
Is it possible to do the challenge using another port? I read here that you can't replace port 80, but using an "alternative Let's Encrypt client" you can? (Not clear at all.)

I have one server in this network where the administrator is unable or unwilling to do a port forward on port 80, but had no problem with 443. Any ideas?

2 Answers


As stated in the Certbot FAQ:

Yes, using the DNS-01 or TLS-ALPN-01 challenge. However, Certbot does not include support for TLS-ALPN-01 yet. If you're using any Certbot with any method other than DNS authentication, your web server must listen on port 80, or at least be capable of doing so temporarily during certificate validation.

Therefore, you only have two options with Certbot:

  1. Redirect from http://example.com:80/ to https://example.com:443/.

    Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443.

  2. Use the DNS-01 challenge, instead. However...

    Since automation of issuance and renewals is really important, it only makes sense to use DNS-01 challenges if your DNS provider has an API you can use to automate updates.

Esa Jokinen

Yes, by using clients other than Certbot, you can do that using the tls-alpn-01 challenge (as pointed out above).

One alternative client which supports this is acme.sh. As you see in the description there, it is designed exactly to solve the problem you are facing.

Another "alternative client" which supports this challenge is built into the Caddy server.

Nikita Kipriyanov
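To make the port question concrete, here is an added example (not code from either answer, nor from Certbot or acme.sh) that computes what the CA expects to find for each of the three challenge types discussed above, using only the Python standard library. The account key (`ACCOUNT_JWK`) and the challenge token are constructed placeholders, not real values. The CA-side rules come from RFC 8555 (HTTP-01, DNS-01) and RFC 8737 (TLS-ALPN-01): HTTP-01 is fetched by the CA over port 80 and may redirect only to http/https on ports 80 or 443, TLS-ALPN-01 is a TLS handshake the CA makes to port 443 with ALPN `acme-tls/1`, and DNS-01 needs no inbound port at all.

```python
"""Expected ACME challenge responses for HTTP-01, DNS-01 and TLS-ALPN-01.

Added example, not from the original thread. ACCOUNT_JWK and TOKEN are
constructed placeholders; the rules implemented come from RFC 8555 and
RFC 8737 and explain why only ports 80 and 443 are ever contacted by the CA.
"""
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Constructed account public key in JWK form. The modulus is filler text,
# not a real RSA key; the thumbprint only hashes the JSON, so that is enough.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-filler-modulus-not-a-real-key",
}

# Constructed challenge token (the CA generates the real one per authorization).
TOKEN = "c0nstructedT0kenF0rIllustrat10nOnly-NotFromACA"

# RFC 8737: id-pe-acmeIdentifier OBJECT IDENTIFIER ::= { id-pe 31 }
ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.31"
ACME_TLS_ALPN = "acme-tls/1"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere (RFC 8555 s2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: keyAuthorization = token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """URL the CA fetches (always plain HTTP on port 80) and the body it must see."""
    return (f"http://{domain}/.well-known/acme-challenge/{token}", key_authorization(token, jwk))


def http01_redirect_allowed(target_url: str) -> bool:
    """Let's Encrypt follows HTTP-01 redirects only to http/https on ports 80 or 443."""
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https"):
        return False
    port = parts.port if parts.port is not None else (80 if parts.scheme == "http" else 443)
    return port in (80, 443)


def dns01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """TXT record name and value (RFC 8555 s8.4); no inbound port is needed."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}.", b64url(digest)


def tls_alpn01_extension(domain: str, token: str, jwk: dict) -> dict:
    """What the self-signed cert served on port 443 with ALPN acme-tls/1 must carry (RFC 8737)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {
        "alpn": ACME_TLS_ALPN,
        "san": domain,  # exactly one dNSName SAN: the identifier being validated
        "extension_oid": ACME_IDENTIFIER_OID,
        "critical": True,
        # DER: OCTET STRING (0x04), length 32 (0x20), then the SHA-256 digest
        "extension_value_der": b"\x04\x20" + digest,
    }


if __name__ == "__main__":
    dom = "example.com"
    print("HTTP-01 :", *http01_response(dom, TOKEN, ACCOUNT_JWK))
    print("DNS-01  :", *dns01_response(dom, TOKEN, ACCOUNT_JWK))
    ext = tls_alpn01_extension(dom, TOKEN, ACCOUNT_JWK)
    print("TLS-ALPN-01:", ext["alpn"], ext["extension_oid"], ext["extension_value_der"].hex())
    for url in ("https://example.com/", "https://example.com:8443/"):
        print("HTTP-01 redirect to", url, "allowed:", http01_redirect_allowed(url))
```

The port restriction is visible in the code paths: `http01_response` is only ever fetched from port 80, `tls_alpn01_extension` describes a certificate the CA retrieves from port 443, and `http01_redirect_allowed` shows that redirecting port 80 to, say, `https://example.com:8443/` fails validation even though the redirect itself is followed. For the situation in the question (443 reachable, 80 not), that leaves TLS-ALPN-01 through a client that supports it, or DNS-01.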