What ports do i need opened to get a SSL cert

hi all,

on my firewall i have opened from my lets encrypt server 443 outbound to any external ip (as lets encrypt says it doesnt just use 1 ip address and it uses sometimes different ones)

also i have done a port forward from any external ip inbound 443 to my lets encrypt server

this connects to the service but it cant give me a SSL cert (see below) -

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): sftp.molinare.co.uk
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for sftp.molinare.co.uk

We were unable to find a vhost with a ServerName or Address of sftp.molinare.co.uk.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)

1: ssl.conf | | HTTPS | Enabled

Press 1 [enter] to confirm the selection (press ‘c’ to cancel): 1
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. sftp.molinare.co.uk (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

from an external ip if i connect to “sftp.molinare.co.uk” i get my web server apache test page

can anyone help, many thanks,


From my connection, I cannot ping sftp.molinare.co.uk, telnet to port 80/443 does not work either.

ok i will contact our firewall ISP and get them to do that as i thought they did it

its my sftp server aswell so port 22 works when i telnet into it from an external ip

ha funny…

it was because our ISP who look after our firewall didnt NAT port 443 to my server for it to resolve my public dns name and also need port 443 outbound from server to internet

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.