Is a new certificate required when/if my IP address changes?

My domain is: mymachine.twilightparadox.com
My web server is (include version): None
The operating system my system runs on is (include version): Debian 10.2
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine: Yes
I’m using a control panel to manage my site: no
The version of my client is: certbot 0.31.0
Is a new certificate required when/if my IP address changes?

No, you can keep using the same certificate.

You can check to see if renewal will keep working with certbot renew --dry-run.

Thank you. I am contemplating removing certbot from cron so I can continue blocking port 80 and running certbot manually, when I need to. Since the certificates last 90 days. Suggestions?

My suggestion would be to look over https://letsencrypt.org/docs/allow-port-80/.

Blocking port 80 has numerous downsides and no upsides.

If you just don’t want your server to listen on port 80 most of the time (which is not what we recommend), you can use certbot --standalone instead of another authentication method. This will listen on port 80 for a few seconds during the renewal process, and not otherwise.

You can also use certbot’s --standalone flag with a --pre-hook and a --post-hook to alter how your system handles traffic. On one installation, I run certbot on a higher port (via --http-01-port) and use these hooks to reconfigure the web server to enable/disable port-80 traffic in the .well-known directory being proxy-passed to certbot.

This sounds exactly like what I need! If I read your post correctly, this only affects the server itself? That way I could leave the router alone and anything that might come through it would just get dumped in the bit bucket, correct?

Yes, the server will reject other incoming connections to port 80 at other times.

I’m very interested in both your suggestions. I like the idea of using a higher number port and forwarding it to 80 (I think that’s what you mean) each time for a few seconds. I also read the tech note about using tls. I already have tls set up and working on this server. That is why I needed the certificates in the first place. Which way is simplest? Can you steer me on how to set it up to use a higher numbered port? Do I just modify the certbot script in cron.d? TIA

Yes. Whatever invokes certbot on your system - in this case, cron - just update the certbot command to have something like --http-01-port 8080 to run certbot on 8080. If you want, you can also invoke a custom script with --pre-hook and --post-hook to start/stop your port 80 server from sending traffic to port 8080.

If you do that, don’t forget that you also need to make the publicly visible port 80 forward to port 8080 (via whatever kind of router or firewall is responsible for this). Let’s Encrypt will not itself perform the check on port 8080.

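Putting the two replies above together, here is an added example (not code from the thread or from certbot itself) of what the cron-driven renewal could look like: certbot's standalone authenticator on a high port, with a --pre-hook that opens that port on the host firewall just before the challenge and a --post-hook that closes it again. The port number 8080, the hook directory, and the use of iptables for the host firewall are all assumptions chosen for illustration; the rule on the router forwarding public port 80 to 8080 is still required and is not handled here, because Let's Encrypt only ever connects to port 80.

```shell
#!/bin/sh
# Added example: wire up certbot --standalone on a high port with pre/post hooks.
# Assumptions for illustration: certbot listens on 8080, the router forwards public
# port 80 -> 8080, and the host firewall is managed with iptables.

set -u

CERTBOT_PORT="${CERTBOT_PORT:-8080}"
HOOK_DIR="${HOOK_DIR:-/etc/letsencrypt/renewal-hooks/custom}"   # assumed location

# Write the two hook scripts. The pre-hook opens the alternate port on the host
# firewall right before a renewal attempt; the post-hook removes the rule again,
# so the port is reachable only for the few seconds the challenge takes.
install_hooks() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/open-acme-port.sh" <<EOF
#!/bin/sh
# pre-hook: accept inbound TCP to the certbot standalone port
iptables -I INPUT -p tcp --dport ${CERTBOT_PORT} -j ACCEPT
EOF
    cat > "$dir/close-acme-port.sh" <<EOF
#!/bin/sh
# post-hook: remove the rule inserted by the pre-hook
iptables -D INPUT -p tcp --dport ${CERTBOT_PORT} -j ACCEPT
EOF
    chmod 0755 "$dir/open-acme-port.sh" "$dir/close-acme-port.sh"
}

# Assemble the renew command that cron should run. Hooks only fire when a
# certificate is actually due for renewal, so most scheduled runs touch nothing.
renew_cmd() {
    dir="$1"
    printf 'certbot renew --standalone --preferred-challenges http --http-01-port %s --pre-hook %s --post-hook %s\n' \
        "$CERTBOT_PORT" "$dir/open-acme-port.sh" "$dir/close-acme-port.sh"
}

# Cron line for /etc/cron.d: twice daily, matching certbot's own packaged schedule.
cron_line() {
    printf '0 */12 * * * root %s\n' "$(renew_cmd "$1")"
}

# Sanity check on the chosen port: it must be a valid non-privileged port, and
# 80 itself would defeat the purpose of the whole arrangement.
port_is_high() {
    [ "$1" -gt 1024 ] && [ "$1" -lt 65536 ]
}

if [ "${1:-}" = "install" ]; then
    port_is_high "$CERTBOT_PORT" || { echo "bad port: $CERTBOT_PORT" >&2; exit 1; }
    install_hooks "$HOOK_DIR"
    echo "Test first with:  $(renew_cmd "$HOOK_DIR") --dry-run"
fi
```

Run it once with the argument install to write the hooks, then paste the printed command (with --dry-run appended) into a root shell to confirm the whole chain works before putting the cron_line output into /etc/cron.d.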
Thank you both for your help. Astounding support for this software. Ticket may be closed. I have implemented version(s) of your suggestions as well as a couple of other things to tighten security on my server & system as much as possible and everything seems to be functioning together nicely.