When renew dry-run-- works, verification working?


certbot-auto renew --standalone --dry-run completes without any errors. All of the certificates have been renewed recently, so none to be renewed.

Does the above running without errors, even when renewals are not required, indicate that my server has the required verification setup correctly? I have both ports 443, 80 closed in the router to the server processor where the script is running. I do not have any special dns txt records related to letsencrypt I know of.

So how is the above verification working?


As you note yourself, these two statements are not compatible. --standalone requires one of 80 or 443 to be open, to have any chance of succeeding.

It might be caused by a cached authorization.

If you can share your domain name and also your certificate renewal parameters from /etc/letsencrypt/renewal/, we can advise further on it.


Thank you.

To check for caching, I rebooted the server processor. Here is one of the ok outputs

Processing /etc/letsencrypt/renewal/pqr.neroth.org.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for pqr.neroth.org
Waiting for verification…
Cleaning up challenges

new certificate deployed without reload, fullchain is

So, what am I doing wrong?


I believe the caching happens at LE (not in your system).

Does is end with “Congratulations” ?
Or does it contain “fail” anywhere ? ?


I ran it again 4-5 hours later, same success.

Yes, it ends with Congratulations…

Congratulations, all renewals succeeded. The following certs have been renewed:


I think you are good to go :slight_smile:


My guess is that when there are valid certificates, which are not due for renewal, those certificates can be validated without using the ports 443 or 80. Only for renewal, the port is needed for site verification.

Any comments?

  1. I had seen somewhere here a post in the recent past 6 months or so saying that 443 is no longer used and 80 is really needed. Can anybody verify this, please?

  2. For the port, is TCP alone sufficient? Or UDP also needed?

Thank you for the help!


What can happen is that if your Let’s Encrypt account successfully completed a validation for a domain within the past 30 days, that success is cached during further attempts. So you can get just the appearance of success.

But as long as your Certbot is 0.28 or higher, the dry-run does not actively complain about TLS-SNI being used and you have port 80 open, you should be all set.

Yes, it’s true: How to stop using TLS-SNI-01 with Certbot

Just tcp/80 is needed.


az, I think that is what is happening for me now. I will have to wait 30+ days to check it.

Is there a way to force renew one subdomain only with certbot-auto? What is the command? BTW, I do not have certbot installed, only certbot-auto. Thank you.


Well, you could do something like:

certbot-auto renew --cert-name pqr.neroth.org --force-renewal

but be very careful, as if you create too many duplicate certificates, you may get locked out from doing it again for 7 days.


_az, Thank you. Since my certificate is currently valid, the command you gave creates a duplicate? Does the new one replace my old one, and practically I would not see any side effects going forward, other than the new one will have an expiry of a few days later? My next auto renewal of all the subdomains would work just as before (if I had not made this dup}. Thanks


Yes, that’s correct.


Hmmm… I ran it with a dry-run-- . To my surprise, it went thru, Congratulations and all. But I do not have port 80 open, at least so I think.

Could you check if my port 80 is open on that subdomain? Thanks.


It’s not open, no - https://letsdebug.net/pqr.neroth.org/18104

The success is likely due to --dry-run using the cached authorization as described earlier.


That you for test link to check open port 80.

Now the plot thickens. I ran it without the -dru-run–. And it actually succeeded. I checked the status, and in fact that subdomain as a renewal as of now.

So what gives? What is the debug link to check if for some reason I have a dns record I had forgotten about?


Your latest /var/log/letsencrypt/letsencrypt.log should detail exactly what port was used, and what happened.

If you can extract a URL from that file that looks like this:

https://acme-v02.api.letsencrypt.org/acme/order/{some numbers}/{some numbers}

it will explain how the renewal was executed.


Please not:
--dry-run uses the staging servers which are forcing only HTTP renewals TODAY.
Without it you use regular production servers which are NOT yet forcing HTTP renewals.

Disclaimer: Mileage may vary. Does not cover all conditions and all situations (like: cached domain authentications). See LOGS for full details.


_az, I see 3 of that form in the log of the single subdomain renewal yesterday. But I do not know how to figure out how the verification was done.

There are posts to the above website with ports :443 and one default (no colon).
Are the ports 80, 443 used simply to post from my server processor to the outside or for reaching my created standalone server from outside. If the former, there are no restriction on outgoing ports. But incoming on those ports are not open in the router…

Please help me with more details.


I wanted you to post the URLs that you found, since they will contain the validation mechanisms used to authenticate your domains.

But your subdomain still does not have port 80 open, which you MUST open or you won’t be able to renew in future.


The command used was the one you provided:
certbot-auto renew --cert-name pqr.neroth.org --force-renewal

There are two of these url at two places.
Location: https://acme-v02.api.letsencrypt.org/acme/order/{number1}/{number2}

And another, this one with the same {numbers}
2019-01-21 17:02:20,674:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/order/{}/{}:

And 4th, this
2019-01-21 17:02:20,851:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/order/{}/{} HTTP/1 .1” 200 465

Remember this renewal actually completed yesterday, after the renewal about a few days ago. The certificate has a newer date than other subdomains.