Is there a simple way for me to get a warning (some configurable period of time) before certbot goes to renew my certs, so I can open port 80 to the world? I'm not afraid of bash scripts or cron etc.
I am really getting hammered by baddies out there trying to get into my site, and leaving port 80 open results in all sorts of attempts to run scripts on it. I would like to leave port 80 closed except when required to be open to support cert renewal. I have had letsencrypt certs on my sites for some time, and renewal works fine, but my logs are full of script kiddie attempts that I would like to block.
Aside: I do not understand why certbot cannot run on 443 if the existing cert is still good (i.e. prior to expiration). From my perspective as a peasant in the trenches trying to survive, it just seems like the port 80 thing is a huge risk.
Well, if you can script the firewall rule changes, then you can use certbot's --pre-hook & --post-hook to configure a script to open and close your ports automatically.
The standard recommendation is to keep port 80 open to everyone, and it generally shouldn't be any less secure than keeping 443 open to everyone.
If you really just want to use 443 for everything, you can change to using TLS-ALPN-01 instead, though you'd also need to change ACME clients as Certbot doesn't support it. Or, if you don't have 443 open to world (like it's for some internal server), or if you find it easier, you can switch to DNS-01 challenges instead. This involves either scripting changes to your DNS (Certbot has plugins already for many popular DNS hosters) or having your DNS delegated to something like acme-dns.
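A concrete version of the pre-hook/post-hook approach, added here as an example (it is not code from the post above or from Certbot). It assumes an iptables firewall whose INPUT chain drops port 80 by default; the chain name, the rule comment `acme-http-01` and the `ACME_DRY_RUN` switch are choices made for this example. The script inserts a single ACCEPT rule at the top of the chain before the renewal attempt and removes every copy of it afterwards, so a crashed earlier run cannot leave port 80 open or accumulate duplicate rules:

```shell
#!/bin/sh
# Constructed example: open TCP/80 only while Certbot runs an HTTP-01 renewal.
# Wire it up as  --pre-hook "/usr/local/sbin/acme-port80 open"
#             and --post-hook "/usr/local/sbin/acme-port80 close".
# Assumes iptables; set ACME_DRY_RUN=1 to print the commands instead of running them.
set -eu

# Chain and rule are assumptions for this example; adapt to your firewall layout.
CHAIN="${ACME_CHAIN:-INPUT}"
RULE="-p tcp --dport 80 -m comment --comment acme-http-01 -j ACCEPT"

# Run iptables, or echo the command line in dry-run mode.
run() {
    if [ "${ACME_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Pre-hook: insert the ACCEPT rule at position 1 so it wins over a later DROP,
# but skip the insert if the rule is already there (iptables -C checks that).
open_port80() {
    if [ "${ACME_DRY_RUN:-0}" != "1" ] && iptables -C "$CHAIN" $RULE 2>/dev/null; then
        return 0
    fi
    run -I "$CHAIN" 1 $RULE
}

# Post-hook: delete every copy of the rule; loop until -D fails so duplicates
# left behind by an interrupted run are cleaned up too.
close_port80() {
    if [ "${ACME_DRY_RUN:-0}" = "1" ]; then
        run -D "$CHAIN" $RULE
        return 0
    fi
    while iptables -D "$CHAIN" $RULE 2>/dev/null; do :; done
}

case "${1:-}" in
    open)  open_port80 ;;
    close) close_port80 ;;
    "")    ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 open|close" >&2; exit 2 ;;
esac
```

Certbot only runs `--pre-hook` when at least one certificate is actually due, and `--post-hook` after the attempt, so port 80 is open for seconds rather than days; the same two commands can go into `pre_hook = ...` / `post_hook = ...` under `[renewalparams]` in the renewal config, or as scripts in `/etc/letsencrypt/renewal-hooks/pre/` and `post/`. Whatever you do, keep the post-hook idempotent as above, since it runs even when the renewal itself failed.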
There is also mod_md for Apache which apparently can do it instead of certbot.
And lastly, with certbot it's important to keep in mind this issue ONLY affects auto-renewals into Apache and nginx. lighttpd apparently works with certbot, and manual renewals work with TLS-ALPN-01 (or are supposed to). I use manual renewals as I use certs on things that can't run certbot or don't have port 80 forwarded to them; I renew all of my certs for all my devices on a single host, then distribute the updated certs via rcp and ftp and so on, on the internal network.
Of course the other option is to quit using vi to look at your Apache logs and use an interface that filters out the junk. Or you can write your own script to monitor your Apache logs for errors.