Let's Encrypt - Nginx Proxy Pass - Renewal Fails

Hello there,

I have a beijing aws ec2 server ( standard apache ami )

A couple of months ago, we needed to setup a micro aws ec2 instance in the NINGXIA region and setup it up as a reverse proxy pointing to the BEIJING server to compensate for the congestion in peak hours.

Speed has increased drastically as a results.

However I wanted to renew our SSL due to expire in a few days and realized the usual certbot renew does not work anymore,

It now produce this output when typing certbot renew on the BEIJING server:
Attempting to renew cert (www.domain.com) from /etc/letsencrypt/renewal/www.domain.com.conf produced an unexpected error:
Failed authorization www.domain.com (http-01): urn:ietf:params:acme:error:connection ::
The server could not connect to the client to verify the domain ::
www.domain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.domain.com/.well-known/acme-challenge/aKnEwaTH0d07hlEHwhKl4JIrIvNdzc5pTvEfaNQUPVM: Connection refused. Skipping.

I can login to a root shell on my machine (yes or no, or I don’t know): YES

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

NINGXIA SERVER - Nginx settings
events {
use epoll;
worker_connections 4096;
}

stream {
server {
listen 443;
proxy_connect_timeout 10s;
proxy_timeout 300s;
proxy_pass BEIJING_SERVER_IP:443;
}
server {
listen 3008;
proxy_connect_timeout 10s;
proxy_timeout 300s;
proxy_pass BEIJING_SERVER_IP:3008;
}
}

I’m guessing I need to update the NINGXIA Nginx settings but have no idea what to do,

Cheers,
Orion

1 Like

You’re only forwarding (proxy_pass) ports 443 and 3008.
The LE authentication request is via HTTP (port 80).
Where do those go?

Whichever server is running certbot needs to receive the HTTP (port 80) requests.

1 Like

That worked. I feel a little dumb there, Thanks mate :slight_smile:

1 Like