Renewal - do I need ports 80 and/or 443 to open?

My domain is: vps300.arconsult.hu
I ran this command: certbot renew --dry-run
My web server is (include version): Apache 2.4.25
The operating system my web server runs on is (include version): Debian 9.13

I am running my https site on port 9005, not 443.
Neither port 80 nor port 443 is open.
The dry run completes fine without error.

Newbie Question: do I need to open port 443 and/or 80 for renewal?
Thanks for the reply
Peter

Hi @petardo

That's only possible if you use dns validation.

See

If you want to use http validation, port 80 is required. If you have a redirect http -> https and if you use webroot, port 443 too. So there is no general answer possible.

Thanks for reply.
According to the link you have given I was looking for the '.well-known' folder.
First I was searching on the server where the DNS A record of 'vps300.arconsult.hu' is pointing to, and I did not find it.
Secondly I was searching for it on the main webserver where the A record of arconsult.hu is pointing to, and I found it there.
This means to me that for renewal not the 'vps300.arconsult.hu' but the 'arconsult.hu' is contacted (despite the fact that the certificate contains the name 'vps300.arconsult.hu' and not 'arconsult.hu').
So the port 80 should be open on the arconsult.hu and not the vps300.arconsult.hu. Am I right?


Your conclusion is wrong, but I don't know the reason.

If you want to create a certificate with vps300.arconsult.hu, always

http://vps300.arconsult.hu/.well-known/acme-challenge/random-filename

is checked, nothing else. That url doesn't answer.

But

  • you may have used dns validation
  • you may have used --standalone
  • you may have started your webserver
  • you may have a redirect subdomain -> main domain
  • you may not have a vHost with that domain name, so the main domain vHost / default vHost is used

A lot of reasons why you think the main domain is checked.

Well, I was simply following Let's Encrypt SSL on Debian 9 running Apache web server - Snel.com:

  • apt-get install certbot
  • certbot --apache
    And it worked.
    And I found a /public_html/.well-known/acme-challenge/ empty directory on the main domain's webpage with today's date - that's why I thought so.
    But to tell the truth I don't remember the questions and answers I have given while doing 'certbot --apache'; maybe there I could select the validation type, I don't remember. Maybe I should repeat the whole process and it will turn out.

My vhost config:

<IfModule mod_ssl.c>
	<VirtualHost *:9005>
		ServerName vps300.arconsult.hu
		ServerAlias *
		DocumentRoot "/var/www/html/webadmin"
...
		SSLCertificateFile /etc/letsencrypt/live/vps300.arconsult.hu/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/vps300.arconsult.hu/privkey.pem
		Include /etc/letsencrypt/options-ssl-apache.conf
	</VirtualHost>
</IfModule>

I have redone the whole installation.
Nowhere was I asked which kind of validation to do.
No http://vps300.arconsult.hu/.well-known/acme-challenge/random-filename file!
The site works!
Here is the certbot --apache command output:
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/vps300.arconsult.hu.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://vps300.arconsult.hu

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=vps300.arconsult.hu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/vps300.arconsult.hu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/vps300.arconsult.hu/privkey.pem
   Your cert will expire on 2021-05-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now your port 443 answers.

But you didn't renew the certificate, you have only installed the existing certificate.

And your port 80 is blocked via a firewall -> so renew will not work.

-->> Create a working port 80 vHost with that domain name.

--apache requires an open port 80.

Ok. But may it be redirected to https?
And still no http://vps300.arconsult.hu/.well-known/acme-challenge/random-filename
So what will letsencrypt be looking for? I don't understand.

ps.- When port 80 is closed but needed, why does the dry run run successfully without error? One would think that the dry run mirrors the real renewing situation.

It's possible to edit the config file directly, without creating a file.

I don't know. Add a working port 80 vHost and open the firewall.

I still don't understand how it works. I'll try to google further to understand it. Anyway, thanks for your efforts.

Note, possibly not related to this thread, but might be: depending on the version of certbot, it could be due to cached valid authorizations. I believe it's since a specific version that certbot invalidates cached authz in staging with --dry-run. In versions prior to that, --dry-run can perfectly work fine without a working situation. And as OP is running Debian....

Didn't use dns validation.
Certbot the latest.

That doesn't say much. If you're using Debian's repository, it can be quite ancient. Is there a particular reason why you've removed those last questions from the questionnaire?

"Performing the following challenges:
http-01 challenge for vps300.arconsult.hu
Waiting for verification...
Cleaning up challenges"...

Cleaning up: might it mean, it was written there - then deleted?

Yes.

And at renewal - it will be re-written, re-checked and re-deleted?

If there isn't a cached valid authorization present @ Let's Encrypt: yes.
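The write / fetch / delete sequence discussed above, replayed locally as an added example (not code from the thread or from certbot): it writes a challenge file under .well-known/acme-challenge/ in a throwaway webroot, fetches it over plain HTTP the way the Let's Encrypt validator would on port 80, and cleans the file up again. 127.0.0.1 with a random port stands in for the real domain and port 80, and the token and key authorization values are constructed.

```python
import http.server
import os
import tempfile
import threading
import urllib.request
from functools import partial


def simulate_http01(token: str, key_authz: str, write_file: bool = True) -> dict:
    """Replay certbot's http-01 steps against a throwaway local webroot.

    1. write <webroot>/.well-known/acme-challenge/<token> holding the key
       authorization (what certbot does before 'Waiting for verification')
    2. fetch that path over plain HTTP, as Let's Encrypt does on port 80
    3. delete the file again ('Cleaning up challenges')
    write_file=False models a file the validator cannot fetch (blocked port 80,
    wrong vHost): the fetch fails and the challenge is not verified.
    Stand-ins: 127.0.0.1 and a random port replace the real domain and port 80.
    """
    with tempfile.TemporaryDirectory() as webroot:
        chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(chal_dir)
        chal_file = os.path.join(chal_dir, token)
        if write_file:
            with open(chal_file, "w") as fh:
                fh.write(key_authz)

        # serve the webroot on a random localhost port (stand-in for port 80)
        handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            url = f"http://127.0.0.1:{srv.server_port}/.well-known/acme-challenge/{token}"
            with urllib.request.urlopen(url, timeout=5) as resp:
                verified = resp.status == 200 and resp.read().decode() == key_authz
        except OSError:
            verified = False  # 404 / refused connection: the validator would fail here
        finally:
            srv.shutdown()
            srv.server_close()
            if os.path.exists(chal_file):
                os.remove(chal_file)  # the 'Cleaning up challenges' step
        return {"verified": verified, "file_left_behind": os.path.exists(chal_file)}


if __name__ == "__main__":
    print(simulate_http01("constructed-token", "constructed-token.constructed-thumbprint"))
```

To check the real host instead, point the same fetch at http://vps300.arconsult.hu/.well-known/acme-challenge/<probe-file> after placing a probe file in the port-80 vHost's DocumentRoot; a refused connection there is the firewall the replies above describe.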

Then at last everything is clear :)
Thank you both
