Is there a way to keep the certbot server running so that I can troubleshoot connecting to it while it is running? I would like to verify whether I am able to connect to /.well-known/acme-challenge/......
My domain is: topsecondhost.com (mail.topsecondhost.com)
I ran this command:
sudo docker run -it --rm --name certbot -p 80:80 -v "/etc/letsencrypt/live:/etc/letsencrypt/live" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot certonly --config-dir ~/certbot/config --work-dir ~/cerbot/work --logs-dir ~/cerbot/log
It produced this output:
Requesting a certificate for mail.topsecondhost.com and mimosa.topsecondhost.com
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: mail.topsecondhost.com
Type: unauthorized
Detail: 63.158.106.11: Invalid response from http://mail.topsecondhost.com/.well-known/acme-challenge/KzD5MDRCMUBa2bxeF4co0KY9EeiCqkbdFbTpAUNMHaY: 503
Domain: mimosa.topsecondhost.com
Type: unauthorized
Detail: 63.158.106.11: Invalid response from http://mimosa.topsecondhost.com/.well-known/acme-challenge/3tSUmI86Wux-WVOHeTzOapzqGz2Yoad-tyurqIAm69U: 503
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
My web server is (include version):
This is my mail server, but for web traffic it sits behind an HAProxy reverse proxy, which is a different server. Web traffic is offloaded at the reverse proxy, but mail traffic does not go through the proxy server. For years I've been running Certbot on the proxy server to get a wildcard cert, and then copying that cert to the mail server. (Mail ports are routed directly to the mail server by the router and do not go through the proxy.) It's always a hassle to do a DNS record for a wildcard cert and then copy the cert from one server to the other. So, I would like to just run Certbot on the mail server for its own cert. But, of course, this means the Certbot request to /.well-known/acme-challenge/... on port 80 has to go through the reverse proxy.
I've run an nginx docker container on the mail server and verified that I get a proper 200 response from an external browser. I've disabled forcing https on the proxy, and verified that I can get that response over http.
The operating system my web server runs on is (include version):
sudo cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: No
The version of my client is: latest docker certbot/certbot
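Added example, not part of the original post and not certbot's own code: a minimal stand-in for certbot's standalone HTTP-01 responder that keeps serving a known token on port 80 until you stop it, plus a probe function that reports the HTTP status a client actually sees. It lets you test the path through the reverse proxy at leisure instead of during the few seconds certbot's real standalone server is up. The token and key-authorization values are constructed placeholders (a real key authorization is `token.thumbprint`, which only certbot can compute for your account key), and the hostname and port used in the comments are assumptions.

```python
"""Keep a fake ACME HTTP-01 responder running so the proxy path can be probed.

Start it on the mail server (needs root for port 80):
    sudo python3 acme_probe.py 80
Then, from a machine outside your network, fetch
    http://mail.topsecondhost.com/.well-known/acme-challenge/test-token
and compare what you get with the server's request log. A 503 in the
probe with no "request:" line printed here means the reverse proxy
answered on its own and never forwarded to this host (HAProxy returns
503 when no backend server is available); a 200 means the path works
and the real certbot run should succeed.
"""
import sys
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed placeholder token -> key authorization; not real ACME data.
SAMPLE_TOKENS = {"test-token": "test-token.fake-account-thumbprint"}


class ChallengeHandler(BaseHTTPRequestHandler):
    """Answer only under the ACME challenge path; 404 for everything else."""

    def do_GET(self):
        if not self.path.startswith(CHALLENGE_PREFIX):
            self.send_error(404)
            return
        token = self.path[len(CHALLENGE_PREFIX):]
        key_auth = self.server.tokens.get(token)
        if key_auth is None:
            self.send_error(404)
            return
        body = key_auth.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Print every request so you can see whether the proxy forwarded it.
        print("request: " + fmt % args)


class ChallengeServer(ThreadingHTTPServer):
    def __init__(self, address, tokens):
        super().__init__(address, ChallengeHandler)
        self.tokens = dict(tokens)


def start_server(tokens, host="0.0.0.0", port=80):
    """Start the responder in a background thread and return the server."""
    server = ChallengeServer((host, port), tokens)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server


def probe(url, timeout=5):
    """Fetch url and return (status, body); status is None if no TCP connection."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # proxy or server answered with a non-2xx status
        return err.code, err.read().decode("utf-8", "replace")
    except URLError as err:  # connection refused, DNS failure, timeout
        return None, str(err.reason)


def check_challenge(base_url, token, expected_key_auth):
    """True only if the challenge URL returns 200 with the exact key authorization."""
    status, body = probe(base_url + CHALLENGE_PREFIX + token)
    return status == 200 and body.strip() == expected_key_auth


if __name__ == "__main__":
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    srv = start_server(SAMPLE_TOKENS, port=listen_port)
    for tok in SAMPLE_TOKENS:
        print(f"serving {CHALLENGE_PREFIX}{tok} on port {listen_port}; Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

If the external probe returns 200 but certbot still reports 503, the difference is usually the Docker port mapping or the proxy rule matching on the `Host` header, so repeat the probe with the exact hostname certbot will request and with the responder running inside the same container network as certbot.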