My server is accessible through HTTPS from the internet using a Let's Encrypt certificate and everything is running fine. My “problem” is that I can renew my certificate even though port 80 of the internet-facing router interface is not listening.
Let me at first explain how I obtained the certificate in the first place:
My server is behind a router doing NAT; the setup is as follows:
Served by HTTP-daemon 1:
- External port 27950 is forwarded to port 80 of my server in the LAN.
- External Port 27951 is forwarded to port 443 of my server in the LAN.
Served by HTTP-daemon 2:
- External port 80 is forwarded to port 8080 of my server in the LAN. This daemon is running only for a few seconds to obtain the certificate using certbot certonly --webroot. After obtaining the certificate, the daemon is shut down and the other HTTP-daemon described above is reconfigured to make use of the certificate.
And here’s the thing: When I run certbot renew --force-renew, the certificate successfully gets renewed, ALTHOUGH, at this time, only HTTPd #1 is running. HTTPd #2, the one which listens on port 80 of the internet-facing interface, is NOT running.
I have found this post, which explains why renewal works without being accessible from the internet: Understanding certbot renew
However, it says
If you renew your cert during those 30 days there is no need to revalidate your domain but it doesn’t extend the validated authorization.
which is not true in my case. The images attached show that, in my case, the certificate's expiration date clearly gets adjusted as well. So this post is not a sufficient explanation for the behaviour I witness.
Edit: Okay, new users can only upload one picture… So I cannot show you a before-after comparison. I guess you have to rely on my words.
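The setup above relies on the HTTP-01 webroot method: certbot drops a token file under .well-known/acme-challenge/ in the webroot, and the validator fetches it over plain HTTP on port 80. The following is an added example, not code from the post or from certbot, that reproduces that exchange locally so you can see what the temporary "HTTP-daemon 2" must actually provide. It stands in a throwaway HTTP server for daemon 2, writes a constructed token, fetches it the way the validator would, then shuts the server down and fetches again to show the failure mode when nothing listens on the forwarded port. The host, port, token and key-authorization values are assumptions for a local run.

```python
"""Local self-check of the HTTP-01 webroot exchange (added example, not certbot's code)."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

# Path certbot --webroot uses below the webroot; the validator requests the same path.
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Plain static file server; logging suppressed to keep the demo output clean."""

    def log_message(self, *args):
        pass


def write_challenge(webroot, token, key_authorization):
    """Place the challenge file exactly where certbot --webroot would write it."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(key_authorization)


def serve_webroot(webroot, host="127.0.0.1", port=0):
    """Serve the webroot over HTTP (the role of the post's HTTP-daemon 2).

    port=0 lets the OS pick a free port; returns (server, bound_port).
    """
    handler = functools.partial(QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def validate_challenge(host, port, token, expected):
    """Fetch the token like the ACME validator does.

    Returns True only for a 200 response whose body matches the expected
    key authorization; any connection error or other status is a failure,
    which is what happens when port 80 is not forwarded to a running daemon.
    """
    url = f"http://{host}:{port}/{CHALLENGE_DIR.replace(os.sep, '/')}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            return resp.status == 200 and resp.read().decode().strip() == expected
    except (urllib.error.URLError, OSError):
        return False


def demo():
    """Run both cases: daemon up (validation succeeds) and daemon down (fails).

    Token and key authorization are constructed sample values, not real ACME data.
    """
    token = "constructed-token-0001"
    key_authorization = token + ".constructed-account-thumbprint"
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, token, key_authorization)
        server, port = serve_webroot(webroot)
        try:
            while_up = validate_challenge("127.0.0.1", port, token, key_authorization)
        finally:
            server.shutdown()
            server.server_close()
        # Same URL, but nothing listens any more: connection refused -> False.
        while_down = validate_challenge("127.0.0.1", port, token, key_authorization)
    return while_up, while_down


if __name__ == "__main__":
    up, down = demo()
    print(f"validation with daemon running: {up}, after shutdown: {down}")
```

The first result is what the validator sees while daemon 2 is up and external port 80 is forwarded to it; the second is what it sees once that daemon is stopped. Running the check from a host outside the NAT against the real hostname and port 80 tells you whether the router forwarding, not just the local daemon, is in place.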