I’m trying to test how we are deploying and renewing LE certs and I’m getting a bit thrown by the behaviour of the setup at a certain point.
During the initial request, we’re using standalone mode, as our deployment setup won’t be expecting a web server to be installed and/or configured.
For renewal, we will have installed and configured Apache to use the LE certs, so we’re using the webroot plugin.
What is throwing me, though, is that neither the Apache logs nor tcpdump is showing any traffic on port 80 during a renewal of the cert. For testing purposes, I’m using the staging instance and forcing renewal. Here is the command and the output generated:
/opt/certbot-auto --staging renew --post-hook "service apache2 reload" --webroot -w /tmp/acme-challenge --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.domain.com.conf
-------------------------------------------------------------------------------
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /tmp/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.domain.com/fullchain.pem
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.domain.com/fullchain.pem (success)
Running post-hook command: service apache2 reload
I’ve even blocked incoming port 443 and port 80 traffic and the renewal still succeeds.
What am I misunderstanding here?
Thanks.
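Added example (editor's code, not part of the post above and not certbot's own code): two checks a practitioner would run on the renewing host before chasing packets. First, read which authenticator the per-certificate renewal conf records, since `certbot renew` takes its settings from that file rather than from the command line. Second, drop a token under `<webroot>/.well-known/acme-challenge/` and fetch it over plain HTTP the way the CA's http-01 validation does, to prove the webroot path is actually served. The domain, paths, renewal-conf text and account JWK are constructed samples; the self-check only uses loopback, so it runs offline and says nothing about whether the CA reaches this host for the real name.

```python
"""http-01 self-check for a webroot renewal (added example, not certbot code).

parse_renewal_conf(): which authenticator the renewal conf records.
self_check():         place a token in the webroot and fetch it as the CA would.
All sample data below (conf text, JWK, domain, paths) is constructed.
"""
import base64
import hashlib
import json
import os
import socketserver
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed renewal conf in certbot's configobj layout (not from the post).
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/www.domain.com
cert = /etc/letsencrypt/live/www.domain.com/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
"""

# Constructed RSA account JWK; the modulus is a placeholder, not a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LXJlYWw"}


def parse_renewal_conf(text):
    """Return key/value pairs from the top-level [renewalparams] section only;
    nested [[webroot_map]]-style subsections and keys outside it are skipped."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):               # nested subsection
            section = (section or "") + ".sub"
        elif line.startswith("["):              # top-level section
            section = line.strip("[]")
        elif section == "renewalparams" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token, jwk):
    """Body the CA expects at the challenge URL: <token>.<account thumbprint>."""
    return token + "." + jwk_thumbprint(jwk)


def challenge_url(host, token):
    """The CA fetches this over plain HTTP (port 80) on whatever the name resolves to."""
    return "http://" + host + CHALLENGE_PREFIX + token


def place_token(webroot, token, keyauth):
    """Write the key authorization where the webroot plugin would put it."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *_args):           # keep the example's output clean
        pass


def self_check(webroot, token, jwk):
    """Serve `webroot` on a loopback port and fetch the token as the CA would.
    Returns True only if the served body equals the key authorization."""
    keyauth = key_authorization(token, jwk)
    place_token(webroot, token, keyauth)
    server = socketserver.TCPServer(("127.0.0.1", 0),
                                    partial(_QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = challenge_url("127.0.0.1:%d" % server.server_address[1], token)
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode("ascii")
    finally:
        server.shutdown()
        server.server_close()
    return body == keyauth


def self_check_in_tempdir(token, jwk):
    """Run self_check() against a throwaway webroot; returns its verdict."""
    with tempfile.TemporaryDirectory() as webroot:
        return self_check(webroot, token, jwk)


if __name__ == "__main__":
    print("renewal conf authenticator:",
          parse_renewal_conf(SAMPLE_RENEWAL_CONF).get("authenticator"))
    print("webroot served correctly:",
          self_check_in_tempdir("constructed-token", SAMPLE_JWK))
```

To run it against a real host, point `self_check` at the directory Apache serves for the name (the post uses `/tmp/acme-challenge`) and fetch `challenge_url("www.domain.com", token)` from outside instead of from loopback; a 200 with the key authorization there, not on 127.0.0.1, is what the CA actually needs.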