SSL Letsencrypt behind NAT and on different port than 443


Hello, I have a web server behind NAT; this server has only https (no http). I have only one port, 444, which is visible from the internet (port forwarding is set on the router from 444 external to 443 internal). DNS is set so that the A record is the public IP address of the router. I need a letsencrypt certificate, but validation does not work (failed to connect).

I tried: letsencrypt certonly -a manual -d --http-01-port 444 --test-cert

Output is:
Saving debug log to /var/log/letsencrypt/letsencrypt.log │
│ Starting new HTTPS connection (1):
│ Obtaining a new certificate │
│ Performing the following challenges: │
│ http-01 challenge for
│ Using non-standard port for http-01 verification: 444 │
│ Starting new HTTP connection (1):

Output is:
Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to


  • The following errors were reported by the server:

    Type: connection
    Detail: Could not connect to

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My domain is:

My operating system is (include version): Debian 8

My web server is (include version): Apache 2.4


No, that isn’t your domain, that’s your URL, which is something completely different.

Let’s Encrypt needs to confirm that you own and control each hostname for which you’re seeking a certificate. It supports three ways of doing that:

  • The HTTP-01 challenge requires that the public Internet be able to connect to http://$HOSTNAME:80, for each $HOSTNAME you request a cert for. The --http-01-port flag will let certbot listen on a different port, in case you have port forwarding, a reverse proxy, or some other such thing going on, but the Let’s Encrypt servers must still be able to connect via port 80.
  • The TLS-SNI challenge requires that the public Internet be able to connect to port 443 on $HOSTNAME. As above, you can specify that certbot listen on a different port, but the Let’s Encrypt servers will connect to port 443.
  • The DNS-01 challenge requires that you be able to add TXT DNS records for each requested hostname, ideally through an API or some automated mechanism.
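
The port rules from the reply above, applied to a NAT forwarding table, as an added example that is not part of the original thread. The function names, the forwarding-table format and the `dns_api` switch are assumptions made for illustration; the fixed validation ports (80 and 443) are the ones stated in the reply.

```python
# Added example: which challenge types can succeed behind a given port-forwarding setup.
from dataclasses import dataclass

# Ports the Let's Encrypt validation servers connect to, per the reply above.
CA_PORT = {"http-01": 80, "tls-sni-01": 443}


@dataclass(frozen=True)
class Verdict:
    challenge: str
    viable: bool
    reason: str


def check_challenges(forwards, listen_ports, dns_api=False):
    """forwards: {external_port: internal_port} configured on the router.
    listen_ports: {challenge: port the ACME client answers on inside the LAN},
    which is what --http-01-port changes for http-01.
    dns_api: True if TXT records can be added for the hostname."""
    verdicts = []
    for challenge, ca_port in CA_PORT.items():
        internal = forwards.get(ca_port)
        listen = listen_ports.get(challenge, ca_port)
        if internal is None:
            reason = f"router does not forward external port {ca_port}"
        elif internal != listen:
            reason = (f"external {ca_port} goes to internal {internal}, "
                      f"but the client listens on {listen}")
        else:
            reason = f"external {ca_port} reaches the client on internal {listen}"
        verdicts.append(Verdict(challenge, internal == listen, reason))
    verdicts.append(Verdict(
        "dns-01", dns_api,
        "needs only TXT records, no inbound connection" if dns_api
        else "no way to add TXT records"))
    return verdicts


def viable(verdicts):
    """Names of the challenge types that can complete."""
    return [v.challenge for v in verdicts if v.viable]


if __name__ == "__main__":
    # Constructed input matching the question: only external 444 -> internal 443,
    # client started with --http-01-port 444.
    for v in check_challenges({444: 443}, {"http-01": 444}, dns_api=True):
        print(f"{v.challenge:11} {'ok' if v.viable else 'FAIL':4} {v.reason}")
```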

