Using NAT and changing the port

When using NAT to my server, from which IP addresses is the connection coming from? Is it possible to change the port of certbot from 80 to another? I just don't want to open port 80 for everyone. Do I understand correctly that I should then use WEBROOT ?

Still the Let's Encrypt IP address(es). NAT (usually) changes the destination IP address from the public IP address to the local private IP address. But it keeps the source address the same.

Yes, that's possible. But note that the Let's Encrypt validation server will always connect to port 80. However, if you use NAT to, for example, portmap external port 80 to internal port 8080, you could run Certbot on port 8080.

There is no reason to close port 80 and keep port 443 (for HTTPS) open. Any attack vector on port 80 would also work on port 443.

Multiple authenticator plugins are capable of the http-01 challenge, not only the webroot plugin.


My Web applications only work within the local network and through VPN, so I don't want to do NAT.

Do I understand correctly that I need to stop the Nginx service each time to renew the certificates?

I would like to know the list of IP addresses so that I can only NAT those addresses.

No, that's not necessary. Certbot can also use a existing webserver, such as nginx. (By using the nginx plugin or the webroot plugin.) But you asked specifically if Certbot could listen on a different port than 80, so the answer would be "yes" to that specific question.

No such list is available and no such list will be available. See also: FAQ - Let's Encrypt


Tell me how you can update certificates without stopping Nginx.

See the Certbot website:

1 Like

If these are "private" servers, you may find using the DNS-01 challenge more suitable, as then only the DNS server needs to be exposed to the world rather than also exposing the web server. The only tricky part that that you need to automate the proper response to the DNS challenge, either through using a DNS server that supports an API (and a plugin for your ACME client to use it), or through something like acme-dns or agnos.


Several ways:

  • NAT external IP port 80 to internal IP port ##### [some unused port]
    run certbot in --standalone mode and have it listen on port #####
    [zero conflict with any existing web service(s) (running on any other ports)]
  • Use --webroot
    Presuming your nginx has an HTTP listener that can respond to http://external-IP:80/
  • Use DNS-01 authentication
    This "works" without using an HTTP service.
    [more complicated than HTTP authentication and not all DSPs support the required DNS updates via API]
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.