Keep Standalone Server Running for Troubleshooting?

Is there a way to keep the certbot server running so that I can troubleshoot connecting to it while it is running? I would like to verify whether I am able to connect to /.well-known/acme-challenge/......

My domain is: topsecondhost.com (mail.topsecondhost.com)

I ran this command:
sudo docker run -it --rm --name certbot -p 80:80 -v "/etc/letsencrypt/live:/etc/letsencrypt/live" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot certonly --config-dir ~/certbot/config --work-dir ~/cerbot/work --logs-dir ~/cerbot/log

It produced this output:
Requesting a certificate for mail.topsecondhost.com and mimosa.topsecondhost.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: mail.topsecondhost.com
Type: unauthorized
Detail: 63.158.106.11: Invalid response from http://mail.topsecondhost.com/.well-known/acme-challenge/KzD5MDRCMUBa2bxeF4co0KY9EeiCqkbdFbTpAUNMHaY: 503

Domain: mimosa.topsecondhost.com
Type: unauthorized
Detail: 63.158.106.11: Invalid response from http://mimosa.topsecondhost.com/.well-known/acme-challenge/3tSUmI86Wux-WVOHeTzOapzqGz2Yoad-tyurqIAm69U: 503

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version):
This is my mail server but for web traffic it sits behind a haproxy reverse proxy, which is a different server. Web traffic is offloaded at the reverse proxy, but mail traffic does not go through the proxy server. For years I've been running Certbot on the proxy server to get a wildcard cert, and then copying that cert to the mail server. (mail ports are routed directly to the mail server by the router and do not go through the proxy) It's always a hassle to do a DNS record for a wildcard cert and then copy the cert from one server to the other. So, I would like to just run Certbot on the mail server for its own cert. But, of course, this means the Certbot request to /.well-known/acme-challenge/... on port 80 has to go through the reverse proxy.

I've run a nginx docker container on the mail server and verified that I get a proper 200 response from an external browser. I've disabled forcing https on the proxy, and verified that I can get that response in http.

The operating system my web server runs on is (include version):

sudo cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: No

The version of my client is: latest docker certbot/certbot

Use the --debug-challenges option.

4 Likes

Thank you! This was actually the solution to the problem, as well. The backend just needed to be up long enough for the reverse proxy to recognize that it was there.

3 Likes
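A reachability check for the paused challenge, added here as an example and not code from the thread or from Certbot: while Certbot waits on --debug-challenges it prints the challenge URL and the content it expects, so the script below fetches that path through the proxy the way the CA would and maps the result to the usual cause (a 503 is the proxy answering with no live backend, the failure quoted above). The token and content values are constructed, and the small TokenHandler only stands in for the standalone server so the check can be exercised locally.

```python
import http.server
import threading
import urllib.error
import urllib.request
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
DIAGNOSIS = {  # what each status usually means when the request crosses a reverse proxy
    200: "reachable; the CA should get the same answer",
    404: "path routed, but not to the standalone server (check proxy ACL/backend)",
    503: "proxy has no available backend (standalone server down or health check not passed)",
}

def fetch(url, timeout=10):
    """GET url; HTTP error statuses are returned as (status, body), not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_challenge(base_url, token, expected):
    """Fetch the challenge URL the way the CA would and explain the outcome."""
    status, body = fetch(base_url.rstrip("/") + CHALLENGE_PREFIX + token)
    ok = status == 200 and body.strip() == expected
    if status == 200 and not ok:
        diagnosis = "200 but wrong content: a different backend answered"
    else:
        diagnosis = DIAGNOSIS.get(status, "unexpected status")
    return {"status": status, "ok": ok, "diagnosis": diagnosis}

class TokenHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for certbot's standalone server, used only by the local self-test."""
    tokens = {}  # token -> key authorization it should serve (constructed values)
    def do_GET(self):
        value = self.tokens.get(self.path[len(CHALLENGE_PREFIX):])
        if not self.path.startswith(CHALLENGE_PREFIX) or value is None:
            return self.send_error(404)
        data = value.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args):  # keep the self-test quiet
        pass

def serve_token(port, token, value):
    """Serve one token on 127.0.0.1:port in a daemon thread; returns the server."""
    TokenHandler.tokens[token] = value
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), TokenHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Against the real proxy, call check_challenge("http://mail.topsecondhost.com", token, content) with the token and content Certbot prints while paused; a 503 means the proxy still considers the backend down, which is the symptom in the error output above.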

How is that going to work on the next [automated] renewal?

3 Likes

What do you mean? Which particular part are you concerned with?

If using "--debug-challenges" is what made it work, then how is that going to be part of your automated renewal?

3 Likes

I hadn't really been concerned with automating it. The solution for that, previously, would have been more work than I wanted to spend my time on.

I suppose I could remove the health check from the backend configuration. That would probably allow it to execute the usual way. I'll give that a try in three months.

1 Like