How to Configure Certbot with LetsEncrypt When Your Web Server Runs on Non-Standard Ports (Not 443)

When attempting to use Certbot with Let's Encrypt on ports other than 443, many developers encounter the TLS-SNI-01 challenge failure. The root issue stems from Let's Encrypt's default assumption that your web server listens on port 443 for HTTPS traffic.

The common approach of using --tls-sni-01-port often fails because:

1. Certbot still tries to validate through port 443 first
2. Some Apache/Nginx configurations don't properly redirect the challenge
3. Firewall rules might block the non-standard port

Option 1: Temporary Port Forwarding

This method works well when you have control over your network configuration:

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port YOUR_CUSTOM_PORT
certbot --apache -d your.domain.com
sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port YOUR_CUSTOM_PORT

Option 2: DNS-Based Validation (Recommended)

The most reliable approach is to use DNS-01 challenges instead of TLS-SNI:

certbot certonly --manual --preferred-challenges dns -d your.domain.com

This requires you to add a TXT record to your DNS, but works regardless of your web server's port configuration.

Option 3: Standalone Mode with Custom Port

For advanced users running non-standard setups:

certbot certonly --standalone --tls-sni-01-port YOUR_PORT -d your.domain.com

Note: You must stop your web server temporarily during this process.

1. Verify your custom port is open in firewall rules:

sudo ufw allow YOUR_PORT/tcp

2. For production environments, consider automating DNS challenges with hooks:

certbot certonly --manual --preferred-challenges dns \
  --manual-auth-hook /path/to/dns/authenticator.sh \
  --manual-cleanup-hook /path/to/dns/cleanup.sh \
  -d your.domain.com
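As an added example, not code from the original page, here is one shell script that can serve as both the --manual-auth-hook and (with the argument "cleanup") the --manual-cleanup-hook shown above. It publishes the _acme-challenge TXT record through nsupdate (RFC 2136) and waits until the authoritative server actually returns it before handing control back to Certbot; the DNS server name and TSIG key path are placeholders to replace with your own.

```shell
#!/bin/sh
# Certbot DNS-01 hook (added example): use the same file as --manual-auth-hook and,
# with the argument "cleanup", as --manual-cleanup-hook. Server and key are placeholders.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.invalid}"    # placeholder authoritative server
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"   # placeholder TSIG key for RFC 2136 updates
TTL=60
# The validation record lives at _acme-challenge.<domain>; a wildcard name
# (*.example.com) is validated at its base name, so strip a leading "*.".
acme_record_name() {
    case "$1" in
        \*.*) domain="${1#??}" ;;
        *)    domain="$1" ;;
    esac
    printf '_acme-challenge.%s.' "$domain"
}

# Emit the nsupdate batch that adds or deletes the TXT record.
nsupdate_batch() {
    action="$1"; name="$2"; value="$3"
    if [ "$action" = add ]; then ttl="$TTL "; else ttl=""; fi
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update %s %s %sTXT "%s"\n' "$action" "$name" "$ttl" "$value"
    printf 'send\n'
}

# Poll until the authoritative server serves the value: Let's Encrypt queries
# from outside, and returning before the record is visible fails the challenge.
wait_for_txt() {
    name="$1"; value="$2"; tries="${3:-30}"
    while [ "$tries" -gt 0 ]; do
        dig +short @"$DNS_SERVER" TXT "$name" | grep -qF "\"$value\"" && return 0
        tries=$((tries - 1)); sleep 2
    done
    return 1
}

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
main() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    if [ "${1:-auth}" = cleanup ]; then
        nsupdate_batch delete "$name" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
    else
        nsupdate_batch add "$name" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
        wait_for_txt "$name" "$CERTBOT_VALIDATION"
    fi
}
if [ -n "${CERTBOT_DOMAIN:-}" ]; then main "${1:-}"; fi
```

The cleanup hook should always remove the record, otherwise stale _acme-challenge values accumulate and the next renewal may be validated against the wrong one.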

After obtaining your certificate, ensure your web server config points to the correct files:

SSLCertificateFile /etc/letsencrypt/live/your.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your.domain.com/privkey.pem

When working with Let's Encrypt's ACME protocol, you'll encounter a common roadblock if your web service isn't running on port 443. The default validation methods (tls-sni-01, http-01) assume standard ports:

# Typical error you'll see:
# Failed authorization procedure. domain.com (tls-sni-01):
# The server could not connect to the client to verify the domain
# Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge

The fundamental challenge stems from how Let's Encrypt's validation servers attempt to verify domain control:

  • For HTTP-01: Tries port 80 by default
  • For TLS-SNI-01: Tries port 443 by default
  • For DNS-01: Doesn't require open ports

Option 1: Use DNS-01 Challenge (Recommended)

This method completely bypasses port requirements by verifying through DNS records:

certbot certonly --manual --preferred-challenges dns \
  -d example.com \
  --server https://acme-v02.api.letsencrypt.org/directory

Option 2: Temporary Port Forwarding

If DNS validation isn't possible, create a temporary redirect:

# Using iptables for temporary redirection
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 14831
certbot --apache -d example.com
iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 14831

The --tls-sni-01-port parameter only changes the port on which Certbot (or your server) listens for the challenge, not the port that Let's Encrypt's validation servers connect to, which stays 443 for TLS-SNI-01. This explains why your attempt with port 14831 failed.

Consider these additional approaches:

# 1. HTTP-01 with custom port (requires webroot)
certbot certonly --webroot -w /var/www/html --http-01-port 8080 -d example.com

# 2. Standalone mode with custom port
certbot certonly --standalone --preferred-challenges http --http-01-port 8080 -d example.com

For production environments, we strongly recommend:

  • Implementing DNS-01 validation with automated hooks
  • Setting up proper port forwarding rules if you must use HTTP/TLS validation
  • Considering reverse proxy configurations that expose standard ports