I am having trouble testing the renewal of a certificate. I do not have any web server running, so I am running this script to get my initial certificate.
Is having a different public IP for the VM from when I created the cert to when I renew the cert okay? In the current setup the public IP is not set to static, so every time I stop/start the VM a different IP would be used.
That is not a problem as long as the DNS also points to the new IP. Does it?
And, to renew a cert you just use certbot renew, and to test it, certbot renew --dry-run.
The renew command reads all the config files in /etc/letsencrypt/renewal and renews them all using the same settings as when their certs were last successfully issued. A cron job or systemd timer was probably set up by Certbot to run a renew command regularly, so these are done automatically.
Then it will pause and show you the URL it is expected to see. Leave it paused, open another window or a device outside that network, and try that URL.
If you do it quickly and post the URL here, I may have time to check it from my network.
A timeout error means the Let's Encrypt server cannot reach that domain name using HTTP to prove you control that domain. Usually that is a firewall, but other things can cause it.
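The reachability test described in the replies above, written out as an added example (this is not code from the thread or from Certbot): it resolves the name, fetches the HTTP-01 path the way the validation server would, and classifies the outcome so a timeout can be told apart from a wrong file or a closed port. The throwaway local server, the token value and the `free_port` helper are constructed for the demo; point `check_http01` at your real domain and token to reproduce what `--debug-challenges` pauses on.

```python
"""Probe an HTTP-01 challenge URL and classify why it fails.

Constructed demo: the local server below stands in for the VM, and the token
values are made up. Let's Encrypt fetches exactly this path over plain HTTP
on port 80, so the checker uses the same path and scheme.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def check_http01(host, token, port=80, timeout=5.0):
    """Return one of: ok, wrong-body, http-<status>, dns-failure, refused,
    timeout, unreachable.

    A stale DNS record (e.g. the VM's old public IP) shows up as dns-failure,
    refused or timeout against the wrong address; a firewall that drops the
    packets shows up as timeout, which is the error the thread is about.
    """
    try:
        socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return "dns-failure"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH + token)
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace")
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:          # no route to host, network down, etc.
        return "unreachable"
    finally:
        conn.close()
    if resp.status != 200:
        return f"http-{resp.status}"
    # The real body is "<token>.<account thumbprint>"; checking the token
    # prefix is enough to distinguish the right file from some other page.
    return "ok" if body.startswith(token) else "wrong-body"


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Serves one token, like certbot --standalone does during a challenge."""
    token = "demo-token"     # constructed; real tokens are random

    def do_GET(self):
        if self.path == CHALLENGE_PATH + self.token:
            body = f"{self.token}.demo-thumbprint".encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):    # keep the demo quiet
        pass


def start_demo_server(token="demo-token"):
    """Start a throwaway challenge server on 127.0.0.1; return (server, port)."""
    handler = type("Handler", (_ChallengeHandler,), {"token": token})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def start_silent_listener():
    """A socket that completes the TCP handshake but never answers. The
    checker (and Let's Encrypt) sees the same thing as with a firewall that
    silently drops the traffic: a timeout."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def free_port():
    """A port nobody listens on, to show the 'refused' outcome."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_demo_server()
    print("right token :", check_http01("127.0.0.1", "demo-token", port))
    print("wrong token :", check_http01("127.0.0.1", "other", port))
    print("closed port :", check_http01("127.0.0.1", "demo-token", free_port()))
    silent, sport = start_silent_listener()
    print("silent host :", check_http01("127.0.0.1", "demo-token", sport, timeout=1.0))
    silent.close()
    srv.shutdown()
```

Run it from a machine outside the VM's network, with the real domain and port 80, while certbot is paused on --debug-challenges; a "timeout" there is the firewall (or a wrong DNS record), a "refused" means nothing is listening, and "http-404" means something else owns port 80 and is not serving the challenge file.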
Please first show what certs you already have, with the output of this. Can you please copy/paste the results into this forum? It is very hard to read or work with images.
I tried opening ports 80 and 443 to all IPs. Then I retried certbot renew --dry-run and it worked! However, for production purposes, how can I whitelist the needed IP/DNS for the validation in the renewal?
Sorry, my mistake. It should have been --debug-challenges with two dashes, not one. With just one dash it thought you were adding a second domain name of ebug-challenges. It was hard to read your pasted image, but it was my fault for not testing the sample command.
But, glad you found the error.
Let's Encrypt does not publish a list of IP addresses. See the FAQ item about this, and also what they recommend about port 80.
Oops. Sorry, I did not double check the script either, lol. I don't know about keeping ports 80/443 open most of the time (maybe I will just do this manually when the cert is already up for renewal). However, since I do not have any web server in this VM, maybe it is okay? Spinning up a temp web server is usually only done when renewing/creating a cert, right?
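An added example (not code from the thread or from Certbot) that ties together the two points made above: `certbot renew` re-uses whatever is stored in /etc/letsencrypt/renewal/*.conf, and a lineage issued with the standalone authenticator needs port 80 reachable at every renewal, not just the first issuance. The script parses that file format and flags standalone lineages that have no pre/post hook recorded to open and close the port around the challenge. The two config files are constructed samples in certbot's real layout; the account id, paths and hook script names are invented, and the assumption that a hook pair is what opens the port is the reader's own policy, not something certbot enforces.

```python
"""Audit certbot renewal configs for lineages that need port 80 at renewal.

SAMPLE_CONFS are constructed samples in the format certbot writes; account
ids, paths and hook commands are made up. load_renewal_dir() reads the real
directory with the same shape.
"""
import configparser
from pathlib import Path

SAMPLE_CONFS = {
    "example.com.conf": """\
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
""",
    "www.example.net.conf": """\
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/www.example.net
cert = /etc/letsencrypt/live/www.example.net/cert.pem
privkey = /etc/letsencrypt/live/www.example.net/privkey.pem
chain = /etc/letsencrypt/live/www.example.net/chain.pem
fullchain = /etc/letsencrypt/live/www.example.net/fullchain.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
pre_hook = /usr/local/sbin/open-port-80.sh
post_hook = /usr/local/sbin/close-port-80.sh
""",
}


def parse_renewal_conf(text):
    """Parse one renewal .conf into {'lineage': {...}, 'renewalparams': {...}}.

    The file starts with bare key = value lines before [renewalparams], which
    configparser rejects, so a dummy section header is prepended (certbot
    itself reads the file with configobj). Nested [[webroot_map]] sections
    used by the webroot authenticator are not interpreted here.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[lineage]\n" + text)
    return {"lineage": dict(cp["lineage"]),
            "renewalparams": dict(cp["renewalparams"])}


def audit(confs):
    """Return [(lineage, authenticator, finding)] for each conf in `confs`."""
    findings = []
    for name, text in confs.items():
        params = parse_renewal_conf(text)["renewalparams"]
        auth = params.get("authenticator", "?")
        lineage = name[:-len(".conf")]
        if auth == "standalone":
            # Assumption for this audit: a pre_hook/post_hook pair is how the
            # operator opens and closes port 80 around the challenge.
            if "pre_hook" in params and "post_hook" in params:
                finding = "standalone: port 80 opened/closed by hooks"
            else:
                finding = ("standalone: port 80 must be reachable during "
                           "renewal, no hooks configured")
        else:
            finding = f"{auth}: no temporary listener needed"
        findings.append((lineage, auth, finding))
    return findings


def load_renewal_dir(path="/etc/letsencrypt/renewal"):
    """Read the real conf files from disk in the same shape as SAMPLE_CONFS."""
    return {p.name: p.read_text() for p in sorted(Path(path).glob("*.conf"))}


if __name__ == "__main__":
    for lineage, auth, finding in audit(SAMPLE_CONFS):
        print(f"{lineage}: {finding}")
```

On a real host, replace `SAMPLE_CONFS` with `load_renewal_dir()` (run as root). Any lineage reported without hooks is one where a `certbot renew` from the cron job or systemd timer will fail with the same timeout seen in this thread whenever port 80 is closed at that moment.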