Certbot + NGINX + Windows

My domain is: dev.mysoftware24.com

I ran this command: certbot certonly --standalone

It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Not sure what to put here

The operating system my web server runs on is (include version):
Windows Server 2022 Datacenter Azure Edition 21H2

My hosting provider, if applicable, is: Azure VPS

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Not sure what to put here

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

Do you actually need to run on Windows?

Anyhow, it looks like your website doesn't answer on port 80. Because you're using --standalone (why?) we can be confident it's listening, so it must be some firewall: either your machine's or your provider's.

Is port 80/TCP open in your firewalls?


I'm pretty sure port 80 is all good.

Before I try Certbot I was running my servers with NGINX on port 80 and it was working well.
Since Certbot asked me to put all down, I stopped NGINX and all my servers (just to be sure).

So, I don't know exactly where is my mistake.

It only asks you to do that if you want to use --standalone (hence why I asked you why you're using it).

You can use --nginx or --webroot leaving nginx on port 80.


Because it seemed to be the easiest way.
I mean, it is my Dev Server, so I'm able to put all servers down.

I'll look for how to use "certbot --nginx", but --standalone should have worked, shouldn't it?
At least all environment seems to be ready.

It's very disruptive.

I mean, you use it on servers that don't have a webserver of their own, like smtp/imap ones, or you use it when you have a cluster and every node is reverse proxying the /.well-known/acme-challenge directory to the single server that runs certbot --standalone.

It should have.


Is there any tutorial on how to install the certbot nginx plugin on Windows?

It looks like you're not supposed to, and you should use the webroot plugin:


Sorry for my ignorance, but I didn't get how to use webroot; I didn't understand the "Important Note:"

could you lead me through that, please?

Windows and certbot have a complicated relationship. There are better options for Windows.

Anyhow, webroot works like this:

certbot --webroot -w C:\path\to\your\htdocs [other options as needed]

(I am not actually sure how [slash? backslash?] certbot wants the path specified, or if you can avoid specifying it and it can autodetect it.)


Again, my ignorance speaking...
As far as I could understand, htdocs are files for Apache, I'm not using Apache.
Ok, I'm completely lost, sorry...

It's just a directory name, call it what you want. It's the directory from which nginx serves your website.

(It's the root directive in your config)


Is it a problem if there is no website?
In my case it is just a standalone WebServer, an .exe which provides my endpoints

You should at least add a dedicated one in a block like this:

        location /.well-known/acme-challenge/ {
                root /var/www/acme;
        }

By putting that inside a server block that listens to all domains, I have set up my nginx to send all requests for that path to another webroot which I then give to my acme client (all other paths get redirected to https)

And you can see it for yourself,

http://quake.qualcuno.xyz/.well-known/acme-challenge/404 stays on http
but
http://quake.qualcuno.xyz/someotherpath goes on https

both are 404 errors, and open the first link before the second one or you won't be able to see the difference, because of HSTS.


No success with --webroot
Log

Just an update, my server is Hosted on Azure VPS, I don't know if it changes anything...

Did you tell nginx to serve that directory when asked about /.well-known/acme-challenge?

(See the location block I pasted above)


At some point during your initial test port 80 was blocked, that's why standalone didn't work (I assume you are not doing any geographic or IP range filtering on connections in your firewall).

  • Check your website works normally over http (it currently does) [Edit: correction, your website does not currently connect on port 80, so you need to fix this first or at least ensure that port 80 is open at both the VM networking settings and your server firewall]
  • Stop nginx to ensure port 80 is freed up and nothing is listening. [Ensure there are no nginx processes running]
  • Run certbot standalone to get your certificate. This part should currently work OK if nothing else is using port 80.
  • Update your nginx configuration to point to the new certificate files for https.
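A pre-flight check, added here as an example and not part of any post in this thread, that probes the two behaviours described above (the challenge path stays on plain http, every other path redirects to https) and also reports the port-80-blocked failure mode from the checklist; the hostname argument and the `preflight-probe` token are placeholders, and the `fetch` parameter exists only so the logic can be exercised offline.

```python
"""Pre-flight check before running certbot --webroot (or --standalone):
is port 80 reachable, and does nginx keep /.well-known/acme-challenge/
on plain HTTP while sending other paths to https?"""
import http.client
import sys
from typing import Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


def classify(path: str, status: Optional[int], location: Optional[str]) -> str:
    """Interpret one HTTP response for `path`.
    status None means the TCP connection failed (firewall or no listener)."""
    if status is None:
        return "unreachable"
    is_acme = path.startswith(ACME_PREFIX)
    if 300 <= status < 400:
        if location and location.lower().startswith("https://"):
            # Fine for ordinary paths, fatal for the challenge path: the CA
            # must be able to fetch the token over http on port 80.
            return "redirect-breaks-challenge" if is_acme else "redirect-to-https"
        return "redirect-other"
    if status in (200, 404):
        # 404 is the expected answer for a token that does not exist yet.
        return "served-over-http"
    return "unexpected-%d" % status


def probe(host: str, path: str, timeout: float = 5.0) -> Tuple[Optional[int], Optional[str]]:
    """Plain HTTP GET on port 80 without following redirects."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None, None


def preflight(host: str, fetch=probe) -> dict:
    """Probe a (placeholder) challenge token and an ordinary path; map path -> verdict."""
    results = {}
    for path in (ACME_PREFIX + "preflight-probe", "/someotherpath"):
        status, location = fetch(host, path)
        results[path] = classify(path, status, location)
    return results


if __name__ == "__main__":
    # usage: python preflight.py dev.example.invalid   (hostname is a placeholder)
    for path, verdict in preflight(sys.argv[1]).items():
        print(path, "->", verdict)
```

Anything other than `served-over-http` for the challenge path means the HTTP-01 validation will fail before certbot's plugin choice even matters.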

Could you clarify something for me? Since NGINX is completely stopped when I run Certbot, why is it important exactly?
I mean, Certbot should be able to create the certificate with or without NGINX, with standalone or webroot, shouldn't it?

With NGINX running

No NGINX running