and provide appropriate nginx config. Am I right? Because I assume the certbot nginx plugin is meant for nginx as a web host, not a proxy, right? My nginx.conf looks like this:
The nginx server can listen on the range 44000-44099 (ports forwarded). Network nodes before nginx translate ports 80 and 443 to nginx host ports 44080 and 44043.
--standalone is meant for sites that are not running any kind of webserver. It will not work if you have a webserver running on the standard ports.
I believe the easiest method of verification for you is tls-sni-01. Certbot will create a fake hostname with a special certificate in your nginx config, connect to the server at the domain you want the certificate for, request the fake hostname via Server Name Indication, and approve the validation request if it gets back the right certificate. Certbot generates its own separate server blocks in your nginx config to do this, so it won’t interfere with your existing proxied hosts.
If you don’t want certbot to automatically adjust your nginx configs, you will need to use webroot authentication with certbot certonly and add location blocks to all your proxied hosts so they return files in /.well-known/acme-challenge from a local directory instead. You can point them all to the same directory and pass that to certbot as the webroot for all domains if you want; there is no need for them to be separate.
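The webroot route described above, as an added example that is not part of the original thread and not certbot's or the poster's own config. It assumes a shared webroot of /var/www/acme and a snippet file under /etc/nginx/snippets (both hypothetical paths; adjust to the real layout). Because public port 80 is NATed to the gateway's 44080, the challenge request still reaches the proxied server block whatever port nginx itself listens on; only the path matters. Note that tls-sni-01 has since been retired by Let's Encrypt (disabled in 2019), so webroot and dns-01 are the routes that remain.

```shell
#!/bin/sh
# Added example: shared ACME webroot for several proxied hosts in nginx,
# plus the matching "certbot certonly --webroot" invocation.
# Assumed paths (not from the thread): /var/www/acme, /etc/nginx/snippets.
set -eu

ACME_WEBROOT="${ACME_WEBROOT:-/var/www/acme}"
SNIPPET="${SNIPPET:-/etc/nginx/snippets/acme-challenge.conf}"

# Create the shared webroot. nginx serves only this prefix from disk;
# every other request still goes to the proxied backend.
prepare_webroot() {
    mkdir -p "$1/.well-known/acme-challenge"
    chmod 755 "$1" "$1/.well-known" "$1/.well-known/acme-challenge"
    printf '%s\n' "$1/.well-known/acme-challenge"
}

# Write an nginx snippet to "include" in every server block that proxies a host.
# nginx appends the full URI to "root", so a token is read from
# <webroot>/.well-known/acme-challenge/<token>, which is where certbot writes it.
write_snippet() {
    # $1 = webroot, $2 = snippet path
    cat > "$2" <<EOF
# Serve ACME HTTP-01 challenges from a local directory.
# Include this before the "location / { proxy_pass ...; }" block.
location ^~ /.well-known/acme-challenge/ {
    root $1;
    default_type "text/plain";
    try_files \$uri =404;
}
EOF
    printf '%s\n' "$2"
}

# Build the certbot command line: one -w for the shared root, one -d per domain.
certbot_cmd() {
    webroot=$1; shift
    cmd="certbot certonly --webroot -w $webroot"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Usage (domains taken from the thread):
# prepare_webroot "$ACME_WEBROOT"
# write_snippet "$ACME_WEBROOT" "$SNIPPET"
# certbot_cmd "$ACME_WEBROOT" lapsio.bestpony.ml milosz.bestpony.ml
# then: nginx -t && nginx -s reload, and run the printed certbot command.
```

Keeping the snippet in one file and including it in each server block is what makes one shared directory work for all domains; the `^~` prefix match also guarantees the ACME location wins over any regex locations in the same server block.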
I tried connecting to lapsio.bestpony.ml:443 via netcat after starting a netcat server on the nginx gateway, and it works: I can connect over 443 to the netcat server listening on 44043 on the nginx gateway.
With nginx the reason seems to be quite obvious: the nginx gateway does NOT listen on port 443, nor 80, and that’s what certbot is adding to nginx.conf (they’re blocked on the firewall before the gateway); it’s listening on 44080 and 44043. Only ports 44000-44099 are available to the nginx gateway. Other ports are forwarded to different servers in the network.
Additionally public 443 is NATed to nginx machine 44043 and public 80 is NATed to nginx machine 44080.
If you cannot modify the configuration for either the servers listening on port 80 or 443, then you will be unable to use http-01/webroot or tls-sni-01 authentication with Let’s Encrypt. For the security of your domain, the CA/Browser Forum requires CAs to perform validation on well-known ports such as those.
Your only choice if that’s the case is to use dns-01 authentication. This requires adding a TXT record to your DNS either manually or via an API. While certbot has some support for this, the dehydrated and acme.sh clients have support for a larger number of DNS providers.
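How the dns-01 TXT record value is derived, as an added example that is not part of the thread and not code from certbot, dehydrated or acme.sh. The derivation follows RFC 8555 section 8.4: the key authorization is `<token>.<account key thumbprint>`, and the record placed at `_acme-challenge.<domain>` holds base64url(SHA-256(key authorization)) without padding. Knowing this lets you check a manually created or API-created record before asking the CA to validate it. The `dns01_check` helper assumes `dig` and `openssl` are installed.

```shell
#!/bin/sh
# Added example: compute and verify the dns-01 TXT record value.
# Requires openssl; dns01_check additionally requires dig.
set -eu

# base64url without padding, as ACME requires for challenge values.
b64url() {
    base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# TXT value = base64url(SHA-256(key_authorization)),
# where key_authorization = "<token>.<account key thumbprint>".
dns01_txt_value() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# Name the record must be published at.
dns01_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Compare what public DNS currently returns with the expected value.
# Returns 0 when a matching TXT record is visible, non-zero otherwise.
dns01_check() {
    # $1 = domain, $2 = key authorization
    expected=$(dns01_txt_value "$2")
    name=$(dns01_record_name "$1")
    dig +short TXT "$name" | tr -d '"' | grep -qxF "$expected"
}

# Usage with a constructed key authorization (the real token and thumbprint
# come from the ACME client during the challenge):
# dns01_record_name lapsio.bestpony.ml
# dns01_txt_value "constructed-token.constructed-thumbprint"
# dns01_check lapsio.bestpony.ml "constructed-token.constructed-thumbprint"
```

Checking the record with `dig` before triggering validation avoids burning Let's Encrypt's failed-validation rate limit while DNS propagates; the result is always 43 characters because SHA-256 yields 32 bytes.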
Where X is the VM number corresponding to a certain domain name, e.g. lapsio.bestpony.ml is listening on 10.0.1.2:44180 as http and milosz.bestpony.ml is listening on 10.0.2.2:44280. 10.0.0.0/16 is the virtualized network containing all VMs. Technically the nginx host is just one of the VMs; that’s why it listens on ports 44043/44080, to fall under the standard VM port-forward policy (ports 44000-46999 are forwarded from the WAN directly to VMs, and these are the only ports VMs can use for outside-world communication).
Is it possible to alter the port the same way for the nginx certbot plugin? It’s not like reloading/shutting down nginx for a few seconds once a month is a big deal, but welp. It’d be “nice to have”.