipulate TXT records. What should I do?

If you can't add/change anything in the DNS zone of your current dynamic DNS provider, your options are:

  • Change DNS provider to one which allows adding TXT records to the zone;
  • Change ISP to one which allows incoming connections to port 80 or 443;
  • Pay your current ISP to allow incoming connections to port 80 or 443.
3 Likes

Change DNS provider.

1 Like
