Force renew worked but no http challenge sent

I was issued a fresh certificate after: sudo certbot renew --force-renew

That's fine except my server never received the http challenges I was expecting. I expected the challenges to fail as I had intentionally set my firewall to block challenges. I was testing my firewall adaptation strategy.

When I say my server never received the challenges it is because they did not show in my nginx access logs. I used my browser to look at the same acme-challenge url as in the letsencrypt log for the renewal and these attempts showed up in my nginx logs (as a 404 as expected at this stage). So, it is not a problem with my logging.

Should I have received the challenges with a --force-renew? There is nothing in the docs to indicate a --force also bypasses challenges.

Thanks

3 Likes

No. That's to be expected. Let's Encrypt caches valid authorizations for 30 days. This can be found in the FAQ: "I successfully renewed a certificate but validation didn't happen this time - how is that possible?"

Please use the staging environment for testing. You're wasting valuable and costly resources by using --force-renewal, especially if you don't know what you're actually doing due to lack of understanding/information.

The following is actually not documented properly, I see: if you use the --dry-run option, which uses the staging environment to test things out such as renewal (which is documented), current certbot versions ensure that it'll always use new validation authorizations, so that every time --dry-run is used, it'll try to validate every hostname again. That last part isn't documented, unfortunately.

7 Likes
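Since a cached authorization means no challenge request ever reaches the web server, the way to tell whether validation actually happened on a given run is the same one the question used: look for requests to /.well-known/acme-challenge/ in the nginx access log. The script below is an added example, not code from this thread or from certbot; it summarises challenge requests per token (how many distinct client IPs fetched it, and which status codes they got) and counts hits from Let's Encrypt's validators by their User-Agent, so you can distinguish real validation traffic from your own browser test. The log lines are constructed sample data in nginx's default "combined" format, and the validator User-Agent string is the one Let's Encrypt's validation servers send.

```shell
#!/bin/sh
# Added example: confirm from an nginx access log whether ACME HTTP-01
# validation traffic actually arrived after a certbot run. Sample data below
# is constructed, not a real log.

# Constructed sample log in nginx "combined" format. Three validator hits
# for tokenA (multi-perspective validation comes from several IPs), then a
# manual browser check of a non-existent tokenB and an unrelated request.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [12/Jan/2024:10:00:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [12/Jan/2024:10:00:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.55 - - [12/Jan/2024:10:00:02 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.1 - - [12/Jan/2024:10:30:00 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
192.0.2.1 - - [12/Jan/2024:10:31:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
EOF

# Print one line per challenge token: "<token> <distinct client IPs> <status codes>".
# In the combined format $1 is the client IP, $7 the request path, $9 the status.
acme_challenge_summary() {
    awk '
        $7 ~ /^\/\.well-known\/acme-challenge\// {
            n = split($7, p, "/"); token = p[n]
            if (!((token, $1) in ipseen)) { ipseen[token, $1] = 1; ips[token]++ }
            if (!((token, $9) in stseen)) {
                stseen[token, $9] = 1
                st[token] = st[token] (st[token] == "" ? "" : ",") $9
            }
        }
        END { for (t in ips) printf "%s %d %s\n", t, ips[t], st[t] }
    ' "$1" | sort
}

# Count challenge requests that came from Let's Encrypt validators (by User-Agent),
# ignoring your own browser checks. Prints 0 (and succeeds) when there are none,
# which after a renewal means a cached authorization was reused or the firewall
# dropped the traffic before nginx saw it.
count_validator_hits() {
    grep "/.well-known/acme-challenge/" "$1" | grep -c "Let's Encrypt validation server" || :
}

# Exit 0 if validators reached the server at least once, 1 otherwise.
validation_reached_server() {
    [ "$(count_validator_hits "$1")" -gt 0 ]
}

echo "Per-token summary:"
acme_challenge_summary "$SAMPLE_LOG"
echo "Validator hits: $(count_validator_hits "$SAMPLE_LOG")"
if validation_reached_server "$SAMPLE_LOG"; then
    echo "validation traffic reached nginx"
else
    echo "no validation traffic in log"
fi
```

Against a real log, run something like `certbot renew --dry-run` (which forces fresh authorizations) and then point the functions at /var/log/nginx/access.log for the renewal window; a summary row with several distinct IPs and status 200 is a validation that reached nginx, while a 403 or a missing row means the firewall or the webroot configuration is what you need to look at, not the ACME server.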

Thanks. I did use the staging environment for Certbot testing. I also unit-tested my firewall hook routines. I did the above explicitly to test what happens to the live system if the challenge fails. Test systems do not always behave the same, as you duly note. I wanted to see what kind of notifications would occur for such a case, or whether I needed to develop some (among a few other things).

4 Likes

Great! I'm sorry if I was a little bit harsh on you; the command you showed didn't include any mention of the staging environment.

Also, please note that using --dry-run leads to different certbot behaviour compared to using --staging or the staging API URI as the --server value. This is due to the specific behaviour of --dry-run of always using "fresh" authorizations instead of cached ones, whereas this behaviour isn't applied for --staging or for using the staging URI through other means.

4 Likes
