You can (obviously) go for the manual installation or use DNS auth if you can easily access your DNS server. But, if you have a very simple setup, like a server being behind a NAT and running on a different port, the standard way of using certbot no longer works.

I found the following setup to be working:

• Set up a port forward for port 443 in your NAT. Since your server does not use this port, this will not do anything, yet.
• Install certbot according to their tutorial
• Now you would normally do

  $ ./path/to/certbot-auto --apache

  But this won’t work because you are using a different port.

• Instead do a manual authentiation with

  ./certbot-auto certonly --standalone

• Follow the instructions to obtain the certificate.
• Next, you can install the certificate yourself, or be lazy and use certbot’s installer for apache. Since you want it only to do the install (and not the authentication again) you have to call it like this:

  ./certbot-auto install --apache --cert-path /etc/letsencrypt/live/<your-domain>/fullchain.pem --key-path /etc/letsencrypt/live/<your-domain>/privkey.pem --chain-path /etc/letsencrypt/live/<your-domain>/fullchain.pem -d <your-domain>

• Adapt the paths accordingly to what the –standalone run of certbot told you.

#!/bin/bash

cat /var/lib/arpwatch/arp.dat | grep $1 |  awk  '{$3=strftime("%Y-%m-%d %H:%M:%S", $3);printf "%-20s %-20s %s %s\n",$1,$2,$3,$4}'