I normally have port 80 shut on my firewall. In spite of the notice in the Certificate Manager that specifies which hosts should be allowed for LetsEncrypt operations, the callbacks from LE come from various IP addresses, so there’s no way to selectively open the firewall to port 80 just for LE.
I want to add a pre-renewal hook that injects an iptables rule to open port 80 to the Internet for the 30 seconds or so that it takes to do the renewal, then delete the rule. Any suggestions on where to script that in?