Renew certificate without ports 80 or 443

I'm running an NTS/NTP server beside a web server on a separate machine; upon initial installation, I re-routed ports 80 and 443 to the NTS server, but this is cumbersome for renewal as they are hardwired to the machine running the web server.
How could I automatically renew my certificates through other ports or means? – Alternatively, I could use ports 80 and/or 443 but only via IPv6…
Thanks for your help!

1 Like

Welcome to the community! You are lucky since the default is IPv6 for the HTTP-01 challenge. It is enough if you run the web server on IPv6 only for issuing the certificate.


You can. That breaks validation on your webserver, though.

You can also:

  • use the same certificate you use on the webserver, maybe use a script to push it on the second server.
  • configure the webserver to proxy requests for .well-known/acme-challenge (but that becomes a problem because they both need it, unless they use different hostnames and you can use SNI/VirtualHosts)
  • configure the acme client on the NTS server to use a webroot on the webserver (shared via your internal network and mounted locally -- or not, depending on the client)
  • use the dns-01 challenge.

Thank you, and that's very helpful! – I've opened the ports 80 and 443 (just in case) for IPv6 and --dry-run works flawlessly, excellent!

Now I would like to further restrict the IPs allowed to connect to those ports; which should I choose?

1 Like

Let's Encrypt purposely does not publish the IP addresses their validations originate from. See: FAQ - Let's Encrypt


Thanks; guess I found a suitable alternative: I've set up URL forwarding at my dynamic DNS provider which should redirect all incoming traffic on port 80 except when a renewal/challenge is started internally. – Looks like it works as expected…

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.