Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: sudo certbot certonly --standalone --debug-challenges -v --dry-run
It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): mx2.koalatyworks.com
Simulating a certificate request for mx2.koalatyworks.com
Performing the following challenges:
http-01 challenge for mx2.koalatyworks.com
Challenges loaded. Press continue to submit to CA.
The following URLs should be accessible from the internet and return the value
mentioned:
You have an nginx server that responds to HTTP requests. Did you stop it before trying to use --standalone? Because standalone requires exclusive use of port 80.
Also, since you have nginx you could just use the --nginx plug-in or --webroot to satisfy the challenge.
Can you explain more what you are trying to do and why you chose --standalone? We can give better advice then.
I'm trying to set up a backup MX server. Nginx is running on my main server, not mx2. Should I stop nginx on the main before running certbot on the backup? Or maybe use the nginx plugin, even though nginx isn't on the backup server?
Your DNS for mx2 has an A record pointing to the same IP as your main nginx server. The Let's Encrypt server uses that IP to make an HTTP request and your nginx responds.
Yes, you can just set up a simple server block in nginx to handle that ACME challenge for mx2. Then copy the cert for your mail server.
You could use the --deploy-hook to copy it. See Certbot docs
Or stop nginx before using standalone but usually people want to avoid that.
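The --deploy-hook route mentioned in the reply above, written out as an added example; this is not code from the thread or from Certbot itself. It assumes the cert for mx2 is issued on the main nginx host (with --webroot, so nginx keeps port 80), and that the files are then pushed to the backup MX over SSH. Certbot really does export RENEWED_LINEAGE and RENEWED_DOMAINS into a deploy hook's environment; everything else (MX_HOST, MX_DEST, the staging directory, the SSH key path, the postfix reload) is an assumption for illustration.

```shell
#!/bin/sh
# Added example: certbot --deploy-hook that copies the mx2 certificate to the
# backup mail host. Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mx2.koalatyworks.com)
# and RENEWED_DOMAINS (space-separated names) when it runs the hook after a
# successful issuance or renewal. Paths and host names below are assumptions.
set -u

MX_DOMAIN="${MX_DOMAIN:-mx2.koalatyworks.com}"
STAGE_DIR="${STAGE_DIR:-/var/lib/mx2-cert}"     # root-only staging dir on the web host (assumed)
MX_HOST="${MX_HOST:-}"                          # e.g. deploy@mx2.koalatyworks.com; empty = stage only
MX_DEST="${MX_DEST:-/etc/postfix/tls}"          # destination directory on the mail host (assumed)
SSH_KEY="${SSH_KEY:-/root/.ssh/mx2_deploy}"     # key used only for this copy job (assumed)

# lineage_is_mx "dom1 dom2 ..." -> 0 when MX_DOMAIN is among the renewed names.
# Certbot runs the same hook for every lineage on the box, so skip the others.
lineage_is_mx() {
    for d in $1; do
        [ "$d" = "$MX_DOMAIN" ] && return 0
    done
    return 1
}

# stage_mx_cert LINEAGE_DIR DEST_DIR: copy fullchain + privkey into DEST_DIR with
# tight permissions. Both files are checked first so a half-copied pair never ships.
stage_mx_cert() {
    lineage="$1"; dest="$2"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest" && chmod 0700 "$dest" || return 1
    # install follows the live/ symlinks and writes a regular file with the given mode
    install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem" || return 1
    install -m 0600 "$lineage/privkey.pem"   "$dest/privkey.pem"   || return 1
}

# push_to_mx STAGE_DIR: ship the staged pair to the mail host and reload the MTA.
# The remote side (MX_DEST ownership, reload command) is assumed, not something certbot manages.
push_to_mx() {
    rsync -a -e "ssh -i $SSH_KEY" "$1/" "$MX_HOST:$MX_DEST/" || return 1
    ssh -i "$SSH_KEY" "$MX_HOST" "systemctl reload postfix"
}

# Entry point when certbot invokes the hook; nothing runs when the file is only sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    lineage_is_mx "${RENEWED_DOMAINS:-}" || exit 0        # some other lineage renewed
    stage_mx_cert "$RENEWED_LINEAGE" "$STAGE_DIR" || exit 1
    if [ -n "$MX_HOST" ]; then
        push_to_mx "$STAGE_DIR" || exit 1
    fi
fi
```

Usage (paths assumed): save the script as /usr/local/sbin/mx2-deploy-hook.sh, make it executable, and on the main host run `certbot certonly --webroot -w /var/www/acme -d mx2.koalatyworks.com --deploy-hook /usr/local/sbin/mx2-deploy-hook.sh`, with an nginx server block for mx2.koalatyworks.com that serves /.well-known/acme-challenge/ from that webroot. Certbot stores the hook in the lineage's renewal config, so later renewals re-run it without further flags. The deploy key should be limited to this one copy job (a dedicated user on the mail host, or a forced command), since it lets the web host write the mail server's private key.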
Sure, a cert is just a couple of files. Just keep them secure as you would on the main server.
Or, do you need the DNS A record for mx2 to point to your main server? Because if not you could just point that to where mx2 is and run Certbot standalone there. Still though it needs exclusive access to port 80.