Omg, that sounds annoying, didn't know that ;) Since I did the internal CA thing to save time and now I already pay for a VPS instance, that pain is out of the question ;)
The VPS firewall has 80, 8080, 443 and 2022 open, and the backend is a default LTS Ubuntu without iptables. All the other ports (80, 8080, 2022) work without intervention (and the Cloud C2 web interface works via browser, just the crab can't connect due to the tls: unknown certificate error).