--manual is an alternative to --apache; you should replace
If you don’t have a DNS provider API, this method isn’t that great because it’s truly “manual”: you’ll have to interactively repeat it every time you want to renew the certificate.
If you intend to allow the challenge on port 80, you shouldn’t specify --http-01-port 40443. (The --http-01-port option doesn’t let you choose the external port, which is required to be 80; it only lets you choose the internal port in case you have a firewall that forwards a port to a different port number, e.g. forwarding public port 80 to an internal host’s port 8080 or something. So the only reason to use --http-01-port 40443 is if you have a firewall forwarding the externally-visible port 80 to port 40443 of this host.)
If you want to use a Let’s Encrypt certificate (once it’s obtained) with a port other than 443, Certbot’s automated installer might not be the right choice because it probably won’t understand which virtual host is relevant or appropriate to create or edit. HTTPS on port 443 is a very strong default and also the only default that Certbot understands when trying to install the certificate for you. There are certainly reasons to run HTTPS on other ports, but Certbot won’t normally understand when you’re trying to do this; in this case you can run certbot certonly and then edit your web server configuration manually after the certificate issuance succeeds.
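The reply above explains that --http-01-port only changes the port the responder listens on locally, while the CA still connects to public port 80, so the setting is only useful behind a firewall that forwards 80 to that internal port. Below is an added example (not from the original post, not Certbot's own code) of a pre-flight check for exactly that case: it publishes a constructed token on the internal port the way a standalone HTTP-01 responder would, then fetches it through the external hostname on port 80, which is the path the validation server takes. The hostname example.com and the 80 → 40443 forward are hypothetical placeholders; the account-key thumbprint is a constructed stand-in.

```python
"""Pre-flight check for an HTTP-01 validation path that goes through a
port forward (public port 80 -> this host's port N, the --http-01-port case).

Added example, not from the original post or from Certbot. It mimics what a
standalone HTTP-01 responder does: publish a token under
/.well-known/acme-challenge/ on the *internal* port, then fetch it through the
*external* hostname and port 80, which is what the CA's validation server
would do. If the fetch fails, the forwarding is wrong and issuance would fail
too, so this is worth running before the real certbot invocation."""
import http.server
import secrets
import socketserver
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


class _ReusableTCPServer(socketserver.TCPServer):
    # Lets the check be re-run immediately without waiting for TIME_WAIT.
    allow_reuse_address = True


class ChallengeResponder:
    """Serves exactly one key authorization on the internal port."""

    def __init__(self, internal_port, token, key_auth):
        path = ACME_PATH + token
        body = key_auth.encode()

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                if self.path != path:
                    self.send_error(404)
                    return
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):  # keep the check quiet
                pass

        self.httpd = _ReusableTCPServer(("0.0.0.0", internal_port), Handler)
        # Port actually bound (differs from the argument only when 0 was given).
        self.port = self.httpd.server_address[1]
        self._thread = threading.Thread(target=self.httpd.serve_forever, daemon=True)
        self._thread.start()

    def stop(self):
        self.httpd.shutdown()
        self.httpd.server_close()


def probe(hostname, external_port, token, key_auth, timeout=5):
    """Fetch the token the way a validation server would; True only if the
    body that comes back is byte-for-byte the published key authorization."""
    url = f"http://{hostname}:{external_port}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read() == key_auth.encode()
    except (urllib.error.URLError, OSError, ValueError):
        # 404, connection refused, timeout, bad URL: all mean "path broken".
        return False


def check_forwarding(hostname, internal_port, external_port=80):
    """Publish a fresh token on internal_port and verify it is reachable via
    hostname:external_port. Returns True when the forward works end to end."""
    token = secrets.token_urlsafe(32)
    # Constructed stand-in for "<token>.<account key thumbprint>".
    key_auth = token + ".constructed-account-key-thumbprint"
    responder = ChallengeResponder(internal_port, token, key_auth)
    try:
        return probe(hostname, external_port, token, key_auth)
    finally:
        responder.stop()


if __name__ == "__main__":
    # Hypothetical values: public name example.com, firewall forwards 80 -> 40443.
    ok = check_forwarding("example.com", 40443)
    print("port 80 -> 40443 forwarding works" if ok else "validation path is broken")
```

Run it from the host that will run certbot certonly, with the internal port set to the same value you intend to pass to --http-01-port; if it reports a broken path, fix the forward (or drop --http-01-port and let the responder listen on 80 directly) before requesting the certificate, since the CA will follow the same route.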