Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My web server is (include version):
Apache/2.4.52 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 22.04.1 LTS
My hosting provider, if applicable, is:
ME
I can login to a root shell on my machine (yes or no, or I don't know):
YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.32.1
Further Info :
Port 80 is disabled - I won't run a web server with it enabled - regardless of the "port 80 doesn't matter"
DNS is hosted by myself on different servers using Bind.
I am struggling to renew a cert without having to go onto the server and use
ufw allow 80
certbot renew
ufw delete ....
I can add a record to DNS - just not via API - why should I have to enable port 80 for the challenge response?
Well, you need to pick one of the challenge types that Let's Encrypt supports for validating that you own the name. All of them require having some system & port which is open to the world (at least while the challenge is happening), so that Let's Encrypt can validate that you actually own the name as seen by everyone in the world.
For many people, it's easiest to use the port 80 HTTP-01 method. If you don't, that's fine, but that means you need to use TLS-ALPN-01 (if you have DNS & 443 available to the world) or DNS-01 (if you only have DNS available to the world). TLS-ALPN-01 requires a client that's more sophisticated than certbot, and DNS-01 requires (ideally) scripting the changes to the DNS provider.
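Since the poster runs their own BIND servers, the "scripting the changes to the DNS provider" part of DNS-01 can be an RFC 2136 dynamic update signed with a TSIG key, driven from certbot's manual auth/cleanup hooks. The script below is an added example written for this thread; it is not code from the original post, from certbot or from BIND. The master name ns1.example.com, the key file path, the install path and the `le-acme` key name are all hypothetical; certbot really does export `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to `--manual-auth-hook` and `--manual-cleanup-hook` scripts, and `nsupdate` really does locate the zone via a SOA lookup when no `zone` line is given.

```shell
#!/bin/sh
# le-dns01-hook.sh: certbot manual auth/cleanup hook that publishes the DNS-01
# TXT record in a self-hosted BIND zone via RFC 2136 dynamic update (nsupdate + TSIG).
# Added example for this thread, not code from the original post, certbot or BIND.
# Assumptions (hypothetical names): the zone master is ns1.example.com, the TSIG key
# lives in /etc/letsencrypt/le-acme.key, and named.conf limits that key to
#   update-policy { grant le-acme name _acme-challenge.example.com. TXT; };
# so a leaked key can only ever touch the challenge record, nothing else in the zone.
# Install (one-time; certbot saves the hooks for "certbot renew"):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/sbin/le-dns01-hook.sh add" \
#     --manual-cleanup-hook "/usr/local/sbin/le-dns01-hook.sh del" -d example.com
set -eu

DNS_MASTER="${DNS_MASTER:-ns1.example.com}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/le-acme.key}"
NSUPDATE="${NSUPDATE:-nsupdate}"
TTL=60   # short TTL: the record is only needed for the few seconds of validation

# Accept only an ACME key-authorization digest (base64url alphabet), so a value
# that is not what certbot hands us can never turn into extra nsupdate commands.
valid_token() {
    case "$1" in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the nsupdate batch for $1 = add|del, $2 = domain, $3 = validation token.
# Deleting by full RDATA (not just the name) leaves a sibling TXT record alone
# when two validations for the same name overlap.
nsupdate_batch() {
    action="$1"; domain="$2"; token="$3"
    valid_token "$token" || { echo "refusing malformed validation token" >&2; return 1; }
    name="_acme-challenge.${domain}."
    printf 'server %s\n' "$DNS_MASTER"
    case "$action" in
        add) printf 'update add %s %d IN TXT "%s"\n' "$name" "$TTL" "$token" ;;
        del) printf 'update delete %s IN TXT "%s"\n' "$name" "$token" ;;
        *)   echo "usage: $0 add|del" >&2; return 2 ;;
    esac
    printf 'send\n'
}

# Entry point used by certbot, which passes name and token in the environment.
run_hook() {
    batch="$(nsupdate_batch "$1" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")" || return 1
    printf '%s\n' "$batch" | "$NSUPDATE" -k "$TSIG_KEYFILE"
}

# Run without an argument (e.g. when sourced) the script only defines functions.
if [ $# -gt 0 ]; then run_hook "$1"; fi
```

Two things to watch when using this: Let's Encrypt may query any of the zone's public nameservers, so if the secondaries are slow to pick up the NOTIFY, the auth hook should not return until `dig TXT _acme-challenge.example.com @secondary` shows the token on each of them; and the TSIG key file must be readable only by root, since whoever holds it can publish challenge records for the name. If the `certbot-dns-rfc2136` plugin is available for your certbot install, it performs the same signed update (server, key name, secret and algorithm go in a credentials file) without a hand-written hook.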
Well, you can use the pre-hook and post-hook functionality in certbot to script these commands, so that the ports are only open when the renewal is running, if that's all you're looking for.
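The pre-hook/post-hook route described above, as an added example for this thread (not code from the original post or from certbot): a single script handles both hooks, so the rule the post-hook deletes is exactly the rule the pre-hook added, and it refuses to remove a port-80 rule it did not open itself. It assumes ufw as the firewall, a hypothetical install path of /usr/local/sbin/le-port80-hook.sh, and a marker file under /run.

```shell
#!/bin/sh
# le-port80-hook.sh: open TCP/80 in ufw only while a certbot HTTP-01 renewal runs.
# Added example for this thread, not code from the original post or from certbot.
# Assumptions: ufw is the firewall; the script is installed (hypothetical path) as
#   certbot renew --pre-hook  "/usr/local/sbin/le-port80-hook.sh open" \
#                 --post-hook "/usr/local/sbin/le-port80-hook.sh close"
# or as pre_hook/post_hook lines in /etc/letsencrypt/renewal/<domain>.conf.
set -eu

PORT_RULE="80/tcp"                           # TCP only: a bare "ufw allow 80" also opens UDP/80
UFW="${UFW:-ufw}"                            # overridable so the logic can be tested unprivileged
MARKER="${LE_MARKER:-/run/le-port80-opened}" # records that *this script* opened the port

# True if an active ufw ALLOW rule for $PORT_RULE exists.
rule_present() {
    "$UFW" status | grep -Eq "^${PORT_RULE}[[:space:]]+ALLOW"
}

open_port_80() {
    if rule_present; then
        echo "pre-hook: ${PORT_RULE} already allowed, not touching it"
        return 0
    fi
    "$UFW" allow "$PORT_RULE" comment "certbot HTTP-01 (temporary)"
    # Fail the renewal loudly if the rule did not take effect.
    rule_present || { echo "pre-hook: failed to open ${PORT_RULE}" >&2; return 1; }
    : > "$MARKER"
}

close_port_80() {
    if [ ! -e "$MARKER" ]; then
        echo "post-hook: ${PORT_RULE} was not opened by the pre-hook, leaving it alone"
        return 0
    fi
    rm -f "$MARKER"
    "$UFW" delete allow "$PORT_RULE"
    # Never exit quietly with the port still exposed.
    if rule_present; then
        echo "post-hook: ${PORT_RULE} is still open!" >&2
        return 1
    fi
}

case "${1:-}" in
    open)  open_port_80 ;;
    close) close_port_80 ;;
    "")    ;;   # no action: only define the functions (sourcing / self-test)
    *)     echo "usage: $0 open|close" >&2; exit 2 ;;
esac
```

certbot runs the post-hook once after the renewal attempts, so the rule comes down even when a renewal fails; and because the script only deletes a rule it recorded opening, re-running it with `close` by hand after an interrupted run is safe. Check the result with `ufw status` after the timer fires: nothing for 80/tcp should remain.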