Renewal using certonly subcommand

I created a certificate using the ‘certonly’ subcommand for another machine. I now need to renew the certificate, however, the authentication process fails because the target machine sits behind a router which has its own web server listening on port 80. This means that certbot can’t access the target machine.

Is it possible to specify a different port number for certbot to use for the challenge?

Here’s the log of the attempt to renew the certificate:


certbot-auto certonly -d --cert-path ~/certs/starlightproductions.crt
Requesting to rerun /usr/local/bin/certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.



Usually there is a way to re-assign the router’s web admin port from 80 to something else, which frees up 80 to be used by port forwarding.

1 Like

By the way, this is often bad OS reporting of different ICMP errors, such as “administratively prohibited” (from firewalls). I wish we had clearer socket-to-application reporting of these distinctions. nmap can seemingly see them and you can also see them with Wireshark. :shark:

(I agree with your interpretation, just complaining about the socket APIs!)

1 Like

And that is the case here—Wireshark confirms that this is ICMP type 3, code 13 (“Communication administratively prohibited”).

1 Like

That’s probably a good sign (the router denying ingress from the WAN side to its admin server) - as long as @pcameron60 can figure out how to move the router web server to another port, everything should just starting working.

Not really.

You can try use TLS-ALPN which uses port 443 instead, but it’s a bit of a pain and not supported by Certbot. is one that does support that mode, in case you do want to try it.

A third option is to try and use the DNS challenge. I see that your DDNS domain is operated by Dynu, so you might be able to use’s Dynu support to issue your certificate: . If you can get this to work, I would definitely recommend it over the TLS-ALPN option.

1 Like

Unfortunately, not in this case.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.