How to use auto renew with ngrok domains?

Hello,

I am using an SSH tunneling service like ngrok to expose my sites to the internet rather than directly opening up ports 80 and 443 from my server’s internet gateway router.

However, certbot now fails to complete the re-certification.

sudo certbot renew --dry-run

Attempting to renew cert (algominier.com) from /etc/letsencrypt/renewal/algominier.com.conf produced an unexpected error: Failed authorization procedure. algominier.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://algominier.com/.well-known/acme-challenge/U_6JbPkihWAEkXnqJCRjxuuZzSscqWlEW7TV61j76xs: Timeout during connect (likely firewall problem). Skipping.

What is the solution for this?

Thank you!

Hi @AlgoSignals

you have two options:

  • Open your port 80 (or)
  • switch to dns validation.

But (2) may be manual.

Read

PS: What's that? There is a check of your domain, 30 minutes old - https://check-your-website.server-daten.de/?q=algominier.com

That's a different problem. You have different IP addresses non-www / www. Non-www doesn't work, www has ipv4 and ipv6, both are ok.

So you should change your non-www ip address. Or create a certificate only with the www domain name.

Hello,

Thank you, would you kindly point me to the instructions / method for the DNS validation route?

Thank you!

If you are using ngrok (I’m a fan as well), shouldn’t your domain point to the ngrok CNAME, rather than your home IP address?

(Or whatever the equivalent is for the reverse tunneling solution you use, if not ngrok).

Hello, yes, the CNAME does point to the ngrok servers, which is why I am wondering how to do this.

I also added an A record with the server’s IP address in addition to the CNAME (which points to ngrok), to see if that will work …

Right now, your domain only points to your Verizon address. There is no CNAME.

You can’t have an A record and a CNAME at the same time.

There you can't install the certificate.

They don’t need to, they’re probably just forwarding port 443 entirely.

So you’re telling me if I use a service like ngrok, then I can’t install let’s encrypt SSL?

See your configuration - https://check-your-website.server-daten.de/?q=algominier.com

If you have a CNAME yourdomain -> another domain, you have to install the certificate on the destination machine.

So you must install the certificate there - X.X.X.X. Is that possible?

That's how certificates work. It's not ngrok-specific.

So typically: If customers of a service use CNAME to point domain names to that service, that service creates the required certificates.

Hello, thank you for your response. May I request that you kindly remove your last post listing the ip address of my domain, I don't want it published. I'll be removing the A record as well and just keep the ngrok cname.

Hello, requesting that you please remove this post … thank you.

Hi @AlgoSignals, I’ve edited @JuergenAuer's post and yours to remove IPs.
