How should I do automatic certificate renewal in this setup?

Hi,

On Oracle Cloud I have a load balancer listening on port 443 which routes requests to a backend set on port X, which in turn routes requests to a dockerized nginx on port 443. For me to make Let's Encrypt work I have to change the load balancer listener port from 443 to 80, change my backend port X to Y (the one that routes requests to the dockerized nginx's port 80), and also edit the nginx config to comment out LISTEN 443 and the ssl_certificate-related information. (Then I have to change all of this back for the app to work again.)

I have to do this manually. Do you have any suggestions on how I could automate the certificate renewal? What things should I change?

I've renewed certs like this a couple of times manually but it is tedious. I could write a script that does all this for me, but I'm hoping I can get a better solution here.

Thanks!

Why do you need to change anything to begin with? Usually, both port 443 and port 80 are open. You'd also need that for HTTP to HTTPS requests, for example.

Agree with Osiris, but you could also use the DNS challenge and avoid worrying about the HTTP flow.


I'm using certbot which, as far as I know, only works on port 80; it used to work on 443 but not anymore. But my information may not be correct. The problem is (I think) that certbot communication would happen on 80 and then be converted to 443 HTTPS because of the load balancer, which in turn would give an error for certbot. But I may be completely wrong. (When I first tried setting it up, this is what stayed in my mind: "certbot does not work on 443 and I route everything on 443".)

MikeMcQ: thanks for the suggestion, I'll look into that as well.


That's not Certbot, that's the ACME validation server from Let's Encrypt, a completely distinct thing from Certbot (which is the ACME client). Please review how ACME works.

Certbot can perform the http-01 and dns-01 challenges, depending on which authenticator is chosen. The http-01 challenge always starts with, well, HTTP (on port 80), but allows redirects from HTTP to HTTPS (see also Challenge Types - Let's Encrypt).

In any case, I stand by my previous point: you should not have to open port 80 or change it, because both port 80 and port 443 are usually open to begin with. See also: Best Practice - Keep Port 80 Open - Let's Encrypt.

Depending on how your setup is exactly and how you're using Certbot, it should be just fine to have an HTTP to HTTPS redirect without any change whatsoever.

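The setup the reply above describes (port 80 stays open, http-01 tokens are answered over plain HTTP, everything else redirects to HTTPS), written out as an nginx configuration. This is an added example, not from the original thread or from Let's Encrypt; it assumes the OCI load balancer forwards listener 80 to the container's port 80 and listener 443 to the container's port 443, that the domain is example.com, that certbot writes challenge files to /var/www/certbot, and that the application upstream is called app:8080. All of those names are assumptions.

```nginx
# Added example (not the original poster's config). Assumed paths and names:
# domain example.com, webroot /var/www/certbot, upstream app:8080.

server {
    listen 80;
    server_name example.com;

    # Serve http-01 challenge tokens over plain HTTP. This location is matched
    # before the redirect below, so port 80 never has to be reconfigured at
    # renewal time. certbot --webroot -w /var/www/certbot writes the token to
    # /var/www/certbot/.well-known/acme-challenge/<token>.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
    }

    # Everything else goes to HTTPS. The Let's Encrypt validator would follow
    # this redirect, but the challenge location above answers first.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # Paths certbot uses by default for a certificate named example.com.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Also answer challenges here, so the token is still served if a client
    # reaches the HTTPS side first (http-01 allows HTTP to HTTPS redirects).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
    }

    location / {
        proxy_pass http://app:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this in place the container needs /var/www/certbot and /etc/letsencrypt mounted from the host (or a shared volume), the initial issuance is `certbot certonly --webroot -w /var/www/certbot -d example.com`, and renewal is the normal `certbot renew` on a timer with a deploy hook such as `--deploy-hook "docker exec <nginx-container> nginx -s reload"` so nginx picks up the new key pair without editing the load balancer or the config again. Before relying on it, confirm from outside the load balancer that `http://example.com/.well-known/acme-challenge/test` returns the file you placed there and is not redirected, while `http://example.com/` does redirect to HTTPS.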

I understand, thank you for the clarification and help!
