I am trying to set up certbot with Apache and did it successfully; I got a cert and everything works fine with it.
After that, I removed the virtual host section for port 80 and closed that port on the firewall.
When I do a dry-run: $ certbot renew --dry-run
I get “Unable to find a virtual host listening on port 80”, which is correct, since there is none.
When I add a virtual host, dry-run runs without errors.
When I do a “$ certbot --apache -d my.domain” I get a new cert.
BUT: Port 80 is blocked by the firewall all the time. I cannot connect to it from outside.
So I do not understand why certbot complains about the missing virtual host for port 80 when a connection to this port is not needed for a renewal.