Should renewing certs require http?

[Joeweav]

Is there a reason when you renew a cert curl uses http, port 80, and not https, port 443? It seems like it would be more secure to use https.

The reason I noticed this is for a while chrome was making a big deal out of http web pages, stating that they are insecure. After I got the cert and https working, I wanted to end normal http access. I looked through the docs for the web server a couple of times and I could not find a definitive solution that worked. In the end I would up blocking it at the router. That worked fine, but when I went to renew the certs, I kept getting timeouts from curl. It took me a bit to remember the business with the router, and as soon as I let http back in again, the renew process ran perfectly.

So, probably not a big deal but shouldn't the renew process use https and not http?

[webprofusion-chrisc]

Yes if you use the http domain validation option (which is usually the default) you need to keep port 80 open for http. This is a requirement set by the Certificate Authority (e.g. zerossl, Let's Encrypt etc) and not by acme.sh.

The alternatives include tls-alpn-01 which is a specially crafted TLS response over port 443 (https) or the more common option which is DNS validation (updating a TXT record in your domains DNS records on each renewal).

[Joeweav]

Thank you for taking the time to answer that so nicely!