Just to clarify: did you forward ports 80 and 443 on your router to 10080 and 10443 on the Pi?
If so, you may need to add the --http-01-port or --tls-sni-01-port options to the certbot command to tell it what port to respond on.
Or did you forward ports 10080 and 10443 on the router to 80 and 443 on the Pi? If so, that won’t work; Let’s Encrypt will only connect on port 80 or 443 to verify the challenges. If you can’t forward either of those ports to your Pi, you’ll have to use the DNS challenge instead.
It’s the second case. NginX runs on ports 80 and 443 locally. The router forwards them to 10080 and 10443 outside my LAN.
I can temporarily forward 80 to 80, just for the certificate negotiation by certbot.
The problem would arise then in the future, when renewing the certificate via crontab as I read in the docs. I already have another web server running on 80 and 443 on another machine.
To issue or renew certificates via http-01 or tls-sni-01 validation, you must use ports 80 and 443. There’s no way around it.
The other available challenge is dns-01.
One workaround you could try is for the first web server (that receives the requests on 80 and 443) to proxy requests to the second web server (that receives requests on 10080 and 10443).
For example:
# on the first server's nginx
server {
    listen 80;
    server_name second-domain.com;

    # Only the ACME challenge path is handed to the second server;
    # everything else for this name is still answered here.
    location /.well-known/acme-challenge/ {
        proxy_pass http://10.10.10.2/.well-known/acme-challenge/; # where 10.10.10.2 is the internal IP of the second server
        proxy_set_header Host $host;
    }
}
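The proxy workaround in that reply, sketched as a small runnable Python model (an added example, not part of the thread): a front server forwards only the `/.well-known/acme-challenge/` path to a second server and answers everything else itself. It assumes both servers can bind ephemeral localhost ports standing in for 80 and 10080, and the token/key-authorization pair is a constructed sample, not real ACME data.

```python
import threading
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"
CHALLENGES = {"sample-token": b"sample-token.sample-thumbprint"}  # constructed token/key-auth

def fetch(port, path):
    """GET http://127.0.0.1:<port><path>; return (status, body) even for 4xx answers."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example silent
        pass
    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

class SecondServer(Quiet):
    """Internal server: the webroot certbot writes its challenge tokens into."""
    def do_GET(self):
        token = self.path[len(ACME_PREFIX):] if self.path.startswith(ACME_PREFIX) else ""
        body = CHALLENGES.get(token)
        self.reply(200 if body else 404, body or b"not found")

class FrontServer(Quiet):
    """Public server: proxies only the ACME path, serves everything else itself."""
    backend_port = None  # filled in once the second server is listening (hypothetical wiring)
    def do_GET(self):
        if self.path.startswith(ACME_PREFIX):
            self.reply(*fetch(self.backend_port, self.path))  # the proxy_pass step
        else:
            self.reply(200, b"first server content")

def start(handler):
    # Ephemeral localhost port as a stand-in for 80 / 10080; serve in the background.
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    """Return {case: (status, body)} as seen by a client talking only to the front server."""
    FrontServer.backend_port = start(SecondServer).server_address[1]
    port = start(FrontServer).server_address[1]
    paths = {"challenge": ACME_PREFIX + "sample-token", "missing": ACME_PREFIX + "nope", "root": "/"}
    return {case: fetch(port, p) for case, p in paths.items()}
```

Only the challenge path reaches the second server; an unknown token still comes back as the backend's 404, which is what a validator would see if certbot had not written the file yet.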