Is it possible to start the responder for the http-01 challenge and delay starting the cert renewal?
The background is that the node is behind a load balancer and the health checker must first recognize the certbot responder.
Thanks for the tip, but we're using the original Debian packages and wouldn't like to change them.
Why is there actually no delay option for the standalone responder analogous to the DNS plugins, for example '--dns-cloudflare-propagation-seconds'? That would be very helpful in my case.
Nobody wanted it enough to submit a PR against certbot; it sounds like you do, and @Osiris has pretty much given you everything you need for that. You would need a time.sleep(5), for instance, but really the proper way to do this probably includes:
not using the standalone mode and serving the challenge responses yourself
using a pre-request hook to pause your healthcheck
I presume you are stopping your http service, running certbot as standalone, then starting it again, which means you are incurring an outage for each renewal, so in a way your healthcheck is correct.
How is this working anyway? Your load balancer is potentially going to serve the http challenge via the wrong server, unless only one server is configured for cert renewals and all /.well-known/acme-challenge/ requests go to that.
I recommend DNS validation for multi-server/load balanced scenarios as it skips this whole problem. If you then also use centralised renewal then you also avoid duplicate certificate rate limits if you have many server instances.
3 nodes with keepalived, one has the virtual IP and distributed.
A certificate is required on each node, which contains the host name plus the SAN names of the vHosts running on all nodes.
Certbot has been switched to port 81, and a distribution incl. health checker for port 81 has been set up on the LB.
Since we are not allowed to describe the DNS, and the DNS for the SAN names only points to the virtual IP, it would be nice if a delay during the certbot standalone challenge were possible.
Is that health check needed? The standalone auth is often very fast and at other times is not even running. My experience with such health-checks is to detect failed or non-responding instances. The important thing to know is whether certbot gets the cert properly. There are various other options for that.
Is it not possible for your webserver on port 80 to serve the http challenge responses? Certbot can write to a web root path; your webserver just needs to know to serve the static text files from /.well-known/acme-challenge, which is a very common configuration.
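One way to get the "wait for the health checker" behaviour without patching the Debian certbot package is to serve the challenge yourself and give certbot a --manual-auth-hook that stages the response and only returns once it is reachable through the public name. This is an added example, not code from the thread or from certbot; it assumes a constructed web root /var/www/acme that the port-80 server already exposes as /.well-known/acme-challenge/, and uses the CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION variables certbot exports to manual hooks.

```shell
#!/bin/sh
# Added example: certbot --manual-auth-hook that stages the http-01 response
# in the web root and waits until the load balancer actually serves it.
# Assumption: the port-80 web server maps $ACME_WEBROOT/.well-known/acme-challenge/
# to /.well-known/acme-challenge/ (path is constructed for this example).
ACME_WEBROOT="${ACME_WEBROOT:-/var/www/acme}"

# Write the key authorization for one token into the challenge directory
# and print the path of the file that was created.
write_challenge() {
    webroot="$1"; token="$2"; validation="$3"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$validation" > "$dir/$token"
    chmod 0644 "$dir/$token"   # must be readable by the web server user
    echo "$dir/$token"
}

# Run a probe command until it succeeds; return 1 when the attempt budget
# is exhausted. Usage: wait_until ATTEMPTS INTERVAL_SECONDS CMD [ARGS...]
wait_until() {
    attempts="$1"; interval="$2"; shift 2
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if "$@"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}

# Probe: fetch the token through the public name (i.e. via the LB) and compare
# with what we staged; a 404 or another node's answer both count as "not yet".
challenge_served() {
    body=$(curl -fsS --max-time 5 "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "$3" ]
}

main() {
    path=$(write_challenge "$ACME_WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION")
    echo "staged $path"
    # Give the health checker up to 60 s to start routing to this node.
    wait_until 12 5 challenge_served "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" \
        || { echo "challenge not reachable via $CERTBOT_DOMAIN" >&2; exit 1; }
}

if [ -n "${CERTBOT_TOKEN:-}" ]; then   # only run when invoked by certbot
    main
fi
```

Invoke it as `certbot certonly --manual --preferred-challenges http --manual-auth-hook /path/to/this.sh ...` and pair it with a --manual-cleanup-hook that removes the staged file; the same polling loop works unchanged as a --pre-hook if you keep standalone mode and only need to wait for the health checker.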