Let's Encrypt and port 80, needed for auto renewal

Hi, I successfully created an SSL certificate with Let's Encrypt,

but for the automation and renewal, do you still need to have port 80 open?
Also, does it need to point to the Home Assistant IP? Or can you have 80 open to another web service on your own network?
I am doing multiple Let's Encrypts now on my home services, but for auto renewals to work then, I hope that I don't need to change the port forward rule for each IP/service :slight_smile:
Thanks

Can you link to the method you used to create the cert?

Yes, this one: https://www.home-assistant.io/addons/lets_encrypt/

Yes, but only at the point when you do the renewal. I have my port 80 forwarded, but block it in iptables. When I process the renewal, I open the port, run it, then close the port again.

You could do it on another machine on the network, but you'd then need to distribute the updated certs. If you want to run the renew process from the Pi using a remote web server, I suppose you could use Samba to map a remote share to the root of the website, and use the certbot webroot option.

OK, thanks for the feedback.

Do you do this manually, or have you automated the process of opening the port, renewing the certificate and closing the port?

I always have my port 80 open.

Automated. I just create a rule at the top allowing 80 in, run the renewal, and then delete it again.

Can you explain how you configured that rule to allow 80 in?

# Before: insert an ACCEPT rule at position 1 of the INPUT chain for new TCP connections to port 80
/sbin/iptables -I INPUT 1 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

# Run certbot-auto (the renewal)

# After: delete that rule again. The rule spec must match the inserted rule exactly
# (iptables loads "-m tcp" implicitly for "-p tcp --dport", so the two forms are the same rule)
/sbin/iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
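The open/renew/close sequence above as one cron-able script. This is an added example, not the poster's own script: it wraps the same two iptables rules in functions, checks with `iptables -C` before inserting so that a re-run never stacks duplicate ACCEPT rules, deletes every copy on close in case an earlier run was interrupted, and closes the port from an EXIT trap so that a failed or killed certbot still leaves port 80 blocked. The paths (`/sbin/iptables`, `certbot` in PATH), the `certbot renew --non-interactive` invocation and the script name `renew-port80.sh` are assumptions; both command paths can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): open TCP/80 in iptables only for the
# duration of a certbot renewal, then close it again, even if certbot fails.
# Assumed: iptables at /sbin/iptables and certbot in PATH (both overridable).

IPTABLES="${IPTABLES:-/sbin/iptables}"
CERTBOT="${CERTBOT:-certbot}"
CHAIN="INPUT"
# Same match as the poster's rule; "-m tcp" is written out explicitly so that
# -I, -C and -D all use an identical rule spec.
MATCH="-p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT"

# Insert the ACCEPT rule at the top of INPUT unless an identical rule already
# exists ("iptables -C" exits 0 when the rule is present), so repeated or
# interrupted runs never pile up duplicate holes.
open_port80() {
    # shellcheck disable=SC2086  # word-splitting $MATCH is intended
    if $IPTABLES -C "$CHAIN" $MATCH 2>/dev/null; then
        return 0
    fi
    $IPTABLES -I "$CHAIN" 1 $MATCH
}

# Delete every copy of the rule, not just one, so that leftovers from an
# earlier crashed run are cleaned up too.
close_port80() {
    # shellcheck disable=SC2086
    while $IPTABLES -C "$CHAIN" $MATCH 2>/dev/null; do
        $IPTABLES -D "$CHAIN" $MATCH || break
    done
}

# Open, renew, close. The EXIT/INT/TERM trap guarantees the close step runs
# whatever certbot does; the trap is cleared again afterwards.
renew_certs() {
    open_port80 || return 1
    trap close_port80 EXIT INT TERM
    $CERTBOT renew --non-interactive
    rc=$?
    close_port80
    trap - EXIT INT TERM
    return $rc
}

# Only run when invoked as the script itself (e.g. from cron); sourcing the
# file just defines the functions.
case "${0##*/}" in
    renew-port80.sh) renew_certs ;;
esac
```

Install it as `/usr/local/sbin/renew-port80.sh` and call it from root's crontab once or twice a day; certbot's `renew` subcommand only contacts Let's Encrypt when a certificate is actually due, so the port is open for seconds, a few times a year. The `-m state` match is kept to stay consistent with the poster's rule; on current kernels `-m conntrack --ctstate NEW` is the preferred spelling of the same test.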