I have a mail server running on host A, this used to also host a webmail service, and everything worked fine - it renewed as it should.
Nine months ago I had to split these services, so mail (SMTP,IMAP) is still on host A but the webservice was moved to host B. The firewall routes the traffic accordingly as these hosts share the same fqdn externally... and there is the problem, when the mail host (A) runs certbot renew it always fails because it tells letsencrypt to look at mail.domain.net which is technically correct but factually a different host (B).
Is there anyway to get certbot to ask for verification at another host name? i.e. ask to look at authentication file at a.domain.net instead of b.domain.net (i.e. webmail)?
I know the simple solution is to either have different names (i.e. mail vs webmail) or use a wildcard thing through DNS - the former is not preferred while the latter is not an option for "auto renewal" since our DNS host has no API or ways to do that ...
If this was done manually once every other year I could live with it, but letsencrypt needs this every 3 months and it's becoming a hassle to work around...
You'd require a mechanism to securely transfer the private key and certificate to the other server not running certbot on every renewal though. See information about --deploy-hook to run such a deployment script after renewal on the certbot documentation page.
Also, your mailserver with certbot can use the standalone plugin if you don't want to install a whole Apache or nginx webserver for just the http-01 challenge.
wound up splitting the requests in the firewall (looking for the acme token) and running a deploy script copying it over to the other server using scp and rsa keys... webserver just has a simple daily script looking for a new cert and then reloads...
once I stopped looking at ONE app (certbot) to do everything it kinda worked out
(as a bonus I now a setup for copying files via script which I'll need later, and I know more about the firewall software as well)
was so focused on solving it with certbot that my mind didn't go elsewhere... thanks!