Required ports to run Let's Encrypt


I have all ports blocked on my server and can just unblock specific ones. Could you please tell me which ports should I unblock to get Let’s Encrypt work?

Best regards,

None if you can/want to use DNS-01 challenge, 80 if you want to use HTTP-01 challenge and 443 if you want to use TLS-SNI-01 challenge.

If you donʼt mind me asking, why do you want a certificate issued by a public CA if your server have all of its ports blocked?

I mean the server out ports to handle all communications with Let’s Encrypt servers, not the server in ports.
So I have all out traffic blocked on the server and just need to unblock ports for Let’s Encrypt.


The client software needs to make outbound connections to ports 80 and 443.

Depending on the client software in question, I think potentially only 443. All of the ACME protocol itself runs over HTTPS. Maybe 80 is also useful for features like OCSP stapling?

Clients do at least one or two DNS queries as well. So they need to be able to access whatever the system’s configured resolver is, presumably on port 53. (Are there OSes where the standard networking libraries can be configured to use a different port? Does anyone do it?)


I thought I saw some http:// calls in dehydrated, but I could be mistaken. Thanks for the clarification.

Bart doesn’t think about outgoing traffic

The thing is that there is some incoming traffic needed to install letsencrypt using Certbot. Company security policy blocks Internet connection. It can be unblocked but we need to specify IPs and port numbers to hosts that certbot needs to communicate with to successfully install and renew certificates.

Or alternatively - find a way to import certificates without internet connection, using csr or sth

Hi @lsabiiniok,

It sounds like you’re saying that you have a different situation in which you want to know what you need to allow for inbound connections in order to perform the validation.

As a matter of policy, Let’s Encrypt does not commit to using particular IP addresses for inbound validation connections, and may change or randomize these without any notice. Therefore, Let’s Encrypt-specific firewall rules are not supported.

You can use the DNS-01 challenge method to perform validations without allowing inbound connections. This involves making a requested change to your DNS zones, which some Let’s Encrypt clients can do automatically for some DNS providers. You can find out a lot more information about this method by searching on this forum.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.