Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Try using the DNS-01 challenge; it doesn't require access to your server. Choose a DNS provider that supports an API that can create, edit, and delete DNS records. Only TXT records are required.
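An added example (not part of the thread) of what the DNS-01 challenge actually asks a DNS provider for: it computes the `_acme-challenge` TXT record name and value from an ACME challenge token and the account key, the way an ACME client such as certbot does, and includes the check the CA performs against the records it sees. The token and JWK are constructed sample values, not real ACME data; the hashing steps follow RFC 8555 section 8.4 and RFC 7638.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not a real ACME token or account key): the token the
# CA hands out in the challenge object, and the account's public key as a JWK.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, serialised with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. For HTTP-01 this exact string is
    the file body; for DNS-01 it is hashed once more (below)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """The record lives at _acme-challenge.<domain>; a wildcard drops its '*.' label."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


def txt_records_satisfy(observed: list, token: str, jwk: dict) -> bool:
    """The check the CA performs: at least one TXT value must equal the expected
    one. Extra records (e.g. a stale one from an earlier issuance) do not hurt."""
    expected = dns01_txt_value(token, jwk)
    return any(rr.strip('"') == expected for rr in observed)


if __name__ == "__main__":
    name = dns01_record_name("mlake.net")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"create TXT record: {name} -> {value}")
```

With certbot the equivalent is `certbot certonly --manual --preferred-challenges dns`, which prints the name and value for you to create (or `--manual-auth-hook` to create it via the provider's API); nothing in that flow touches port 80 or 443 on your server.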
I'm pretty much a dummy when it comes to this stuff, but I don't see how to initiate a DNS-01 challenge in certbot. If I use the --manual option it tries to authenticate me via the http option by me placing a particular file in a particular place. And then I get the error that it needs port 80 to do the authentication.
Port 80 is blocked by my ISP, and port 80 is being redirected to 8080 by noip.com
You could also use Caddy rather than Apache's mod_md. Caddy also defaults to TLS-ALPN (which uses port 443 rather than 80), and is IMO considerably easier to configure.
It's very easy indeed. It does default, IIRC, to getting certs from ZeroSSL rather than Let's Encrypt, but pretty much a cert is a cert. It's generally my go-to choice for a web server or reverse proxy.
That's curious. 34.198.182.201 resolves to <amazon.com>.
My ISP is <cox.net>. <noip.com> provides me with my domain (<mlake.net>) and redirects port 80 to port 8080. I don't know what this has to do with <amazon.com>.
Not exactly. The IP is assigned to Amazon but resolves to an EC2 instance in AWS. That is one of their cloud computing offerings.
My guess is that is what no-ip's redirect service runs on. An Apache server replies
curl -i -m7 http://www.mlake.net
HTTP/1.1 301 Moved Permanently
Server: Apache
Location: http://70.180.27.77:8080
# And utterly fails with HTTPS
curl -i -m7 https://www.mlake.net
curl: (7) Failed to connect to www.mlake.net port 443 after 26 ms: Connection refused
The Let's Encrypt HTTP Challenge does not support port 8080 so that can't be used.
If that's a no-ip service, TLS-ALPN won't work either. You won't be able to set up their service to reply properly.
If you have control of port 443 you could change the DNS for www.mlake to be your public IP directly and do TLS-ALPN (mod_md or Caddy) there. This would eliminate no-ip involvement.
Or, to avoid all these HTTP(s) routing problems use the DNS Challenge as earlier suggested. At least you could get a cert. You'd still have to sort out HTTP(S) flows for whatever service you want to run.
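To make concrete why the 301 shown above defeats HTTP-01, here is an added example (not from the thread) that simulates a CA validator which starts on port 80 and only follows redirects to http on 80 or https on 443, which is the thread's point that a redirect to port 8080 cannot be used. The responses are constructed from the curl output above plus two contrasting hosts; the key authorization string, the hostnames `direct.example` and `wrong.example`, and the exact rule set are assumptions for illustration, not a reproduction of any CA's code.

```python
from urllib.parse import urlparse

# Redirect targets the simulated validator accepts (assumption modelling the
# thread's point: port 8080 is not among them).
ALLOWED = {("http", 80), ("https", 443)}
MAX_REDIRECTS = 10
CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed sample values, not real ACME data.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
KEY_AUTH = TOKEN + ".lCtPK2jFX8xm4n8A0pUjwJ4ZqCeEFnBmZrx0TpXcJSo"

# Constructed responses modelled on the curl output in the thread: the no-ip
# redirector on port 80 sends everything to the home IP on 8080. Two made-up
# hosts are added for contrast: one that redirects to https:443 and serves the
# right body, one that answers directly with the wrong body.
RESPONSES = {
    "http://www.mlake.net" + CHALLENGE_PATH + TOKEN:
        (301, {"Location": "http://70.180.27.77:8080" + CHALLENGE_PATH + TOKEN}, ""),
    "http://70.180.27.77:8080" + CHALLENGE_PATH + TOKEN:
        (200, {}, KEY_AUTH),
    "http://direct.example" + CHALLENGE_PATH + TOKEN:
        (301, {"Location": "https://direct.example" + CHALLENGE_PATH + TOKEN}, ""),
    "https://direct.example" + CHALLENGE_PATH + TOKEN:
        (200, {}, KEY_AUTH + "\n"),
    "http://wrong.example" + CHALLENGE_PATH + TOKEN:
        (200, {}, "not the key authorization"),
}


def fake_fetch(url):
    """Stand-in for the CA's HTTP client; unknown URLs behave as 'connection refused'."""
    if url not in RESPONSES:
        raise ConnectionError(f"connection refused: {url}")
    return RESPONSES[url]


def effective_port(url):
    """Explicit port if given, otherwise the scheme default."""
    parts = urlparse(url)
    return parts.port if parts.port is not None else {"http": 80, "https": 443}[parts.scheme]


def validate_http01(domain, token, key_auth, fetch=fake_fetch):
    """Simulated HTTP-01 validation: begin on http:80, follow redirects only to
    allowed scheme/port pairs, and require the body to equal the key
    authorization (trailing whitespace tolerated). Returns (ok, reason)."""
    url = f"http://{domain}{CHALLENGE_PATH}{token}"
    for _ in range(MAX_REDIRECTS + 1):
        try:
            status, headers, body = fetch(url)
        except ConnectionError as exc:
            return False, str(exc)
        if status in (301, 302, 303, 307, 308):
            target = headers.get("Location", "")
            scheme = urlparse(target).scheme
            if scheme not in ("http", "https"):
                return False, f"redirect to unsupported scheme: {target}"
            port = effective_port(target)
            if (scheme, port) not in ALLOWED:
                return False, f"redirect to disallowed port {port}: {target}"
            url = target
            continue
        if status != 200:
            return False, f"unexpected status {status} from {url}"
        if body.rstrip() != key_auth:
            return False, f"key authorization mismatch at {url}"
        return True, f"validated at {url}"
    return False, "too many redirects"


if __name__ == "__main__":
    for host in ("www.mlake.net", "direct.example", "wrong.example", "nothing.example"):
        print(host, validate_http01(host, TOKEN, KEY_AUTH))
```

The first case is the thread's situation: the validator never even reaches the Apache on 8080, so the correct file sitting there does not help. The `direct.example` case shows the kind of redirect (80 to 443 on the same host) that is fine, which is what pointing DNS straight at your own public IP would give you.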