NGNIX Proxy Manager SSL Certificate auto-renewal

Installation
#1

I have setup HA with NGNIX Proxy manager and Duck DNS and everything was working fine until a couple of days ago I could not access HA via the duckDNS url. I was still able to access HA via the local URL.

My router setup also has portforwarded port 433 to 433 and this is the only port which was forwarded.

After a lot of trouble, was able to figure out that the SSL certificate in NGIX had expired which was causing this issue. Tried to renew the certificate maually in NGNIX (via the UI renew option) but it kept giving me “internal error” and “time out” messages on the NGNIX UI. I then enabled the portforwarding from 8123 to 8123 on the router and did the same action and the certificate got renewed.

My questions are;

  1. Has anyone had thier SSL cert not renew and have you had to manually renew on NGNIX Prox manager?
  2. If you manulaly renewed do you have port forwarding for port 8123 to 8123
  3. Does NGNIX auto renew the SSL Cert? Do I need to do anything special to make this happen?
  4. Do I have to have other ports forwaded (other than 443) for this to work?
#2

I don’t know this NGINX Proxy Manger…

NGINX does not do anything in regard of changing your ssl cert… this is your task.
For letsencrypt certs its recommended to use acme to change the certs…

Hint: I strongly recommend NOT to expose your unencrypted HA to the internet…

#3

Tx.
My question was on how NGNIX Proxy Manager would auto renewal the SSL cert.

#4

Did you forward port 80 and 443 or only port 443? The documentation for both Nginx Proxy Manager and the addon say to do both.

I would guess that forwarding 80 isn’t optional in your case because NPM probably uses the http-01 type challenge by default. For that type of challenge to work Let’s Encrypt will reach out to the domain you requested a cert for on port 80 and expect a specific response otherwise it won’t give you a certificate.

There are other types of challenges. I haven’t used NPM in a bit but when I did I used it with a cloudflare DNS type challenge. But that’s because I had my own domain hosted by cloudflare. I don’t know what other options are available for a duckdns domain.

#5
  1. No it auto renews in NPM. In fact if you look at the NPM addon logs you’ll see it auto retries often.
  2. No you don’t need 8123 open externally.
  3. See response to 1. No it automatically does this.
  4. You’ll need port 80 and 443 to work unless using DNS challenge if so then only 443.