I noticed certbot requires that port 80 be open for renewal and you cannot specify another port like 8000.
So, on my service, port 80 is reserved - fortunately for a bunch of services I don’t use, but my device REALLY doesn’t like me overriding port 80 for pass-through. I cannot override port 22 (SSH) at all.
It would be nice if for RENEWAL it could use the HTTPS port (443) - using the old certificate - and for new sign-up, we could specify an arbitrary port. Heck, even for sign-up, it should be able to use port 443 with an expired certificate or even a temporary self-signed one. I assume you guys are using wget to retrieve the temporary file that proves we have access to the website.
I’m using Apache and KDE Neon (basically Ubuntu) if it matters.