Let me describe my situation:
I have an internal site for my team, which is hosted on Azure Cloud using an Azure subdomain (*.cloudapp.azure.com). So I think that I cannot use the DNS-01 challenge.
It is running Ubuntu 16.04 with nginx.
It doesn’t open any ports to the internet, but I can open one for a while to finish the domain challenge with tls-sni-01 (using nginx).
-> I found out that I can force-renew the certificate successfully without opening port 443 (I force-renewed for testing purposes the day after issuing the certificate). But I think it succeeded because the domain authorization is cached, as described in the FAQ.
So my question is: is it necessary to open port 443 when running this renew command:
certbot renew. I think it won’t work because it needs to challenge the domain again; please confirm this, because I could not find any documents that mention it.
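Whatever the answer about cached authorizations, a host that normally keeps 443 closed can limit the exposure window to the renewal attempt itself. The script below is an added example, not code from the poster, from certbot, or from Let's Encrypt. It uses certbot's own --pre-hook and --post-hook options (the pre-hook only runs when a certificate is actually due for renewal, and the post-hook runs after the attempt whether it succeeds or not), and it acts as its own hook so that it can remember whether the port was already open before it ran and leave it alone afterwards. It assumes the firewall is managed by ufw, that certbot is in PATH, and that the script is installed at the hypothetical path /usr/local/sbin/renew-with-hooks.sh; the state file path is also a constructed choice.

```shell
#!/bin/sh
# Added example (not from the original post, certbot, or Let's Encrypt):
# run "certbot renew" on a host that keeps port 443 closed, opening the port
# only while certbot is actually attempting a renewal. The script is its own
# pre/post hook ("pre" and "post" modes). Assumptions not stated in the post:
# the firewall is ufw, certbot is in PATH, the script lives at SCRIPT_PATH.
set -eu

CHALLENGE_PORT="${CHALLENGE_PORT:-443}"          # 443 for tls-sni-01 (as in the post), 80 for http-01
STATE_FILE="${STATE_FILE:-/run/certbot-port-was-open}"   # constructed: marks "rule existed before we ran"
SCRIPT_PATH="${SCRIPT_PATH:-/usr/local/sbin/renew-with-hooks.sh}"  # hypothetical install path

# Exit 0 when a "ufw status" listing read from stdin already has an ALLOW rule
# for the given TCP port, i.e. the port is open for another reason and must
# not be closed by the post-hook.
ufw_rule_present() {
    grep -E "^$1/tcp[[:space:]]+ALLOW" >/dev/null
}

# What the pre-hook should do given the current "ufw status" output on stdin:
# "keep" (already open, only remember that) or "open" (add a temporary rule).
pre_action() {
    if ufw_rule_present "$1"; then echo keep; else echo open; fi
}

# What the post-hook should do: "leave" if the port was open before the
# renewal ($2 is the state file written by the pre-hook), "close" otherwise.
post_action() {
    if [ -e "$2" ]; then echo leave; else echo close; fi
}

# Full certbot command line. $1 is "dry-run" (staging environment, no
# certificate replaced; hooks still run) or "live"; $2 is this script's path.
renew_command() {
    cmd="certbot renew --pre-hook '$2 pre' --post-hook '$2 post'"
    if [ "$1" = "dry-run" ]; then
        cmd="$cmd --dry-run"
    fi
    printf '%s\n' "$cmd"
}

# Dispatch. Nothing runs unless a mode is given, e.g.
#   sudo sh /usr/local/sbin/renew-with-hooks.sh dry-run   # verify the challenge path
#   sudo sh /usr/local/sbin/renew-with-hooks.sh live      # real renewal, cron-friendly
case "${1:-}" in
    pre)
        if [ "$(ufw status | pre_action "$CHALLENGE_PORT")" = keep ]; then
            touch "$STATE_FILE"
        else
            rm -f "$STATE_FILE"
            ufw allow "$CHALLENGE_PORT/tcp"
        fi
        ;;
    post)
        if [ "$(post_action "$CHALLENGE_PORT" "$STATE_FILE")" = close ]; then
            ufw delete allow "$CHALLENGE_PORT/tcp"
        fi
        rm -f "$STATE_FILE"
        ;;
    dry-run|live)
        eval "$(renew_command "$1" "$SCRIPT_PATH")"
        ;;
esac
```

Run the dry-run mode first: if the challenge cannot reach nginx on the chosen port, it fails there without touching the live certificate, which answers the "does renewal still need the port" question for the host in question empirically. The rule check only recognises plain port rules such as "443/tcp ALLOW"; a ufw application profile (for example "Nginx Full") is not matched, so on such a host the post-hook would remove only the rule this script added.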