Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
That --standalone method command requires seeing the HTTP request on port 80.
Your domain is currently proxied at Cloudflare. The Cloudflare CDN edge is redirecting http to https. So, unless you are forcing all connections to your origin over HTTP that --standalone will never see it. And, it is not recommended for force HTTP like that anyway.
Have you considered using the Cloudflare Origin CA cert for your origin server to support HTTPS between the CF edge and your origin?
Thanks for your reply.
I have now un-proxied my domain at CloudFlare, but that doesn't seem to have made a difference. I don't understand the option you're talking about here, but I don't know if I can use it as I have to provide certificates for the domains to Esri consultants to configure into the ArcGIS Enterprise application we're deploying. How can I get this to work?
It would have made SOME difference. What was the actual error message you see now?
Update: And, would expect a non-response to HTTP requests if you only use --standalone. But, there is some sort of gateway in front of it. Are you sure it is passing the Let's Encrypt challenge to Certbot?
curl -i http://gis-tst.greencollar.com.au/.well-known/acme-challenge/Test404HTTP/1.1 301 Moved Permanently
Can't you user Azure's own certificate service for app gateway?
Is your [ArcGIS portal] service hosted on Windows or Linux?
You could try Certify The Web (which I develop), on Windows:
It has a deployment task option for Azure KeyVault and then you can assign that cert from keyvault to app gateway (I think, haven't tried it directly).
You can also use the Deploy to Generic Server task to just export the certificates as files you can give consultants etc, although this process doesn't sound ideal as you need something that can be automated for renewals. The task can copy cert files over SSH/SFTP to a target server and can also run scripts (such as a service restart).
If you need multiple domains on different DNS zones in your cert it also has an option under Authorization to have a DNS authorization config per domain/domain match.
However I can't see you being able to issue a cert for an azure.com subdomain as you don't control that DNS, you could do it using HTTP validation though if this is Windows server and you can free up port 80 for http challenges.
There's probably a lot of moving parts here as you have your actual ArcGIS web server but you also have app gateway in front of that (which is where your TLS will terminate and where you primarily need your certificate). It seems like something your consultants should be formulating a solution for, unless they only help with the GIS config.