NGINX Proxy Manager SSL Certificate auto-renewal

I have set up HA with NGINX Proxy Manager and Duck DNS and everything was working fine until a couple of days ago, when I could not access HA via the DuckDNS URL. I was still able to access HA via the local URL.

My router setup also has port-forwarded port 433 to 433 and this is the only port which was forwarded.

After a lot of trouble, I was able to figure out that the SSL certificate in NGINX had expired, which was causing this issue. I tried to renew the certificate manually in NGINX (via the UI renew option) but it kept giving me “internal error” and “time out” messages on the NGINX UI. I then enabled the port forwarding from 8123 to 8123 on the router and did the same action and the certificate got renewed.

My questions are:

  1. Has anyone had their SSL cert not renew and have you had to manually renew on NGINX Proxy Manager?
  2. If you manually renewed, do you have port forwarding for port 8123 to 8123?
  3. Does NGINX auto-renew the SSL cert? Do I need to do anything special to make this happen?
  4. Do I have to have other ports forwarded (other than 443) for this to work?

I don’t know this NGINX Proxy Manager…

NGINX does not do anything in regard of changing your ssl cert… this is your task.
For letsencrypt certs it’s recommended to use acme to change the certs…

Hint: I strongly recommend NOT to expose your unencrypted HA to the internet…

Tx.
My question was on how NGINX Proxy Manager would auto-renew the SSL cert.

Did you forward port 80 and 443 or only port 443? The documentation for both Nginx Proxy Manager and the addon say to do both.

I would guess that forwarding 80 isn’t optional in your case because NPM probably uses the http-01 type challenge by default. For that type of challenge to work Let’s Encrypt will reach out to the domain you requested a cert for on port 80 and expect a specific response otherwise it won’t give you a certificate.

There are other types of challenges. I haven’t used NPM in a bit but when I did I used it with a cloudflare DNS type challenge. But that’s because I had my own domain hosted by cloudflare. I don’t know what other options are available for a duckdns domain.

  1. No it auto renews in NPM. In fact if you look at the NPM addon logs you’ll see it auto retries often.
  2. No you don’t need 8123 open externally.
  3. See response to 1. No it automatically does this.
  4. You’ll need port 80 and 443 to work unless using DNS challenge if so then only 443.

You say that it does autorenew, but mine doesn’t.
I have NPM 2.9.19 running in a container on a separate NAS (not as a HA Addon).
Is there anywhere in NPM a setting where the number of days prior to expiry can be set?
I have a log folder inside the config folder, but there are no logfiles there with renewal entries. All that’s there are a number of proxy-host access log files.
Where should I look for the renewal log file?
(I do have port 80 and 433 permanently pointing to NPM)

Mine does and I never change a setting for it either. I don’t use it in HA addon either and I run it in docker in two locations (on premise and VPS). I am using DNS challenge though, that’s the only thing different to your setup so maybe port issue? You should try and configure DNS challenge and then you can block port 80 too.

I don’t know what DNS challenge is or how to configure it. I’m not using dynDNS, if that’s got anything to do with it.

Take a look here and you’ll see how it works. I use mine with Cloudflare.
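
An added example, not part of any post in this thread: a small check that can run on a schedule to catch a stalled renewal before the certificate expires, and to confirm that port 80 is reachable for the http-01 challenge discussed above. The function names and the 30-day renewal window are assumptions of this example, and the hostname is whatever public name you pass on the command line.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: renewal should have happened by this point

def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days from `now` until the certificate's notAfter timestamp."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def classify(days: int) -> str:
    """Status a scheduled job can alert on."""
    if days < 0:
        return "EXPIRED"
    return "RENEWAL_OVERDUE" if days < RENEW_WINDOW_DAYS else "OK"

def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """notAfter of the certificate served on host:port (chain is validated)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def port_open(host: str, port: int, timeout: float = 5.0) -> bool:
    """TCP reachability only; run from outside the LAN to test the port forward."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check(host: str) -> str:
    try:
        days = days_remaining(fetch_not_after(host), datetime.now(timezone.utc))
        cert = f"{classify(days)} ({days} days left)"
    except ssl.SSLCertVerificationError as exc:
        # An already-expired certificate fails validation and lands here.
        cert = f"INVALID ({exc.verify_message})"
    except OSError as exc:
        cert = f"UNREACHABLE ({exc})"
    port80 = "open" if port_open(host, 80) else "closed, http-01 renewal cannot succeed"
    return f"{host}: certificate {cert}; port 80 {port80}"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_cert.py <public-hostname>")
    print(check(sys.argv[1]))
```

Run it from a machine outside your own network, since a check from inside the LAN does not exercise the router's port forwarding.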