Renewal: another client-lacks-sufficient-authorization

I tried to pass this option:

docker run --rm -it \
     --name certbot \
     -v '/home/etc/letsencrypt:/etc/letsencrypt' \
     -v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
     -v "/tmp/acme-challenge:/tmp/acme-challenge:rw" \
     certbot/certbot renew --webroot \
     --webroot-path "/tmp/acme-challenge" \
     --debug-challenges -v \
     --dry-run

And I do get an intermediary message:

-------------------------------------------------------------------------------
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
-------------------------------------------------------------------------------
Cleaning up challenges

But it doesn't wait for me to press continue, it goes on anyway... so I still can't check if my challenges are there.

With the -v option, I get more output. Sample for www.alchimie-web.com:

certbot asking for a challenge token:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8/164549450:
{
  "protected": "eyJub25jZSI6ICJ5V2NHcTBVOU9VVEpfRkRIalFCcjVhU0pPTGZJUTl4UksxU0s5WUl3cUdzIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsZW5nZS9nUlliMTdyMlZ6VE5hTHhkNFpfNXMteVdvTXlLbTJWUU5fWXo2cFl4bXc4LzE2NDU0OTQ1MCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzY4MjIxMTQiLCAiYWxnIjogIlJTMjU2In0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogImJwVm9qbUNTeXVyMENPaHQ4a3BURmxkekVoNWxxWVdyb0FVU0Nka1lpNjQua016OXdJM1JvVjNZcF84dzl6elZvU1FrNldobkVDNzB3TzZCa2tpMTczdyIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "EHPMjl7B0J8_dUgYEmarJ4O4C9Zpi_VQwPvukKW527-vGSMG3yKEuKdHAiW2ZN28w4nm4LPW4YrApUIFfYIxRIyLPihYHBc3VfcROejlsN2r06JruW87HNY60Asb7sU_J7JhdB8aCcL18HuWul-m9k3xenQIbmuQ9-oR8zjomMr-V42pontMemdrX_KqhsSqlM2kIieGA0LwRFGGVAIB2OgYEmCtEcJjsTiMZ6sESX0RcOw-VNotYe3OkxzrEhtONOW8ULbYP1CtEyCMk43WDKY_RFkSy59RarmQwuelWPaUxgSSOYKNDjsBSiHxuoWnu_HW6j6PtKR9IJ-63jg4Wg"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8/164549450 HTTP/1.1" 200 230
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 6822114
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8/164549450
Replay-Nonce: Lqw81232Va7R1-0KJ6QnUVFKgLCW59mQpAuicNkocoo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 28 Aug 2018 13:06:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 28 Aug 2018 13:06:20 GMT
Connection: keep-alive
{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8/164549450",
  "token": "bpVojmCSyur0COht8kpTFldzEh5lqYWroAUSCdkYi64"
}
Storing nonce: Lqw81232Va7R1-0KJ6QnUVFKgLCW59mQpAuicNkocoo

certbot trying to authenticate www.alchimie-web.com

Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8.
https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8 HTTP/1.1" 200 1805
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1805
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 28 Aug 2018 13:06:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 28 Aug 2018 13:06:25 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.alchimie-web.com"
  },
  "status": "invalid",
  "expires": "2018-09-04T13:06:16Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8/164549449",
      "token": "oAtfhiguq91hpHOJGGkQPA_3-Gn9xhEGCbadL0wZxUs"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://www.alchimie-web.com/.well-known/acme-challenge/bpVojmCSyur0COht8kpTFldzEh5lqYWroAUSCdkYi64: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8/164549450",
      "token": "bpVojmCSyur0COht8kpTFldzEh5lqYWroAUSCdkYi64",
      "validationRecord": [
        {
          "url": "http://www.alchimie-web.com/.well-known/acme-challenge/bpVojmCSyur0COht8kpTFldzEh5lqYWroAUSCdkYi64",
          "hostname": "www.alchimie-web.com",
          "port": "80",
          "addressesResolved": [
            "37.59.46.195"
          ],
          "addressUsed": "37.59.46.195"
        }
      ]
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8/164549451",
      "token": "nXmyw8m_qn-0uLEt2axrsDxtsgu4gzQqlpB8yRO4sjE"
    }
  ]
}
tls-alpn-01 was not recognized, full message: {u'status': u'invalid', u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gRYb17r2VzTNaLxd4Z_5s-yWoMyKm2VQN_Yz6pYxmw8/164549451', u'token': u'nXmyw8m_qn-0uLEt2axrsDxtsgu4gzQqlpB8yRO4sjE', u'type': u'tls-alpn-01'}
Reporting to user: The following errors were reported by the server:
(...)
Domain: www.alchimie-web.com
Type:   unauthorized
Detail: Invalid response from http://www.alchimie-web.com/.well-known/acme-challenge/bpVojmCSyur0COht8kpTFldzEh5lqYWroAUSCdkYi64: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

And also the cleanup debug:

Calling registered functions
Cleaning up challenges
Removing /tmp/acme-challenge/.well-known/acme-challenge/HXBJCZZ9HMVuv9q5wfObgOAwyAFbULMOLbk4TKod530
Removing /tmp/acme-challenge/.well-known/acme-challenge/rT6_31SAANv5LxASc2d1e-EXmZOrC5yT-HqcPv_mqqk
Removing /tmp/acme-challenge/.well-known/acme-challenge/XUWECP4K2SSRrp9Krkg_xjk-KxIddD8ZgINavO727ww
Removing /tmp/acme-challenge/.well-known/acme-challenge/fnGbSoQ2zAfCwdi8U1tQ-GHwPlKlWawHgccsTzaIDK0
Removing /tmp/acme-challenge/.well-known/acme-challenge/A2y7roPqJXzCV9M98-vO0NYPnFBqIPb5QAN-z5NTQMQ
Removing /tmp/acme-challenge/.well-known/acme-challenge/nOJ8oR0yjteTk_gEzmavbOCpN0toCQBBWA1oAuH_5mU
Removing /tmp/acme-challenge/.well-known/acme-challenge/6KnBhfPRLxFhkkuTmpbIvmdhnreaBppRsM3HsbyeS2M
Removing /tmp/acme-challenge/.well-known/acme-challenge/gw6d9wz3U7jHgGj6rqrbWeyPGbdyL8L_iJL1cu7M664
All challenges cleaned up

So that was my problem: the webroot-path must point to the document_root of the server, not to the actual location of the challenge files, which will be in webroot_path/.well-known/acme-challenge.

(and it's actually explained in the doc... my bad!)

In addition, you’ll need to specify --webroot-path or -w with the top-level directory (“web root”) containing the files served by your webserver.
User Guide — Certbot 2.7.0.dev0 documentation
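
A preflight check for the mismatch described in this post, added here as an example (it is not part of the original post and not certbot's code). The helper names `serve`, `probe_webroot` and `demo` are hypothetical, and the localhost server is a constructed stand-in for the real web server; the probe is written to the same `<webroot>/.well-known/acme-challenge/` layout shown in the cleanup log.

```python
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # suffix the webroot plugin appends to -w


def serve(document_root):
    """Constructed stand-in for the real web server: static files on a free localhost port."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(document_root))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe_webroot(webroot, base_url):
    """Write a probe where certbot would write a token, then fetch it the way the CA would."""
    name, body = "probe-" + secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    target = Path(webroot) / CHALLENGE_DIR / name
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)
    try:
        with urllib.request.urlopen(f"{base_url}/{CHALLENGE_DIR}/{name}", timeout=5) as resp:
            return resp.read().decode() == body
    except urllib.error.HTTPError:
        return False  # e.g. the 404 quoted in the authorization error
    finally:
        target.unlink()


def demo():
    with tempfile.TemporaryDirectory() as docroot:
        server, url = serve(docroot)
        try:
            right = probe_webroot(docroot, url)  # -w <document root>
            wrong = probe_webroot(Path(docroot) / CHALLENGE_DIR, url)  # -w <challenge dir>
        finally:
            server.shutdown()
            server.server_close()
        return right, wrong


if __name__ == "__main__":
    print(demo())
```

Against a real deployment, call `probe_webroot` with the host-side directory mounted as `--webroot-path` and the site's `http://` base URL before running `certbot renew`.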