I want to make a hosting service out of a laptop. My ISP does not allow ports 80 and 443 to be opened. My domain is kotaz.ddns.net from No-IP. The router automatically updates its IP address (I have a grey address). I can make HTTP servers by redirecting any ports to my laptop with Arch, which performs the hosting role, but I would like to understand how I can create a certificate. I don't want to pay the provider to open port 80. What information should I provide? Is there a solution?
I ran this command: sudo certbot certonly --standalone -d kotaz.ddns.net
It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Detail: 220.127.116.11: Fetching http://kotaz.ddns.net/.well-known/acme-challenge/4I-_OdvEjfl0l6D9cKsqZjCQM3khX85XcVmTAoifkpI: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
My web server is (include version): no server running, maybe Python + some lib in future
The operating system my web server runs on is (include version): Linux kotaz-pc 5.15.128-1-MANJARO #1 SMP PREEMPT Sat Aug 26 17:22:47 UTC 2023 x86_64 GNU/Linux
My hosting provider, if applicable, is: Localhost, Rostelecom ISP
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: no, ssh
The version of my client is 2.7.4
Basically, the use of inbound ports 80 or 443 is an absolute requirement from the Let's Encrypt CA for proving your control of your domain name via a direct connection to your server. However, there is one other method available to prove control of your domain name by creating DNS TXT records.
In Certbot you can do --manual --preferred-challenges dns-01, although this destroys the benefit of Certbot's automation (you would have to manually repeat the process frequently in order to renew the certificate). You can also look for a DDNS provider API plugin / integration script which may be available for your DDNS provider, so that the TXT records necessary can be created automatically by software.
Note that the required TXT record is different for every certificate renewal, so you can't just create one once and leave that same one in place forever. That's why software integration with an API from the DDNS operator is valuable in this situation.
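A hook script for the dns-01 route described above, added here as an example (it is not Certbot's own code and not a No-IP API): it assumes a hypothetical DDNS endpoint DDNS_API_URL that accepts POST/DELETE of a name/value pair with a bearer token in DDNS_API_TOKEN, and it waits with dig until the fresh TXT value is publicly visible before Certbot asks the CA to validate.

```shell
#!/bin/sh
# Hypothetical certbot hook for dns-01 (example; not certbot's code, not a No-IP API).
# Run with the command from the answer plus the two hooks, e.g.:
#   sudo certbot certonly --manual --preferred-challenges dns-01 \
#     --manual-auth-hook "/usr/local/bin/ddns-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/ddns-hook.sh cleanup" -d kotaz.ddns.net
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION (the TXT value) to both hooks.
set -eu

# Placeholder: replace with your DDNS provider's TXT-record endpoint.
DDNS_API_URL="${DDNS_API_URL:-https://ddns.example.invalid/api/txt}"

# The CA queries _acme-challenge.<domain>; a wildcard "*.x" validates against the
# same record as "x", so a leading "*." is dropped.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Poll a public resolver until the new value is visible, because certbot asks the
# CA to validate as soon as the auth hook exits. Returns 1 after $3 attempts.
wait_for_txt() {
    rr_name=$1; rr_value=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "$rr_name" @8.8.8.8 | tr -d '"' | grep -qx "$rr_value"; then
            return 0
        fi
        tries=$((tries - 1)); sleep 10
    done
    echo "TXT record $rr_name did not propagate" >&2
    return 1
}

# Create (POST) or delete (DELETE) the record through the placeholder API.
ddns_txt() { # $1 = POST|DELETE, $2 = record name, $3 = record value
    curl -fsS -X "$1" "$DDNS_API_URL" \
        -H "Authorization: Bearer ${DDNS_API_TOKEN:?set DDNS_API_TOKEN}" \
        --data-urlencode "name=$2" --data-urlencode "value=$3"
}

# Only act when certbot invoked us; running the file by hand does nothing.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    rr=$(acme_record_name "$CERTBOT_DOMAIN")
    case "${1:-}" in
        auth)    ddns_txt POST "$rr" "$CERTBOT_VALIDATION"
                 wait_for_txt "$rr" "$CERTBOT_VALIDATION" ;;
        cleanup) ddns_txt DELETE "$rr" "$CERTBOT_VALIDATION" ;;
        *)       echo "usage: $0 auth|cleanup (invoked by certbot)" >&2; exit 2 ;;
    esac
fi
```

Because the value in CERTBOT_VALIDATION changes with every order, the cleanup hook removes the record rather than leaving stale entries to accumulate in the zone.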