How can I configure Let's Encrypt to renew under STunnel?

My domain is:

The version of my client is (output of certbot --version ):
certbot 0.31.0

1 machine (Stunnel) + 1 machine (HTTP Web Server)

root@STunnel-HTTPS-Server:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: "404 Not Found<meta http-equiv=“Content-Type” content=“text/html; charset=utf-8”><link ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)


Does the webserver, that stunnel is fronting for, have a webroot on the filesystem?

Also, is it on the same physical machine?

Hi _az,

  1. G-Wan Webserver webroot is /www.
  2. STunnel & G-Wan Webserver on 2 different physical machines.

Ehhh, that combination doesn’t really leave you with great choices, unfortunately.

The problem is that

  1. stunnel is not HTTP-aware, so you can’t really perform the challenge on the proxy server without stopping stunnel entirely, and
  2. you can’t easily copy the challenge file, because it has to be deployed to a remote server.

If I were you, I would swap out stunnel for something like nginx, configured as such:

server {
    listen 80;
    location / {
        # forward everything to the G-Wan backend
        proxy_pass http://ip.of.gwan.server:80/;
    }
}

and then just do something like:

sudo certbot --nginx -d
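A fuller version of the nginx replacement sketched above, as an added example rather than the poster's own config. It assumes placeholder values throughout: example.com for the domain, 192.0.2.10 for the G-Wan machine's address, and /var/www/letsencrypt as a local directory that nginx can read and certbot can write. The http-01 challenge path is served from the proxy's own filesystem, so the ACME validation request never has to be forwarded to the remote web server (the problem stunnel could not solve), while all other traffic is proxied to G-Wan with the client's address preserved in headers. The 443 block takes over the TLS termination stunnel used to do, using the paths certbot writes certificates to by default.

```nginx
# Added example, not the poster's configuration. Placeholders:
#   example.com           -> the real domain
#   192.0.2.10            -> the G-Wan server's address (documentation range)
#   /var/www/letsencrypt  -> local webroot readable by nginx, writable by certbot
server {
    listen 80;
    server_name example.com;

    # Answer http-01 challenges locally so the token is never proxied to the
    # remote G-Wan machine. Obtain/renew with:
    #   certbot certonly --webroot -w /var/www/letsencrypt -d example.com
    # (certbot --nginx also works with this block in place.)
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else reaches the backend exactly as it did through stunnel,
    # with the original client address carried in headers for G-Wan's logs.
    location / {
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# TLS termination replacing stunnel. Certificate paths are certbot's defaults
# for a domain named example.com.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the challenge location is served from local disk, renewals with the webroot authenticator need neither a stop of the proxy nor a file copy to the G-Wan host; after `nginx -t` passes, a `certbot renew --deploy-hook "systemctl reload nginx"` picks up the new certificate without interrupting traffic.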