Dry-run cert renewal works, live cert renewal fails on 400 error

Thanks, Jurgen. Please request an update to these instructions by @bmw:

which states:

1. Do a full renewal dry run:
   sudo certbot renew --dry-run

If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go! No further action should be required to deal with the end of TLS-SNI-01 support.

The dry run returned a success even with the webserver-stopping pre-hook enabled, but the actual renewal failed. Therefore, stating "If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go" is inaccurate.

Regardless of those instructions, why does the dry run succeed with the pre-hook enabled? The certbot documentation states:

For advanced certificate management tasks, it is possible to manually modify the certificate’s renewal configuration file, but this is discouraged since it can easily break Certbot’s ability to renew your certificates. If you choose to modify the renewal configuration file we advise you to test its validity with the certbot renew --dry-run command.

The --help-all output regarding --dry-run states:

It also calls --pre-hook and --post-hook commands if they are defined because they may be necessary to accurately simulate renewal.

These statements do not seem to reflect reality. If a pre-hook stopping the server is causing renewal to fail, I would expect consistent failures when running with and without --dry-run.

1 Like
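A small sanity check a practitioner can run before trusting a passing dry run, added here as an illustration and not part of the post or of certbot itself: it reads a certbot renewal configuration file (the `/etc/letsencrypt/renewal/<name>.conf` file whose manual editing the quoted documentation warns about) and flags a `pre_hook` that stops or kills a process while the configured `authenticator` is one that needs the web server running (`webroot`, `apache`, `nginx`). That combination is assumed here to be a common reason a server-stopping pre-hook breaks a live renewal; the post does not state which authenticator was in use, so the check is a general one. The two config files below are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of certbot: inspect a renewal config for a
# pre_hook that stops the web server while the authenticator needs it.

# conf_get FILE KEY: print the value of a "key = value" line from the
# [renewalparams] style config (first match only).
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_renewal_conf FILE: return 0 if the hook/authenticator pair looks
# consistent, 1 if the pre_hook stops a server the authenticator relies on.
check_renewal_conf() {
  conf="$1"
  pre=$(conf_get "$conf" pre_hook)
  auth=$(conf_get "$conf" authenticator)
  case "$auth" in
    webroot|apache|nginx)
      case "$pre" in
        *stop*|*kill*)
          echo "WARN: $conf: authenticator '$auth' needs the web server, but pre_hook '$pre' stops it" >&2
          return 1 ;;
      esac ;;
  esac
  echo "OK: $conf: authenticator '${auth:-unset}', pre_hook '${pre:-none}'"
  return 0
}

# Constructed sample configs (assumed values, not from the post).
make_samples() {
  cat > /tmp/risky.conf <<'EOF'
[renewalparams]
authenticator = webroot
pre_hook = systemctl stop nginx
post_hook = systemctl start nginx
EOF
  cat > /tmp/fine.conf <<'EOF'
[renewalparams]
authenticator = standalone
pre_hook = systemctl stop nginx
post_hook = systemctl start nginx
EOF
}

# Usage: check every renewal config on the host.
#   for f in /etc/letsencrypt/renewal/*.conf; do check_renewal_conf "$f"; done
```

The `standalone` authenticator spins up its own listener, so stopping the regular web server in `pre_hook` is the expected pattern there and passes; a `webroot`, `apache` or `nginx` authenticator paired with the same hook is reported.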