certbot-auto renew --standalone --dry-run completes without any errors. All of the certificates have been renewed recently, so none to be renewed.
Does the above running without errors, even when renewals are not required, indicate that my server has the required verification setup correctly? I have both ports 443, 80 closed in the router to the server processor where the script is running. I do not have any special DNS TXT records related to Let's Encrypt that I know of.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for pqr.neroth.org
Waiting for verification…
Cleaning up challenges
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/pqr.neroth.org/fullchain.pem
My guess is that when there are valid certificates, which are not due for renewal, those certificates can be validated without using the ports 443 or 80. Only for renewal, the port is needed for site verification.
Any comments?
I had seen somewhere here a post in the recent past 6 months or so saying that 443 is no longer used and 80 is really needed. Can anybody verify this, please?
For the port, is TCP alone sufficient? Or UDP also needed?
What can happen is that if your Let's Encrypt account successfully completed a validation for a domain within the past 30 days, that success is cached during further attempts. So you can get just the appearance of success.
But as long as your Certbot is 0.28 or higher, the dry-run does not actively complain about TLS-SNI being used and you have port 80 open, you should be all set.
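As an added illustration (not part of the thread), one way to tell from certbot's log whether a run actually exercised port 80: certbot logs the ACME authorization objects it receives from the CA (RFC 8555 format), and if the object comes back already "valid" with a challenge whose "validated" timestamp predates the run, the authorization was reused and no http-01 request ever reached the server. The authorization objects, hostname and timestamps below are constructed samples, not taken from the poster's log.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the instant this certbot run started (UTC).
RUN_START = datetime(2019, 3, 2, 9, 0, tzinfo=timezone.utc)

# Constructed sample of an ACME authorization object (RFC 8555 section 7.1.4),
# the shape certbot logs when it polls the CA. Validated 12 days before the
# run, so the CA returns it as already "valid": no http-01 request reaches
# port 80, and the renewal "succeeds" whatever the router does.
CACHED_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "pqr.neroth.org"},
    "status": "valid",
    "expires": "2019-03-20T10:00:00Z",
    "challenges": [{"type": "http-01", "status": "valid",
                    "validated": "2019-02-18T10:00:00Z",
                    "token": "constructed-token"}],
})

# Constructed sample of the same object after a genuine validation this run.
FRESH_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "pqr.neroth.org"},
    "status": "valid",
    "expires": "2019-04-01T09:00:10Z",
    "challenges": [{"type": "http-01", "status": "valid",
                    "validated": "2019-03-02T09:00:10Z",
                    "token": "constructed-token"}],
})

def parse_acme_time(stamp):
    """Parse an RFC 3339 timestamp as the CA emits it ("...Z", optional
    fractional seconds of any length) into an aware UTC datetime."""
    stamp = stamp.replace("Z", "+00:00")
    if "." in stamp:  # trim or pad the fraction to the 6 digits fromisoformat accepts
        head, tail = stamp.split(".", 1)
        n = next((i for i, c in enumerate(tail) if not c.isdigit()), len(tail))
        stamp = f"{head}.{tail[:n][:6].ljust(6, '0')}{tail[n:]}"
    return datetime.fromisoformat(stamp)

def classify_authz(authz_json, run_start):
    """Return 'reused', 'fresh', or the raw status for anything else.

    'reused': the CA handed back an authorization validated before this run
    began, so this run never exercised port 80 and proves nothing about it.
    'fresh': a challenge was validated during this run (the real test)."""
    authz = json.loads(authz_json)
    if authz.get("status") != "valid":
        return authz.get("status", "unknown")
    validated = [parse_acme_time(c["validated"])
                 for c in authz.get("challenges", []) if c.get("validated")]
    if validated and max(validated) >= run_start:
        return "fresh"
    return "reused"
```

Only a "fresh" result tells you the inbound path on port 80 worked during that run; a "reused" result is exactly the appearance of success described above.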
az, I think that is what is happening for me now. I will have to wait 30+ days to check it.
Is there a way to force renew one subdomain only with certbot-auto? What is the command? BTW, I do not have certbot installed, only certbot-auto. Thank you.
_az, Thank you. Since my certificate is currently valid, the command you gave creates a duplicate? Does the new one replace my old one, and practically I would not see any side effects going forward, other than the new one will have an expiry of a few days later? My next auto renewal of all the subdomains would work just as before (if I had not made this dup). Thanks
Now the plot thickens. I ran it without the --dry-run. And it actually succeeded. I checked the status, and in fact that subdomain has a renewal as of now.
So what gives? What is the debug link to check if for some reason I have a dns record I had forgotten about?
Please note: --dry-run uses the staging servers which are forcing only HTTP renewals TODAY.
Without it you use regular production servers which are NOT yet forcing HTTP renewals.
Disclaimer: Mileage may vary. Does not cover all conditions and all situations (like: cached domain authentications). See LOGS for full details.
LOL
_az, I see 3 of that form in the log of the single subdomain renewal yesterday. But I do not know how to figure out how the verification was done.
There are posts to the above website with ports :443 and one default (no colon).
Are the ports 80, 443 used simply to post from my server processor to the outside, or for reaching my created standalone server from outside? If the former, there are no restrictions on outgoing ports. But incoming traffic on those ports is not open in the router…