I use Apache to host some files for everyone to view, protected with HTTPS. I also have an OpenVPN host. Because some networks block outbound ports such as 1194, I use the port-share feature in OpenVPN so that HTTP traffic arriving at OpenVPN is routed on to Apache. This way I can still host my website on port 443 while also connecting to the VPN over port 443, which is (almost) always open.
Apache simply has its HTTPS port changed to 4443, and OpenVPN decides on its own which traffic is sent from 443 to 4443.
However, my Apache server uses a Let's Encrypt certificate with Certbot for automatic renewal. As far as I can tell, this port sharing causes some problems, and Certbot cannot auto-renew correctly. If it tries while port sharing is active, it spits out this error:
Attempting to renew cert (maxattax.com) from /etc/letsencrypt/renewal/maxattax.com.conf produced an unexpected error: Failed authorization procedure. maxattax.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, www.maxattax.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
If I change the configuration so that Apache runs on port 443 instead of 4443 and shut down OpenVPN, Certbot can renew again.
My question is: how can I keep OpenVPN on port 443, keep Apache HTTPS on port 443, and still allow Certbot to auto-renew?
Relevant part of /etc/openvpn/server.conf:
port 443
proto tcp
port-share localhost 4443
Contents of /etc/apache2/ports.conf:
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
# Modified to port 4443 for OpenVPN passthrough
<IfModule ssl_module>
Listen 4443
</IfModule>
<IfModule mod_gnutls.c>
Listen 4443
</IfModule>
Contents of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:4443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
#SSLCertificateFile /etc/letsencrypt/live/maxattax.com/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/maxattax.com/privkey.pem
SSLCertificateKeyFile /etc/letsencrypt/live/maxattax.com/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/maxattax.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/maxattax.com/fullchain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName maxattax.com
ServerAlias www.maxattax.com
</VirtualHost>
</IfModule>
PS: maxattax.com is not my real domain.
Answer 1
English version:
Let's take maxattax.com as an example.
Certbot command line: add the extra flags when requesting the SSL certificate:
sudo certbot certonly --apache --tls-sni-01-port 4443 --allow-subset-of-names --cert-name maxattax.com -d maxattax.com -d www.maxattax.com
After the command succeeds, the certbot renewal config file saves the options and flags we just used for the next automatic renewal:
/etc/letsencrypt/renewal/maxattax.com.conf
Check whether automatic renewal succeeds:
sudo certbot renew --dry-run
If no failures are reported, the job is done!
Note:
Check whether /etc/apache2/ports.conf was edited by certbot.
My website got an SSL error because certbot had added a duplicate "Listen" directive.
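Two checks for the points the answer raises, as an added example that is not from the original post: whether the renewal file pins the validation port to the port Apache listens on, and whether certbot left a duplicate Listen in ports.conf (the two Listen 4443 lines in the question sit in different IfModule blocks and are not duplicates). It assumes the renewal file stores the flag as `tls_sni_01_port = 4443` and uses constructed sample files; Let's Encrypt has since retired tls-sni-01, so the port check only applies to setups that still record that option.

```shell
#!/bin/sh
# Added example, not part of the original answer. Input files are constructed
# samples written to a temporary directory so the script runs offline.
set -eu

# Print ports that are listened on more than once in an Apache ports.conf.
# A port is duplicated when it repeats in the same context, or appears both at
# top level and inside an <IfModule> block. Comment lines are ignored.
duplicate_listen() {
    awk '
        /^[[:space:]]*#/           { next }
        /^[[:space:]]*<IfModule/   { ctx = $2; sub(/>.*/, "", ctx); next }
        /^[[:space:]]*<\/IfModule/ { ctx = ""; next }
        $1 == "Listen" {
            port = $2; sub(/.*:/, "", port)      # "0.0.0.0:443" -> "443"
            seen[ctx SUBSEP port]++
            if (ctx == "") global[port] = 1
        }
        END {
            for (k in seen) {
                split(k, a, SUBSEP); p = a[2]
                if (seen[k] > 1 || (a[1] != "" && (p in global))) dup[p] = 1
            }
            for (p in dup) print p
        }' "$1" | sort
}

# Succeed only if the renewal file records the expected validation port.
# Assumption: certbot stored --tls-sni-01-port as "tls_sni_01_port = <port>".
renewal_port_ok() {
    grep -qE "^[[:space:]]*tls_sni_01_port[[:space:]]*=[[:space:]]*$2[[:space:]]*\$" "$1"
}

tmp=$(mktemp -d)
# Constructed ports.conf matching the question: one Listen per IfModule block.
printf 'Listen 80\n<IfModule ssl_module>\nListen 4443\n</IfModule>\n<IfModule mod_gnutls.c>\nListen 4443\n</IfModule>\n' > "$tmp/good.conf"
# Constructed breakage the answer describes: certbot added a second Listen 443.
printf 'Listen 443\nListen 80\n<IfModule ssl_module>\nListen 443\n</IfModule>\n' > "$tmp/bad.conf"
printf '[renewalparams]\nauthenticator = apache\ntls_sni_01_port = 4443\n' > "$tmp/renewal.conf"

echo "duplicate Listen in good.conf: $(duplicate_listen "$tmp/good.conf")"
echo "duplicate Listen in bad.conf: $(duplicate_listen "$tmp/bad.conf")"
renewal_port_ok "$tmp/renewal.conf" 4443 && echo "renewal file pins port 4443"
```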