I think the issue is that we need certbot to support doing the renewal on a different port, not 443, since that’s forwarded for HA. So for auto-renew to work we need to be able to get it to use a different port and then set up another forwarding rule on the router just to be used for the renewals. …