How to use auto renew with ngrok domains?


I am using an SSH tunneling service like ngrok to expose my sites to the internet rather than directly opening up ports 80 and 443 from my server’s internet gateway router.

However, certbot now fails to complete the re-certification.

sudo certbot renew --dry-run

Attempting to renew cert ( from /etc/letsencrypt/renewal/algomini produced an unexpected error: Failed authorization procedure. algomi (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching well-known/acme-challenge/U_6JbPkihWAEkXnqJCRjxuuZzSscqWlEW7TV61j76xs: Timeout during connect (likely firewall problem). Skipping.

What is the solution for this?

Thank you!

Hi @AlgoSignals

you have two options:

  • Open your port 80 (or)
  • switch to dns validation.

But (2) may be manual.


PS: What’s that? There is a check of your domain, 30 minutes old -

That’s a different problem. You have different IP addresses non-www / www. Non-www doesn’t work, www has IPv4 and IPv6, both are ok.

So you should change your non-www IP address. Or create a certificate only with the www domain name.


Thank you, would you kindly point me to the instructions / method for how to do the DNS validation route?

Thank you!

If you are using ngrok (I’m a fan as well), shouldn’t your domain point to the ngrok CNAME, rather than your home IP address?

(Or whatever the equivalent is for the reverse tunneling solution you use, if not ngrok).

Hello, yes, the CNAME does point to the ngrok servers, which is why I am wondering how to do this.

I also added an A record with the server’s IP address in addition to the CNAME (which points to ngrok), to see if that will work …

Right now, your domain only points to your Verizon address. There is no CNAME.

You can’t have an A record and a CNAME at the same time.

There you can’t install the certificate.

They don’t need to, they’re probably just forwarding port 443 entirely.

So you’re telling me if I use a service like ngrok, then I can’t install Let’s Encrypt SSL?

See your configuration -

If you have a CNAME yourdomain -> another domain, you have to install the certificate on the destination machine.

So you must install the certificate there - X.X.X.X. Is that possible?

That’s how certificates work. It’s not ngrok-specific.

So typically: If customers of a service use CNAME to point domain names to that service, that service creates the required certificates.
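A small pre-renewal check for the DNS layout discussed in this thread (an added example, not code from any post): it flags a CNAME sharing a name with other records, www and non-www resolving to different targets, and reports which ACME challenge certbot on the origin host can realistically pass. The record set, the addresses and the tunnel hostname are constructed placeholders, not values from the thread.

```python
# HTTP-01 only works when the name resolves straight to the host running
# certbot with port 80 reachable; behind a CNAME to a tunnel provider the
# challenge request lands at the provider, so DNS-01 (a TXT record under
# _acme-challenge.<name>) is the route that still proves control.
ADDRESS_TYPES = {"A", "AAAA"}

# Constructed sample records as (name, type, value); placeholders only.
SAMPLE_RECORDS = [
    ("example.com", "A", "203.0.113.10"),            # apex: ISP address, port 80 closed
    ("example.com", "CNAME", "tunnel.example.net"),  # also CNAMEd: conflicts with the A
    ("www.example.com", "A", "198.51.100.20"),
    ("www.example.com", "AAAA", "2001:db8::20"),
]


def records_for(records, name):
    """All (type, value) pairs published under one DNS name."""
    return [(t, v) for n, t, v in records if n == name]


def lint_zone(records, apex):
    """Return (problems, challenge): problems is a list of findings, challenge
    maps each name to 'http-01', 'dns-01', or None when validation cannot reach it."""
    problems, challenge = [], {}
    www = "www." + apex
    for name in (apex, www):
        rrs = records_for(records, name)
        types = {t for t, _ in rrs}
        if not rrs:
            problems.append(f"{name}: no records, validation cannot reach it")
            challenge[name] = None
        elif "CNAME" in types:
            if len(rrs) > 1:  # RFC 1034: a CNAME must be the only record at a name
                problems.append(f"{name}: CNAME cannot coexist with other records")
            challenge[name] = "dns-01"  # origin cannot answer HTTP-01 via the tunnel
        elif types <= ADDRESS_TYPES:
            challenge[name] = "http-01"  # direct A/AAAA: origin can serve the token
        else:
            challenge[name] = None
    apex_targets = {v for _, v in records_for(records, apex)}
    www_targets = {v for _, v in records_for(records, www)}
    if apex_targets and www_targets and apex_targets.isdisjoint(www_targets):
        problems.append(f"{apex} and {www} resolve to different targets")
    return problems, challenge


if __name__ == "__main__":
    found, plan = lint_zone(SAMPLE_RECORDS, "example.com")
    print("\n".join(found))
    print(plan)
```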

Hello, thank you for your response. May I request that you kindly remove your last post listing the IP address of my domain? I don’t want it published. I’ll be removing the A record as well and just keep the ngrok CNAME.

Hello, requesting that you please remove this post … thank you.

Hi @AlgoSignals, I’ve edited @JuergenAuer’s post and yours to remove IPs.