Issue ACME Certificates with HTTP-01 or TLS-ALPN-01
Issue a trusted public certificate when the requested hostname reaches p2pstream on the required inbound validation port.
Use This When
Use HTTP-01 or TLS-ALPN-01 when public DNS points directly to p2pstream and inbound port 80 or 443 is available.
Prerequisites
| Challenge | Required public reachability |
|---|---|
| HTTP-01 | http://hostname/.well-known/acme-challenge/... reaches a p2pstream HTTP listener. |
| TLS-ALPN-01 | https://hostname:443 reaches a p2pstream HTTPS listener. |
Public DNS required
The hostname must be a publicly resolvable fully-qualified domain name. localhost, bare IP addresses, and internal-only names will cause the ACME challenge to fail — the Let's Encrypt servers cannot reach them to validate ownership. Wildcards (*.example.com) also cannot use these methods; use DNS-01 instead.
Steps
Open Proxy -> Listeners.
For HTTP-01, ensure an HTTP listener is enabled and running on container port
80.For TLS-ALPN-01, ensure an HTTPS listener is enabled and running on container port
443.Open TLS and add a certificate mapping:
Field Value Listener public-httpsHostname pattern app.example.comMethod HTTP-01orTLS-ALPNCA Let's Encrypt staging for testing, production when ready Email your ACME account email Enabled On 
The ACME mapping dialog ties the hostname pattern to an HTTPS listener and selects the HTTP-01 or TLS-ALPN-01 validation method and Let's Encrypt CA.
Verification
The certificate status should move from pending or renewing to ready.
Run:
curl -I https://app.example.comTroubleshooting
| Symptom | Check |
|---|---|
| Status stays error | Open TLS and read last_error. |
| HTTP-01 fails | DNS and firewall must send port 80 to the p2pstream HTTP listener. |
| TLS-ALPN-01 fails | DNS and firewall must send port 443 to the p2pstream HTTPS listener. |
| Wildcard rejected | Use DNS-01 with a Cloudflare DNS credential. |