NethServer will handle the renewal automatically without requiring user intervention.
The renewal can also be triggered manually from the command line (I think it’s):
signal-event certificate-update
About open ports, the fewer the better, but for some services to be accessible from the WAN, some ports have to be open.
@hucky, can you comment on how you handle it? I think it could be helpful.