Sorry for the duplicate. I can’t find a way to delete or edit the old one.
I’m really hoping that you can let me know if port 80 is required to be open for inbound, outbound or in and outbound traffic to renew a certificate.
I registered a certificate with the following command:
certbot certonly --standalone --agree-tos --email me@mydomain -d mycomain
I opened port 80 to inbound traffic to register the cert which worked without a problem. But I need to know if prot 80 is required for renewals.
I have searched through the documentation, read https://letsencrypt.org/docs/allow-port-80/ and https://letsencrypt.org/docs/allow-port-80/ but neither of these pages mention that port 80 is a requirement.
I am not using the cert for a webserver so there is no traffic on ports 80 during normal operation of the server.
All the testing I have done indicates that when I run:
certbot renew --dry-run
certbot renew --force-renewal
The renewal is taking place on outbound port 443. I opened a second terminal and ran:
tcpdump port 80 or port 443
And the only traffic that certbot generated was the following on port 443:
14:50:36.278229 IP myserver.33118 > 220.127.116.11.https: Flags [P.], seq 518:644, ack 3080, win 501, length 126
14:50:36.279444 IP 18.104.22.168.https > myserver.33118: Flags [.], ack 644, win 66, length 0
Furthermore, the only way I could get the renewal to fail was to block port outbound traffic on port 443. The renewal happened successfully when outbound port 80 was blocked.
Any help you with this would be greatly appreciated.