Port 443 open, 80 closed

I’m setting up nextcloudpi on my Raspberry Pi 3B for the first time, and I’m stuck at getting port 80 open. Here’s a couple screencaps of my status page and port forwarding.

In a sense, you really don’t need port 80 if you’re using HTTPS. The only time you’d want to is when you get a request at port 80 and a redirect to 443. However, I know that @nachoparker has automatic redirects to HTTPS connections on port 443 so having port 80 open isn’t really necessary if you’re already getting redirected to an HTTPS connection. You don’t want to risk any cleartext traffic.

But letsencrypt says both ports need to be open for it to work. How do I use letsencrypt without port 80 open?

You need both ports open for letsencrypt to work. In order to avoid this, you can use DNS challenge authentication with LE, but that has not (yet) been implemented in NCP.

Just for reference if it helps somebody, I moved to acme from certbot and it is possible to renew a certificate with port 80 blocked (you need only port 443, so please stop apache2 or nginx when renewing or issuing a certificate). Just use Standalone tls-alpn mode:

acme.sh --issue --alpn -d example.com
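
The stop/issue/restart sequence from the last post, as an added example that is not part of the thread: a wrapper that frees port 443 for the standalone TLS-ALPN listener and always brings the web server back, even when issuance fails. The function name `issue_alpn`, the service name `apache2` and the overridable `ACME_BIN`, `SVC_CTL` and `WEB_SERVICE` variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a systemd host where the
# web server unit is "apache2" and acme.sh is on PATH.

ACME_BIN="${ACME_BIN:-acme.sh}"        # command used to issue the certificate
SVC_CTL="${SVC_CTL:-systemctl}"        # service manager
WEB_SERVICE="${WEB_SERVICE:-apache2}"  # whatever currently listens on 443

# issue_alpn <domain>
# Returns 0 on success, 2 on bad usage, 3 if the web server could not be
# stopped, 4 if it could not be restarted, else acme.sh's own exit code.
issue_alpn() {
    domain="$1"
    if [ -z "$domain" ]; then
        echo "usage: issue_alpn <domain>" >&2
        return 2
    fi

    # The standalone TLS-ALPN listener must bind port 443 itself, so the
    # web server has to release it first. Abort if it will not stop.
    "$SVC_CTL" stop "$WEB_SERVICE" || return 3

    # Same command as in the post; capture the result instead of exiting,
    # so that a failed challenge does not leave the site down.
    rc=0
    "$ACME_BIN" --issue --alpn -d "$domain" || rc=$?

    # Restart unconditionally. A failed restart is reported separately
    # because it is an outage, not just a missed renewal.
    if ! "$SVC_CTL" start "$WEB_SERVICE"; then
        echo "ERROR: $WEB_SERVICE did not restart" >&2
        return 4
    fi
    return "$rc"
}

# Run only when asked to, e.g.:  sh issue-alpn.sh --run example.com
case "${1:-}" in
    --run) issue_alpn "${2:-}" ;;
esac
```

Run it as root, since binding port 443 and stopping the service both require it.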