Certbot standalone not able to bind to IPv4 and fails authorization procedure?

One way to run certbot is standalone on a custom port, with Nginx receiving the ACME http-01 verification request on port 80 (the port is fixed by the protocol and cannot be changed) and proxy_passing the /.well-known/acme-challenge/ path to that custom port.
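As an added example (not the original post's configuration), here is an Nginx server block for that setup. It assumes certbot standalone listens on port 8008, as in the command at the end of the post, and that the site is www.example.com:

```nginx
# Added example, not from the original post. Assumes
#   certbot certonly --standalone --http-01-port 8008 ...
# is running (or paused with --debug-challenges) on this host.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;

    # Forward only the ACME challenge prefix. The CA's validator always
    # connects to port 80; Nginx answers there and hands the request to
    # the standalone certbot listener. "^~" stops regex locations from
    # capturing the path; proxy_pass without a URI keeps the token path.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
    }

    # Everything else on port 80 goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Only the challenge prefix is proxied; nothing else is exposed through the plain-HTTP listener. Certbot's standalone server binds to all addresses by default, so proxying to 127.0.0.1 works through the dual-stack behaviour discussed further down; add --http-01-address 127.0.0.1 to the certbot command if you want that listener reachable from loopback only.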

If you try that and get the following message, heads up: it may be misleading.

Successfully bound to :8080 using IPv6
Certbot wasn't able to bind to :8080 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
Waiting for verification...

If you don't have IPv6 on your system, your first thought may be that verification fails because certbot could not bind the IPv4 port. Most likely, that is not the case.

https://eff-certbot.readthedocs.io/en/stable/using.html:

On most Linux systems, IPv4 traffic will be routed to the bound IPv6 port and the failure during the second bind is expected.

Or, as the letsencrypt community forum puts it,

The IPv4/IPv6 message is likely to be a red herring. It usually means that Certbot has bound both address families in a single socket binding.
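To see this for yourself, here is an added Python example (not from the post or from certbot) that reproduces the two binds certbot performs, on loopback with ephemeral ports. It also runs the contrasting case with IPV6_V6ONLY=1, where the IPv4 bind succeeds because the IPv6 socket no longer owns the port for both families:

```python
"""Added example, not from the original post or from certbot: reproduce the
two binds certbot performs on a dual-stack host, using loopback and
ephemeral ports only. One AF_INET6 socket bound to :: with IPV6_V6ONLY=0
owns the port for both families, so the follow-up AF_INET bind fails with
EADDRINUSE, yet an IPv4 client still reaches the IPv6 socket."""
import errno
import socket


def _listen_v6(v6only):
    """Bind an IPv6 listener on an ephemeral port with the given IPV6_V6ONLY value."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    s.bind(("::", 0))
    s.listen(1)
    s.settimeout(5)
    return s, s.getsockname()[1]


def _try_bind_v4(port):
    """Return None if an IPv4 bind on 0.0.0.0:port succeeds, else the errno."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return None
    except OSError as e:
        return e.errno
    finally:
        s.close()


def probe_dual_stack():
    """Return a dict of observations, or None if the host cannot create IPv6 sockets."""
    try:
        listener, port = _listen_v6(v6only=False)
    except OSError:
        return None  # no AF_INET6 at all: certbot would not print the message here

    try:
        # Second bind, same port, IPv4: this is the step certbot reports as failed.
        v4_errno = _try_bind_v4(port)
        # An IPv4 client connects to that very port ...
        client = socket.create_connection(("127.0.0.1", port), timeout=5)
        conn, peer = listener.accept()
        # ... and is accepted by the IPv6 socket as an IPv4-mapped address.
        conn.close()
        client.close()
    finally:
        listener.close()

    # Contrast: with IPV6_V6ONLY=1 the port stays free for a separate IPv4 bind.
    # Retry a few times in case the kernel hands out a port that some unrelated
    # IPv4 socket already holds (allowed, since a v6-only socket does not clash).
    v6only_v4_errno = errno.EADDRINUSE
    for _ in range(3):
        only6, port6 = _listen_v6(v6only=True)
        try:
            v6only_v4_errno = _try_bind_v4(port6)
        finally:
            only6.close()
        if v6only_v4_errno != errno.EADDRINUSE:
            break

    return {
        "dual_stack_v4_bind_fails_addrinuse": v4_errno == errno.EADDRINUSE,
        "dual_stack_accepts_v4_client": peer[0].startswith("::ffff:"),
        "v6only_v4_bind_succeeds": v6only_v4_errno is None,
    }


if __name__ == "__main__":
    result = probe_dual_stack()
    if result is None:
        print("no IPv6 socket support on this host")
    else:
        for name, value in result.items():
            print(f"{name}: {value}")
```

On a Linux host with the default net.ipv6.bindv6only=0 all three observations come out True: the IPv4 bind fails exactly as certbot reports, and the IPv4 client is still served, showing up on the IPv6 socket as ::ffff:127.0.0.1. That is why the message says nothing about whether the CA can reach your challenge.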

The failure must be coming from elsewhere, most likely your Nginx configuration. Pass --debug-challenges: certbot sets up the challenge, then stops and waits before asking the CA to validate, which gives you time to test the challenge URL yourself. The output will look like this:

Received response:
HTTP 200
Retry-After: 5
Link: <https://dv.acme-v02.api.example-ca/directory>;rel="index"
Replay-Nonce: AEQAAAAK…
Content-Type: application/json
Content-Encoding: gzip
Server: scaffolding on HTTPServer2
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked

{"identifier":{"type":"dns","value":"www.example.com"},"status":"pending","expires":"2023-03-28T09:52:06.845338956Z","challenges":[{"type":"http-01","url":"https://dv.acme-v02.api.example-ca/challenge/yyut…","status":"pending","token":"fTMY…ys5G"},{"type":"dns-01","url":"https://dv.acme-v02.api.example-ca/challenge/0Lwd…","status":"pending","token":"yNol…"},{"type":"tls-alpn-01","url":"https://dv.acme-v02.api.example-ca/challenge/-0tP…","status":"pending","token":"W2hS…"}]}
Storing nonce: AEQAAAAK…
Performing the following challenges:
http-01 challenge for www.example.com
Successfully bound to :8008 using IPv6
Certbot wasn't able to bind to :8008 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
Waiting for verification...

Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.

You will need the token value of the http-01 challenge. The URL you should test in the above example is:

http://www.example.com/.well-known/acme-challenge/fTMY…ys5G
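Here is an added Python helper (not from the post or from certbot) that pulls the http-01 token out of the authorization JSON printed above, builds that URL, and judges a response the way the CA does: HTTP 200 with a body of the form "<token>.<account-key-thumbprint>" (RFC 8555 section 8.3). The embedded authorization object is constructed with made-up tokens; the live check is only run from the command line:

```python
"""Added example, not from the original post or from certbot. Extract the
http-01 token from an ACME authorization object (the JSON that
--debug-challenges prints), build the challenge URL, and validate a
response the way the CA does. SAMPLE_AUTHZ is constructed; its tokens are
made up."""
import json
import re
import sys
import urllib.error
import urllib.request

# Same shape as the object certbot prints; all values below are constructed.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "www.example.com"},
    "status": "pending",
    "challenges": [
        {"type": "http-01", "url": "https://acme.example/chall/1",
         "status": "pending", "token": "Qz8c_hXY3-constructedToken_ABCDEFGH"},
        {"type": "dns-01", "url": "https://acme.example/chall/2",
         "status": "pending", "token": "constructedDnsToken"},
    ],
})

# Tokens and thumbprints are base64url without padding (RFC 8555 section 8.3).
BASE64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def http01_token(authz_json):
    """Return the token of the http-01 challenge in an authorization object."""
    authz = json.loads(authz_json)
    for challenge in authz["challenges"]:
        if challenge["type"] == "http-01":
            return challenge["token"]
    raise ValueError("no http-01 challenge offered in this authorization")


def http01_url(domain, token):
    """The URL the CA's validator will fetch (always plain HTTP on port 80)."""
    if not BASE64URL_RE.match(token):
        raise ValueError("token is not base64url")
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def key_authorization_ok(token, body):
    """CA-side check of the body: '<token>.<thumbprint>', trailing whitespace ignored."""
    head, sep, thumbprint = body.rstrip().partition(".")
    return sep == "." and head == token and bool(BASE64URL_RE.match(thumbprint))


def fetch_and_check(domain, token, timeout=10):
    """Live check while certbot is paused: returns (http_status, body_ok)."""
    req = urllib.request.Request(http01_url(domain, token),
                                 headers={"User-Agent": "acme-debug/0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace")
            return resp.status, key_authorization_ok(token, body)
    except urllib.error.HTTPError as e:
        return e.code, False


if __name__ == "__main__":
    # Usage: paste the authorization JSON on stdin, pass the domain as argv[1].
    token = http01_token(sys.stdin.read())
    status, ok = fetch_and_check(sys.argv[1], token)
    print(f"{http01_url(sys.argv[1], token)} -> HTTP {status}, body {'ok' if ok else 'WRONG'}")
```

A 404 here means Nginx is not proxying the path; a 200 whose body does not start with the token means the request reached some other backend. Test the same URL against the standalone port directly (http://127.0.0.1:8008/.well-known/acme-challenge/<token>) to tell an Nginx problem from a certbot one.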

Keep in mind: with certbot renew the challenges are not paused, so for debugging you may have to run certonly instead. The post-hook reloads Nginx after issuance so it picks up the new certificate:

certbot certonly --standalone --http-01-port 8008 --post-hook "service nginx reload" --cert-name="www.example.com" -v --debug-challenges

#debian #ssl #certbot