[GH-ISSUE #1625] Internal error on SSL certificates when force SSL is active

kerem commented

2026-02-26 06:36:16 +03:00

Owner

Originally created by @Mystery-X on GitHub (Dec 2, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1625

[12/2/2021] [3:03:23 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
Connection Error: Error: read ECONNRESET
Connection Error: Error: read ECONNRESET
[12/2/2021] [3:54:36 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #3: <**masked**>
[12/2/2021] [3:54:36 PM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-3" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
[12/2/2021] [3:54:39 PM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-3" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to renew certificate npm-3 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0

When disabling the Force SSL option the renewal went flawless.

[12/2/2021] [3:56:34 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #3: <**masked**>
[12/2/2021] [3:56:34 PM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-3" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
[12/2/2021] [3:56:40 PM] [SSL      ] › ℹ  info      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-3.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for <**masked**>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/npm-3/fullchain.pem (success)

So to me it looks like NPM is also trying to forward the http request for cert renewal to SSL and thus it fails to complete the request.

Originally created by @Mystery-X on GitHub (Dec 2, 2021). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1625 ``` [12/2/2021] [3:03:23 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation Failed to renew certificate npm-2 with error: Some challenges have failed. Failed to renew certificate npm-3 with error: Some challenges have failed. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-2/fullchain.pem (failure) /etc/letsencrypt/live/npm-3/fullchain.pem (failure) 2 renew failure(s), 0 parse failure(s) at ChildProcess.exithandler (node:child_process:397:12) at ChildProcess.emit (node:events:390:28) at maybeClose (node:internal/child_process:1064:16) at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5) Connection Error: Error: read ECONNRESET Connection Error: Error: read ECONNRESET [12/2/2021] [3:54:36 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #3: <**masked**> [12/2/2021] [3:54:36 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-3" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation [12/2/2021] [3:54:39 PM] [Express ] › ⚠ warning Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-3" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation Saving debug log to /var/log/letsencrypt/letsencrypt.log Failed to renew certificate npm-3 with error: Some challenges have failed. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-3/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s) Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0 ``` When disabling the Force SSL option the renewal went flawless. ![image](https://user-images.githubusercontent.com/1607068/144459868-f58ceb51-fe30-45fd-80d5-3f6d427b480b.png) ``` [12/2/2021] [3:56:34 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #3: <**masked**> [12/2/2021] [3:56:34 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-3" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation [12/2/2021] [3:56:40 PM] [SSL ] › ℹ info - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/npm-3.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Renewing an existing certificate for <**masked**> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations, all renewals succeeded: /etc/letsencrypt/live/npm-3/fullchain.pem (success) ``` So to me it looks like NPM is also trying to forward the http request for cert renewal to SSL and thus it fails to complete the request.

kerem added the

stale

bug

labels

2026-02-26 06:36:16 +03:00

kerem commented

2026-02-26 06:36:16 +03:00

Author

Owner

@chaptergy commented on GitHub (Dec 2, 2021):

Please provide us with the full letsencrypt logs. See https://github.com/jc21/nginx-proxy-manager/issues/1271#user-content-certificate-error

@chaptergy commented on GitHub (Dec 2, 2021): Please provide us with the full letsencrypt logs. See https://github.com/jc21/nginx-proxy-manager/issues/1271#user-content-certificate-error

kerem commented

2026-02-26 06:36:16 +03:00

Author

Owner

@Mystery-X commented on GitHub (Dec 2, 2021):

It's not the full, but it contains the proof that it failed to access the file needed todo the verification.

2021-12-02 15:54:39,525:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/<**masked**> HTTP/1.1" 200 1353
2021-12-02 15:54:39,526:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 Dec 2021 15:54:39 GMT
Content-Type: application/json
Content-Length: 1353
Connection: keep-alive
Boulder-Requester: 122098528
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101KB-iImdk_v4_E8qeaJBpzYY_-RvkALfB9wFV7ilE8Gc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "<**masked**>"
  },
  "status": "invalid",
  "expires": "2021-12-09T15:54:37Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching https://<**masked**>/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY: Error getting validation data",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/<**masked**>/<**masked**>",
      "token": "lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY",
      "validationRecord": [
        {
          "url": "http://<**masked**>/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY",
          "hostname": "<**masked**>",
          "port": "80",
          "addressesResolved": [
            "<**masked**>"
          ],
          "addressUsed": "<**masked**>"
        },
        {
          "url": "https://<**masked**>/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY",
          "hostname": "<**masked**>",
          "port": "443",
          "addressesResolved": [
            "<**masked**>"
          ],
          "addressUsed": "<**masked**>"
        }
      ],
      "validated": "2021-12-02T15:54:38Z"
    }
  ]
}
2021-12-02 15:54:39,526:DEBUG:acme.client:Storing nonce: <**masked**>
2021-12-02 15:54:39,526:INFO:certbot._internal.auth_handler:Challenge failed for domain <**masked**>
2021-12-02 15:54:39,526:INFO:certbot._internal.auth_handler:http-01 challenge for <**masked**>
2021-12-02 15:54:39,526:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: <**masked**>
  Type:   connection
  Detail: Fetching https://<**masked**>/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2021-12-02 15:54:39,527:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-12-02 15:54:39,527:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-12-02 15:54:39,527:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-12-02 15:54:39,527:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY
2021-12-02 15:54:39,527:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-12-02 15:54:39,528:ERROR:certbot._internal.renewal:Failed to renew certificate npm-3 with error: Some challenges have failed.
2021-12-02 15:54:39,529:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 475, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1386, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 122, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 335, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 389, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-12-02 15:54:39,529:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-12-02 15:54:39,529:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2021-12-02 15:54:39,529:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
2021-12-02 15:54:39,529:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-12-02 15:54:39,529:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1460, in renew
    renewal.handle_renewal_request(config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 501, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2021-12-02 15:54:39,530:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

@Mystery-X commented on GitHub (Dec 2, 2021): It's not the full, but it contains the proof that it failed to access the file needed todo the verification. ``` 2021-12-02 15:54:39,525:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/<**masked**> HTTP/1.1" 200 1353 2021-12-02 15:54:39,526:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Thu, 02 Dec 2021 15:54:39 GMT Content-Type: application/json Content-Length: 1353 Connection: keep-alive Boulder-Requester: 122098528 Cache-Control: public, max-age=0, no-cache Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" Replay-Nonce: 0101KB-iImdk_v4_E8qeaJBpzYY_-RvkALfB9wFV7ilE8Gc X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 { "identifier": { "type": "dns", "value": "<**masked**>" }, "status": "invalid", "expires": "2021-12-09T15:54:37Z", "challenges": [ { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:connection", "detail": "Fetching https://<**masked**>/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY: Error getting validation data", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/<**masked**>/<**masked**>", "token": "lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY", "validationRecord": [ { "url": "http://<**masked**>/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY", "hostname": "<**masked**>", "port": "80", "addressesResolved": [ "<**masked**>" ], "addressUsed": "<**masked**>" }, { "url": "https://<**masked**>/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY", "hostname": "<**masked**>", "port": "443", "addressesResolved": [ "<**masked**>" ], "addressUsed": "<**masked**>" } ], "validated": "2021-12-02T15:54:38Z" } ] } 2021-12-02 15:54:39,526:DEBUG:acme.client:Storing nonce: <**masked**> 2021-12-02 15:54:39,526:INFO:certbot._internal.auth_handler:Challenge failed for domain <**masked**> 2021-12-02 15:54:39,526:INFO:certbot._internal.auth_handler:http-01 challenge for <**masked**> 2021-12-02 15:54:39,526:DEBUG:certbot._internal.display.obj:Notifying user: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: <**masked**> Type: connection Detail: Fetching https://<**masked**>/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY: Error getting validation data Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. 2021-12-02 15:54:39,527:DEBUG:certbot._internal.error_handler:Encountered exception: Traceback (most recent call last): File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations self._poll_authorizations(authzrs, max_retries, best_effort) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations raise errors.AuthorizationError('Some challenges have failed.') certbot.errors.AuthorizationError: Some challenges have failed. 2021-12-02 15:54:39,527:DEBUG:certbot._internal.error_handler:Calling registered functions 2021-12-02 15:54:39,527:INFO:certbot._internal.auth_handler:Cleaning up challenges 2021-12-02 15:54:39,527:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/lKn4ocQjD6nyrS2_SZbE-Gw32s6uedE-jAo4mTYAcdY 2021-12-02 15:54:39,527:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up 2021-12-02 15:54:39,528:ERROR:certbot._internal.renewal:Failed to renew certificate npm-3 with error: Some challenges have failed. 2021-12-02 15:54:39,529:DEBUG:certbot._internal.renewal:Traceback was: Traceback (most recent call last): File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 475, in handle_renewal_request main.renew_cert(lineage_config, plugins, renewal_candidate) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1386, in renew_cert renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 122, in _get_and_save_cert renewal.renew_cert(config, domains, le_client, lineage) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 335, in renew_cert new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 389, in obtain_certificate orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations self._poll_authorizations(authzrs, max_retries, best_effort) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations raise errors.AuthorizationError('Some challenges have failed.') certbot.errors.AuthorizationError: Some challenges have failed. 2021-12-02 15:54:39,529:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2021-12-02 15:54:39,529:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed: 2021-12-02 15:54:39,529:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/npm-3/fullchain.pem (failure) 2021-12-02 15:54:39,529:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2021-12-02 15:54:39,529:DEBUG:certbot._internal.log:Exiting abnormally: Traceback (most recent call last): File "/opt/certbot/bin/certbot", line 8, in <module> sys.exit(main()) File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 15, in main return internal_main.main(cli_args) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1574, in main return config.func(config, plugins) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1460, in renew renewal.handle_renewal_request(config) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 501, in handle_renewal_request len(renew_failures), len(parse_failures))) certbot.errors.Error: 1 renew failure(s), 0 parse failure(s) 2021-12-02 15:54:39,530:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s) ```

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@chaptergy commented on GitHub (Dec 2, 2021):

Are you using cloudflare? Does the same error occur if you disable cloudflare?

@chaptergy commented on GitHub (Dec 2, 2021): Are you using cloudflare? Does the same error occur if you disable cloudflare?

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@Mystery-X commented on GitHub (Dec 2, 2021):

No there is no cloudflare.
But due to your question I think I start to have an idea what's going on...
NPM is serving this website for internal use only on port 443, I've only opened port 80 to the outside because I was hopeing this was enought (like certbot) to fetch an SSL cert.
But I guess if you enable "Force SSL" it doesn't care if the traffic is going to /.well-known/acme-challenge or not, but instead redirects it always to the SSL port.

@Mystery-X commented on GitHub (Dec 2, 2021): No there is no cloudflare. But due to your question I think I start to have an idea what's going on... NPM is serving this website for internal use only on port 443, I've only opened port 80 to the outside because I was hopeing this was enought (like certbot) to fetch an SSL cert. But I guess if you enable "Force SSL" it doesn't care if the traffic is going to /.well-known/acme-challenge or not, but instead redirects it always to the SSL port.

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@Strugglechen1337 commented on GitHub (Dec 6, 2021):

Hello, i get this if i try to make a new certificate for my nginx proxy manager proxy host

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-14" --agree-tos --authenticator webroot --email "" --preferred-challenges "dns,http" --domains ""
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (child_process.js:308:12)
at ChildProcess.emit (events.js:314:20)
at maybeClose (internal/child_process.js:1022:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)

can someone help me?
I use nginx proxy manager as docker version on unraid

@Strugglechen1337 commented on GitHub (Dec 6, 2021): Hello, i get this if i try to make a new certificate for my nginx proxy manager proxy host Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-14" --agree-tos --authenticator webroot --email "" --preferred-challenges "dns,http" --domains "" Saving debug log to /var/log/letsencrypt/letsencrypt.log An unexpected error occurred: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/ Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. at ChildProcess.exithandler (child_process.js:308:12) at ChildProcess.emit (events.js:314:20) at maybeClose (internal/child_process.js:1022:16) at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5) can someone help me? I use nginx proxy manager as docker version on unraid

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@robertorubioguardia commented on GitHub (Dec 9, 2021):

Hi,

Same here, but not just when force SSL is active but all the time. Can't generate nor renew SSL certificates.

Any help will be gratefully thanked.

app_1  | [12/9/2021] [9:12:17 PM] [Nginx    ] › ℹ  info      Reloading Nginx
app_1  | [12/9/2021] [9:12:17 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #92: keylor.srhosting.net
app_1  | [12/9/2021] [9:12:17 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-92" --agree-tos --authenticator webroot --email "soporte@servidoresrapidos.net" --preferred-challenges "dns,http" --domains "keylor.srhosting.net"
app_1  | [12/9/2021] [9:12:17 PM] [Nginx    ] › ℹ  info      Reloading Nginx
app_1  | [12/9/2021] [9:12:18 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-92" --agree-tos --authenticator webroot --email "soporte@servidoresrapidos.net" --preferred-challenges "dns,http" --domains "keylor.srhosting.net"
app_1  | Another instance of Certbot is already running.
app_1  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpyddaiksx/log or re-run Certbot with -v for more details.

@robertorubioguardia commented on GitHub (Dec 9, 2021): Hi, Same here, but not just when force SSL is active but all the time. Can't generate nor renew SSL certificates. Any help will be gratefully thanked. ``` app_1 | [12/9/2021] [9:12:17 PM] [Nginx ] › ℹ info Reloading Nginx app_1 | [12/9/2021] [9:12:17 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #92: keylor.srhosting.net app_1 | [12/9/2021] [9:12:17 PM] [SSL ] › ℹ info Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-92" --agree-tos --authenticator webroot --email "soporte@servidoresrapidos.net" --preferred-challenges "dns,http" --domains "keylor.srhosting.net" app_1 | [12/9/2021] [9:12:17 PM] [Nginx ] › ℹ info Reloading Nginx app_1 | [12/9/2021] [9:12:18 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-92" --agree-tos --authenticator webroot --email "soporte@servidoresrapidos.net" --preferred-challenges "dns,http" --domains "keylor.srhosting.net" app_1 | Another instance of Certbot is already running. app_1 | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpyddaiksx/log or re-run Certbot with -v for more details. ```

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@the1ts commented on GitHub (Dec 14, 2021):

I don''t believe that force SSL is pushing /well-known/acme-challenge to SSL. I'm able to get the configured 404 error when hitting that path on HTTP as is done by the letsencrypt-acme-challenge.conf, any path outside that does redirect to SSL.

It may look like its forcing that URL to SSL if HSTS is turned on and your browser caches that first. This would not be the case for letsencrypt hitting your website for the challenge since its not designed for SSL communications but just plain HTTP so would ignore the HSTS header leaving it on the HTTP connection.

@the1ts commented on GitHub (Dec 14, 2021): I don''t believe that force SSL is pushing /well-known/acme-challenge to SSL. I'm able to get the configured 404 error when hitting that path on HTTP as is done by the letsencrypt-acme-challenge.conf, any path outside that does redirect to SSL. It may look like its forcing that URL to SSL if HSTS is turned on and your browser caches that first. This would not be the case for letsencrypt hitting your website for the challenge since its not designed for SSL communications but just plain HTTP so would ignore the HSTS header leaving it on the HTTP connection.

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@erdoukki commented on GitHub (Dec 31, 2021):

Same for me (at first)...!
I have checked twice all the Firewall / router redirection to my docker NPM / NextCloud...
I have now the check availability working (and green)...
But too much try on certificate renewal make it postpone... will try later

@erdoukki commented on GitHub (Dec 31, 2021): Same for me (at first)...! I have checked twice all the Firewall / router redirection to my docker NPM / NextCloud... I have now the check availability working (and green)... But too much try on certificate renewal make it postpone... will try later

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@Schlumpf9 commented on GitHub (Apr 26, 2022):

I have the same problem. When turning on force SSL then Certbot is not able to renew the certificate:

2022-04-26 06:56:14,572:INFO:certbot._internal.auth_handler:Challenge failed for domain XY
2022-04-26 06:56:14,572:INFO:certbot._internal.auth_handler:http-01 challenge for XY
2022-04-26 06:56:14,572:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: XY
Type: connection
Detail: IP: Fetching https://XY/well-known/acme-challenge/lqC8CqFhvzDci89waVFP_4-GgUWqqh273mA6Plv5naI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2022-04-26 06:56:14,572:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-04-26 06:56:14,572:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-04-26 06:56:14,572:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-04-26 06:56:14,572:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/lqC8CqFhvzDci89waVFP_4-GgUWqqh273mA6Plv5naI
2022-04-26 06:56:14,573:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2022-04-26 06:56:14,573:ERROR:certbot._internal.renewal:Failed to renew certificate npm-9 with error: Some challenges have failed.
2022-04-26 06:56:14,573:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 485, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1441, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 127, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 345, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 424, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 476, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

If i connect to the container and try to curl https://XY/well-known/acme-challenge/lqC8CqFhvzDci89waVFP_4-GgUWqqh273mA6Plv5naI I receive a 404 error so there is no firewall issue there. Requesting http will response with a redirect 301. If i turn off force SSL for the specific domain and try to renew the certificate everything works. So i can definitely agree that forcing SSL prevents certbot from cert renewal... Really annoying -.-

@Schlumpf9 commented on GitHub (Apr 26, 2022): I have the same problem. When turning on `force SSL` then Certbot is not able to renew the certificate: > 2022-04-26 06:56:14,572:INFO:certbot._internal.auth_handler:Challenge failed for domain XY > 2022-04-26 06:56:14,572:INFO:certbot._internal.auth_handler:http-01 challenge for XY > 2022-04-26 06:56:14,572:DEBUG:certbot._internal.display.obj:Notifying user: > Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: > Domain: XY > Type: connection > Detail: IP: Fetching https://XY/well-known/acme-challenge/lqC8CqFhvzDci89waVFP_4-GgUWqqh273mA6Plv5naI: Timeout during connect (likely firewall problem) > > Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. > > 2022-04-26 06:56:14,572:DEBUG:certbot._internal.error_handler:Encountered exception: > Traceback (most recent call last): > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations > self._poll_authorizations(authzrs, max_retries, best_effort) > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations > raise errors.AuthorizationError('Some challenges have failed.') > certbot.errors.AuthorizationError: Some challenges have failed. > > 2022-04-26 06:56:14,572:DEBUG:certbot._internal.error_handler:Calling registered functions > 2022-04-26 06:56:14,572:INFO:certbot._internal.auth_handler:Cleaning up challenges > 2022-04-26 06:56:14,572:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/lqC8CqFhvzDci89waVFP_4-GgUWqqh273mA6Plv5naI > 2022-04-26 06:56:14,573:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up > 2022-04-26 06:56:14,573:ERROR:certbot._internal.renewal:Failed to renew certificate npm-9 with error: Some challenges have failed. > 2022-04-26 06:56:14,573:DEBUG:certbot._internal.renewal:Traceback was: > Traceback (most recent call last): > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 485, in handle_renewal_request > main.renew_cert(lineage_config, plugins, renewal_candidate) > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1441, in renew_cert > renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage) > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 127, in _get_and_save_cert > renewal.renew_cert(config, domains, le_client, lineage) > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 345, in renew_cert > new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key) > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 424, in obtain_certificate > orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names) > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 476, in _get_order_and_authorizations > authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort) > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations > self._poll_authorizations(authzrs, max_retries, best_effort) > File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations > raise errors.AuthorizationError('Some challenges have failed.') > certbot.errors.AuthorizationError: Some challenges have failed. If i connect to the container and try to curl https://XY/well-known/acme-challenge/lqC8CqFhvzDci89waVFP_4-GgUWqqh273mA6Plv5naI I receive a 404 error so there is no firewall issue there. Requesting http will response with a redirect 301. If i turn off force SSL for the specific domain and try to renew the certificate everything works. So i can definitely agree that forcing SSL prevents certbot from cert renewal... Really annoying -.-

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@AtryFox commented on GitHub (May 4, 2022):

I have the same issue here, exactly as described above. As soon as I disable "Force SSL", renewing my certificates works without issues. The renew mechanism should disable "Force SSL" temporarily or add the /well-known/acme-challange/... path as a default rule where SSL is not forced.

@AtryFox commented on GitHub (May 4, 2022): I have the same issue here, exactly as described above. As soon as I disable "Force SSL", renewing my certificates works without issues. The renew mechanism should disable "Force SSL" temporarily or add the /well-known/acme-challange/... path as a default rule where SSL is not forced.

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@the1ts commented on GitHub (May 4, 2022):

I did notice one difference in config over time. The include of force-ssl.conf is in the server section for newly created hosts, but in the location / section for older hosts. I can break currently working proxy hosts by moving the force-ssl.conf include into the server section, outside the location / section.
This change was in #1017, which fixes the custom locations ignoring the force-ssl.conf but appears to override the specific letsencrypt exception to force-ssl.
Therefore, I think the test for redirect needs to test both $scheme = "http" and not contains /.well-known/acme-challenge/
As you can't do multiple conditions in one if or nest them, I think this can be done with setting a variable on $scheme = http to H and concatenating a D to the same variable if outside /.well-known/acme-challenge/ so only do the return 301 if the variable = HD.

So we would have:

HTTP and letsencrypt ("H") don't redirect
HTTP and not letsencrypt ("HD") redirect
HTTPS and letsencrypt ("") don't redirect (already HTTPS)
HTTPS and not letsencrypt ("D") don't redirect (already HTTPS)

Guessing here, but we don't see this issues at first creation since the default_host is hit until the cert is obtained and the proxy_host config is written and nginx HUP'd.

@the1ts commented on GitHub (May 4, 2022): I did notice one difference in config over time. The include of force-ssl.conf is in the server section for newly created hosts, but in the location / section for older hosts. I can break currently working proxy hosts by moving the force-ssl.conf include into the server section, outside the location / section. This change was in #1017, which fixes the custom locations ignoring the force-ssl.conf but appears to override the specific letsencrypt exception to force-ssl. Therefore, I think the test for redirect needs to test both $scheme = "http" and not contains /.well-known/acme-challenge/ As you can't do multiple conditions in one if or nest them, I think this can be done with setting a variable on $scheme = http to H and concatenating a D to the same variable if outside /.well-known/acme-challenge/ so only do the return 301 if the variable = HD. So we would have: 1. HTTP and letsencrypt ("H") don't redirect 2. HTTP and not letsencrypt ("HD") redirect 3. HTTPS and letsencrypt ("") don't redirect (already HTTPS) 4. HTTPS and not letsencrypt ("D") don't redirect (already HTTPS) Guessing here, but we don't see this issues at first creation since the default_host is hit until the cert is obtained and the proxy_host config is written and nginx HUP'd.

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@n0bbi commented on GitHub (May 12, 2022):

Same here, if "Force SSL" is enabled, i'm not able to renew the letsencrypt-certificate.

@n0bbi commented on GitHub (May 12, 2022): Same here, if "Force SSL" is enabled, i'm not able to renew the letsencrypt-certificate.

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@Schlumpf9 commented on GitHub (May 29, 2022):

+1

@Schlumpf9 commented on GitHub (May 29, 2022): +1

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@lazerlabs commented on GitHub (Jun 5, 2022):

+1

@lazerlabs commented on GitHub (Jun 5, 2022): +1

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@lovetox commented on GitHub (Jun 11, 2022):

Disabling Force SSL fixed this problem also for me

@lovetox commented on GitHub (Jun 11, 2022): Disabling `Force SSL` fixed this problem also for me

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@andriuch commented on GitHub (Aug 25, 2022):

Hi
Same here, I'm trying to create a new Letsencrypt certificate, with and without Force SSL checked, respond with Internal Server Error, in Nginx Proxy Manager Log is wrote:

[8/25/2022] [1:34:58 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #4: ********.duckdns.org
[8/25/2022] [1:34:58 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-4" --agree-tos --authenticator webroot --email "****@***.com" --preferred-challenges "dns,http" --domains "********.duckdns.org" 
[8/25/2022] [1:35:22 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[8/25/2022] [1:35:22 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-4" --agree-tos --authenticator webroot --email "****@***.com" --preferred-challenges "dns,http" --domains "********.duckdns.org" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I can't find the logfile /data/logs/letsencrypt/letsencrypt.log

@andriuch commented on GitHub (Aug 25, 2022): Hi Same here, I'm trying to create a new Letsencrypt certificate, with and without Force SSL checked, respond with Internal Server Error, in Nginx Proxy Manager Log is wrote: ``` [8/25/2022] [1:34:58 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #4: ********.duckdns.org [8/25/2022] [1:34:58 PM] [SSL ] › ℹ info Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-4" --agree-tos --authenticator webroot --email "****@***.com" --preferred-challenges "dns,http" --domains "********.duckdns.org" [8/25/2022] [1:35:22 PM] [Nginx ] › ℹ info Reloading Nginx [8/25/2022] [1:35:22 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-4" --agree-tos --authenticator webroot --email "****@***.com" --preferred-challenges "dns,http" --domains "********.duckdns.org" Saving debug log to /data/logs/letsencrypt/letsencrypt.log Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. ``` I can't find the logfile /data/logs/letsencrypt/letsencrypt.log

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@Schlumpf9 commented on GitHub (Sep 9, 2022):

Annoying hat this central functionality is still broken :/

@Schlumpf9 commented on GitHub (Sep 9, 2022): Annoying hat this central functionality is still broken :/

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@EDIflyer commented on GitHub (Oct 2, 2022):

Any thoughts on this @jc21 or others? All my subdomain certs are now up for renewal including the one to access npm itself and all are failing...

10/01/2022 7:26:31 PM
[10/2/2022] [2:26:31 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
10/01/2022 7:31:10 PM
[10/2/2022] [2:31:10 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
10/01/2022 7:31:10 PM
Failed to renew certificate npm-1 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-10 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-11 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-2 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-3 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-4 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-5 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-6 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-7 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-8 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
Failed to renew certificate npm-9 with error: Some challenges have failed.
10/01/2022 7:31:10 PM
All renewals failed. The following certificates could not be renewed:
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-10/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-11/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-5/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-8/fullchain.pem (failure)
10/01/2022 7:31:10 PM
  /etc/letsencrypt/live/npm-9/fullchain.pem (failure)
10/01/2022 7:31:10 PM
11 renew failure(s), 0 parse failure(s)
10/01/2022 7:31:10 PM
10/01/2022 7:31:10 PM
    at ChildProcess.exithandler (node:child_process:399:12)
10/01/2022 7:31:10 PM
    at ChildProcess.emit (node:events:526:28)
10/01/2022 7:31:10 PM
    at maybeClose (node:internal/child_process:1092:16)
10/01/2022 7:31:10 PM
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

EDIT: eventually managed to get back into the npm website (blocked by Chrome due to invalid cert, but Firefox let me bypass the warning) and switching off Force SSL let me renew OK, but with 12 sites it's quite a pain to toggle off, renew, then toggle back on!

@EDIflyer commented on GitHub (Oct 2, 2022): Any thoughts on this @jc21 or others? All my subdomain certs are now up for renewal including the one to access npm itself and all are failing... ``` 10/01/2022 7:26:31 PM [10/2/2022] [2:26:31 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry... 10/01/2022 7:31:10 PM [10/2/2022] [2:31:10 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation 10/01/2022 7:31:10 PM Failed to renew certificate npm-1 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-10 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-11 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-2 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-3 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-4 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-5 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-6 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-7 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-8 with error: Some challenges have failed. 10/01/2022 7:31:10 PM Failed to renew certificate npm-9 with error: Some challenges have failed. 10/01/2022 7:31:10 PM All renewals failed. The following certificates could not be renewed: 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-1/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-10/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-11/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-2/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-3/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-4/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-5/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-6/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-7/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-8/fullchain.pem (failure) 10/01/2022 7:31:10 PM /etc/letsencrypt/live/npm-9/fullchain.pem (failure) 10/01/2022 7:31:10 PM 11 renew failure(s), 0 parse failure(s) 10/01/2022 7:31:10 PM 10/01/2022 7:31:10 PM at ChildProcess.exithandler (node:child_process:399:12) 10/01/2022 7:31:10 PM at ChildProcess.emit (node:events:526:28) 10/01/2022 7:31:10 PM at maybeClose (node:internal/child_process:1092:16) 10/01/2022 7:31:10 PM at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5) ``` EDIT: eventually managed to get back into the npm website (blocked by Chrome due to invalid cert, but Firefox let me bypass the warning) and switching off Force SSL let me renew OK, but with 12 sites it's quite a pain to toggle off, renew, then toggle back on!

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@JulsSkogs commented on GitHub (Nov 17, 2022):

I am also experiencing this issue, but even disabling Force SSL changes nothing. I'll try to get a log tomorrow.

@JulsSkogs commented on GitHub (Nov 17, 2022): I am also experiencing this issue, but even disabling Force SSL changes nothing. I'll try to get a log tomorrow.

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@EDIflyer commented on GitHub (Dec 11, 2022):

So interestingly using :latest I'm still having issues renewing certs but have tried deleting some that wouldn't renew and re-requesting them - they now seem to be renewing OK. Will take a while to re-do them all though!

@EDIflyer commented on GitHub (Dec 11, 2022): So interestingly using :latest I'm still having issues renewing certs but have tried deleting some that wouldn't renew and re-requesting them - they now seem to be renewing OK. Will take a while to re-do them all though!

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@pierluigizagaria commented on GitHub (Jan 10, 2023):

Still having this issue, cannot renew my certificates

@pierluigizagaria commented on GitHub (Jan 10, 2023): Still having this issue, cannot renew my certificates

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@EDIflyer commented on GitHub (Jan 20, 2023):

I'm now having this issue on another site too. If I delete and recreate they seem to work but renewal has been failing.

Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
Failed to renew certificate npm-7 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
[1/20/2023] [1:27:15 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[1/20/2023] [1:32:20 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
Failed to renew certificate npm-7 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
[1/20/2023] [2:27:15 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[1/20/2023] [2:35:58 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
Failed to renew certificate npm-7 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
[1/20/2023] [3:27:15 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[1/20/2023] [3:31:33 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
Failed to renew certificate npm-7 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
[1/20/2023] [4:22:52 AM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #1: npm.***
[1/20/2023] [4:22:52 AM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
[1/20/2023] [4:23:18 AM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to renew certificate npm-1 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[1/20/2023] [4:24:04 AM] [SSL      ] › ℹ  info      Revoking Let'sEncrypt certificates for Cert #2: logs.***
[1/20/2023] [4:24:04 AM] [SSL      ] › ℹ  info      Command: certbot revoke --config "/etc/letsencrypt.ini" --cert-path "/etc/letsencrypt/live/npm-2/fullchain.pem" --delete-after-revoke ; rm -f '/etc/letsencrypt/credentials/credentials-2' || true
[1/20/2023] [4:24:06 AM] [SSL      ] › ℹ  info      Deleted all files relating to certificate npm-2.
Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/npm-2/fullchain.pem.
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[1/20/2023] [4:24:22 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/20/2023] [4:24:27 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #8: logs.***
[1/20/2023] [4:24:27 AM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-8" --agree-tos --authenticator webroot --email "webmaster@***" --preferred-challenges "dns,http" --domains "***" 
[1/20/2023] [4:24:44 AM] [SSL      ] › ✔  success   Requesting a certificate for npm.***
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/npm-8/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/npm-8/privkey.pem
This certificate expires on 2023-04-20.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[1/20/2023] [4:24:44 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/20/2023] [4:24:45 AM] [Nginx    ] › ℹ  info      Reloading Nginx

@jc21 would really appreciate any help here - I keep on having to delete and recreate certs from scratch which with lots of subdomains can take quite a while! Weirdly the other site where I recreated them still seems to be renewing OK?

@EDIflyer commented on GitHub (Jan 20, 2023): I'm now having this issue on another site too. If I delete and recreate they seem to work but renewal has been failing. ``` Failed to renew certificate npm-2 with error: Some challenges have failed. Failed to renew certificate npm-3 with error: Some challenges have failed. Failed to renew certificate npm-7 with error: Some challenges have failed. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-1/fullchain.pem (failure) /etc/letsencrypt/live/npm-2/fullchain.pem (failure) /etc/letsencrypt/live/npm-3/fullchain.pem (failure) /etc/letsencrypt/live/npm-7/fullchain.pem (failure) 4 renew failure(s), 0 parse failure(s) at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5) [1/20/2023] [1:27:15 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry... [1/20/2023] [1:32:20 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation Failed to renew certificate npm-1 with error: Some challenges have failed. Failed to renew certificate npm-2 with error: Some challenges have failed. Failed to renew certificate npm-3 with error: Some challenges have failed. Failed to renew certificate npm-7 with error: Some challenges have failed. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-1/fullchain.pem (failure) /etc/letsencrypt/live/npm-2/fullchain.pem (failure) /etc/letsencrypt/live/npm-3/fullchain.pem (failure) /etc/letsencrypt/live/npm-7/fullchain.pem (failure) 4 renew failure(s), 0 parse failure(s) at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5) [1/20/2023] [2:27:15 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry... [1/20/2023] [2:35:58 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation Failed to renew certificate npm-1 with error: Some challenges have failed. Failed to renew certificate npm-2 with error: Some challenges have failed. Failed to renew certificate npm-3 with error: Some challenges have failed. Failed to renew certificate npm-7 with error: Some challenges have failed. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-1/fullchain.pem (failure) /etc/letsencrypt/live/npm-2/fullchain.pem (failure) /etc/letsencrypt/live/npm-3/fullchain.pem (failure) /etc/letsencrypt/live/npm-7/fullchain.pem (failure) 4 renew failure(s), 0 parse failure(s) at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5) [1/20/2023] [3:27:15 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry... [1/20/2023] [3:31:33 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation Failed to renew certificate npm-1 with error: Some challenges have failed. Failed to renew certificate npm-2 with error: Some challenges have failed. Failed to renew certificate npm-3 with error: Some challenges have failed. Failed to renew certificate npm-7 with error: Some challenges have failed. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-1/fullchain.pem (failure) /etc/letsencrypt/live/npm-2/fullchain.pem (failure) /etc/letsencrypt/live/npm-3/fullchain.pem (failure) /etc/letsencrypt/live/npm-7/fullchain.pem (failure) 4 renew failure(s), 0 parse failure(s) at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5) [1/20/2023] [4:22:52 AM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #1: npm.*** [1/20/2023] [4:22:52 AM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation [1/20/2023] [4:23:18 AM] [Express ] › ⚠ warning Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation Saving debug log to /var/log/letsencrypt/letsencrypt.log Failed to renew certificate npm-1 with error: Some challenges have failed. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-1/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s) Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. [1/20/2023] [4:24:04 AM] [SSL ] › ℹ info Revoking Let'sEncrypt certificates for Cert #2: logs.*** [1/20/2023] [4:24:04 AM] [SSL ] › ℹ info Command: certbot revoke --config "/etc/letsencrypt.ini" --cert-path "/etc/letsencrypt/live/npm-2/fullchain.pem" --delete-after-revoke ; rm -f '/etc/letsencrypt/credentials/credentials-2' || true [1/20/2023] [4:24:06 AM] [SSL ] › ℹ info Deleted all files relating to certificate npm-2. Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/npm-2/fullchain.pem. Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0 [1/20/2023] [4:24:22 AM] [Nginx ] › ℹ info Reloading Nginx [1/20/2023] [4:24:27 AM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #8: logs.*** [1/20/2023] [4:24:27 AM] [SSL ] › ℹ info Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-8" --agree-tos --authenticator webroot --email "webmaster@***" --preferred-challenges "dns,http" --domains "***" [1/20/2023] [4:24:44 AM] [SSL ] › ✔ success Requesting a certificate for npm.*** Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/npm-8/fullchain.pem Key is saved at: /etc/letsencrypt/live/npm-8/privkey.pem This certificate expires on 2023-04-20. These files will be updated when the certificate renews. NEXT STEPS: - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [1/20/2023] [4:24:44 AM] [Nginx ] › ℹ info Reloading Nginx [1/20/2023] [4:24:45 AM] [Nginx ] › ℹ info Reloading Nginx ``` @jc21 would really appreciate any help here - I keep on having to delete and recreate certs from scratch which with lots of subdomains can take quite a while! Weirdly the other site where I recreated them still seems to be renewing OK?

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@EDIflyer commented on GitHub (Jan 20, 2023):

There also seems to be an issue when deleting certificates too (from within the interface!) as end up with these sorts of errors:

01/20/2023 12:34:54 PM
[1/20/2023] [4:34:54 AM] [Express  ] › ⚠  warning   Command failed: /usr/sbin/nginx -t -g "error_log off;"
01/20/2023 12:34:54 PM
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-3/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-3/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
01/20/2023 12:34:54 PM
nginx: configuration file /etc/nginx/nginx.conf test failed
01/20/2023 12:34:54 PM
01/20/2023 12:34:58 PM
[1/20/2023] [4:34:58 AM] [Express  ] › ⚠  warning   Command failed: /usr/sbin/nginx -t -g "error_log off;"
01/20/2023 12:34:58 PM
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-3/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-3/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
01/20/2023 12:34:58 PM
nginx: configuration file /etc/nginx/nginx.conf test failed
01/20/2023 12:34:58 PM
01/20/2023 12:35:35 PM
[1/20/2023] [4:35:35 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
01/20/2023 12:35:35 PM
Failed to renew certificate npm-1 with error: Some challenges have failed.
01/20/2023 12:35:35 PM
Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf is broken.
01/20/2023 12:35:35 PM
The error was: renewal config file {} is missing a required file reference
01/20/2023 12:35:35 PM
Skipping.
01/20/2023 12:35:35 PM
Renewal configuration file /etc/letsencrypt/renewal/npm-5.conf is broken.
01/20/2023 12:35:35 PM
The error was: renewal config file {} is missing a required file reference
01/20/2023 12:35:35 PM
Skipping.
01/20/2023 12:35:35 PM
Renewal configuration file /etc/letsencrypt/renewal/npm-7.conf is broken.
01/20/2023 12:35:35 PM
The error was: renewal config file {} is missing a required file reference
01/20/2023 12:35:35 PM
Skipping.
01/20/2023 12:35:35 PM
All renewals failed. The following certificates could not be renewed:
01/20/2023 12:35:35 PM
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
01/20/2023 12:35:35 PM
1 renew failure(s), 3 parse failure(s)
01/20/2023 12:35:35 PM
01/20/2023 12:35:35 PM
    at ChildProcess.exithandler (node:child_process:402:12)
01/20/2023 12:35:35 PM
    at ChildProcess.emit (node:events:513:28)
01/20/2023 12:35:35 PM
    at maybeClose (node:internal/child_process:1100:16)
01/20/2023 12:35:35 PM
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
01/20/2023 12:35:49 PM
[1/20/2023] [4:35:49 AM] [Express  ] › ⚠  warning   Command failed: /usr/sbin/nginx -t -g "error_log off;"
01/20/2023 12:35:49 PM
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-3/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-3/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
01/20/2023 12:35:49 PM
nginx: configuration file /etc/nginx/nginx.conf test failed

I've found copying existing good directories across to the missing ones then allows re-creation but it seems like the nginx config isn't updated when a cert is deleted? Workaround seems to be to create a new certificate and then delete the old one.

@EDIflyer commented on GitHub (Jan 20, 2023): There also seems to be an issue when deleting certificates too **(from within the interface!)** as end up with these sorts of errors: ``` 01/20/2023 12:34:54 PM [1/20/2023] [4:34:54 AM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t -g "error_log off;" 01/20/2023 12:34:54 PM nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-3/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-3/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) 01/20/2023 12:34:54 PM nginx: configuration file /etc/nginx/nginx.conf test failed 01/20/2023 12:34:54 PM 01/20/2023 12:34:58 PM [1/20/2023] [4:34:58 AM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t -g "error_log off;" 01/20/2023 12:34:58 PM nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-3/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-3/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) 01/20/2023 12:34:58 PM nginx: configuration file /etc/nginx/nginx.conf test failed 01/20/2023 12:34:58 PM 01/20/2023 12:35:35 PM [1/20/2023] [4:35:35 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation 01/20/2023 12:35:35 PM Failed to renew certificate npm-1 with error: Some challenges have failed. 01/20/2023 12:35:35 PM Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf is broken. 01/20/2023 12:35:35 PM The error was: renewal config file {} is missing a required file reference 01/20/2023 12:35:35 PM Skipping. 01/20/2023 12:35:35 PM Renewal configuration file /etc/letsencrypt/renewal/npm-5.conf is broken. 01/20/2023 12:35:35 PM The error was: renewal config file {} is missing a required file reference 01/20/2023 12:35:35 PM Skipping. 01/20/2023 12:35:35 PM Renewal configuration file /etc/letsencrypt/renewal/npm-7.conf is broken. 01/20/2023 12:35:35 PM The error was: renewal config file {} is missing a required file reference 01/20/2023 12:35:35 PM Skipping. 01/20/2023 12:35:35 PM All renewals failed. The following certificates could not be renewed: 01/20/2023 12:35:35 PM /etc/letsencrypt/live/npm-1/fullchain.pem (failure) 01/20/2023 12:35:35 PM 1 renew failure(s), 3 parse failure(s) 01/20/2023 12:35:35 PM 01/20/2023 12:35:35 PM at ChildProcess.exithandler (node:child_process:402:12) 01/20/2023 12:35:35 PM at ChildProcess.emit (node:events:513:28) 01/20/2023 12:35:35 PM at maybeClose (node:internal/child_process:1100:16) 01/20/2023 12:35:35 PM at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5) 01/20/2023 12:35:49 PM [1/20/2023] [4:35:49 AM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t -g "error_log off;" 01/20/2023 12:35:49 PM nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-3/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-3/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) 01/20/2023 12:35:49 PM nginx: configuration file /etc/nginx/nginx.conf test failed ``` I've found copying existing good directories across to the missing ones then allows re-creation but it seems like the nginx config isn't updated when a cert is deleted? Workaround seems to be to create a new certificate and then delete the old one.

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@EDIflyer commented on GitHub (Feb 12, 2023):

Any update on this @jc21 ?

I'm running two servers and one of them seems to be OK...

12/02/2023 10:27:15
[2/12/2023] [10:27:15 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
12/02/2023 10:27:18
[2/12/2023] [10:27:18 AM] [Nginx    ] › ℹ  info      Reloading Nginx
12/02/2023 10:27:18
[2/12/2023] [10:27:18 AM] [SSL      ] › ℹ  info      Renew Complete
12/02/2023 11:27:14
[2/12/2023] [11:27:14 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
12/02/2023 11:27:14
[2/12/2023] [11:27:14 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
12/02/2023 11:27:14
[2/12/2023] [11:27:14 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
12/02/2023 11:27:14
[2/12/2023] [11:27:14 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
12/02/2023 11:27:14
[2/12/2023] [11:27:14 AM] [Nginx    ] › ℹ  info      Reloading Nginx
12/02/2023 11:27:15
[2/12/2023] [11:27:15 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
12/02/2023 11:27:16
[2/12/2023] [11:27:16 AM] [Nginx    ] › ℹ  info      Reloading Nginx
12/02/2023 11:27:17
[2/12/2023] [11:27:17 AM] [SSL      ] › ℹ  info      Renew Complete

The other still has errors...

12/02/2023 12:05:46
Failed to renew certificate npm-17 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-18 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-26 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-29 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-30 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-31 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-32 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-33 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-34 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-35 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-36 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-37 with error: Some challenges have failed.
12/02/2023 12:05:46
Failed to renew certificate npm-38 with error: Some challenges have failed.
12/02/2023 12:05:46
All renewals failed. The following certificates could not be renewed:
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-17/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-18/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-26/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-29/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-30/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-31/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-32/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-33/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-34/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-35/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-36/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-37/fullchain.pem (failure)
12/02/2023 12:05:46
  /etc/letsencrypt/live/npm-38/fullchain.pem (failure)
12/02/2023 12:05:46
13 renew failure(s), 0 parse failure(s)
12/02/2023 12:05:46
12/02/2023 12:05:46
    at ChildProcess.exithandler (node:child_process:402:12)
12/02/2023 12:05:46
    at ChildProcess.emit (node:events:513:28)
12/02/2023 12:05:46
    at maybeClose (node:internal/child_process:1100:16)
12/02/2023 12:05:46
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Yet it was the other way round previously. It's like they get stuck renewing at some point and then that's it!

@EDIflyer commented on GitHub (Feb 12, 2023): Any update on this @jc21 ? I'm running two servers and one of them seems to be OK... ``` 12/02/2023 10:27:15 [2/12/2023] [10:27:15 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry... 12/02/2023 10:27:18 [2/12/2023] [10:27:18 AM] [Nginx ] › ℹ info Reloading Nginx 12/02/2023 10:27:18 [2/12/2023] [10:27:18 AM] [SSL ] › ℹ info Renew Complete 12/02/2023 11:27:14 [2/12/2023] [11:27:14 AM] [IP Ranges] › ℹ info Fetching IP Ranges from online services... 12/02/2023 11:27:14 [2/12/2023] [11:27:14 AM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json 12/02/2023 11:27:14 [2/12/2023] [11:27:14 AM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4 12/02/2023 11:27:14 [2/12/2023] [11:27:14 AM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6 12/02/2023 11:27:14 [2/12/2023] [11:27:14 AM] [Nginx ] › ℹ info Reloading Nginx 12/02/2023 11:27:15 [2/12/2023] [11:27:15 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry... 12/02/2023 11:27:16 [2/12/2023] [11:27:16 AM] [Nginx ] › ℹ info Reloading Nginx 12/02/2023 11:27:17 [2/12/2023] [11:27:17 AM] [SSL ] › ℹ info Renew Complete ``` The other still has errors... ``` 12/02/2023 12:05:46 Failed to renew certificate npm-17 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-18 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-26 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-29 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-30 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-31 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-32 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-33 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-34 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-35 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-36 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-37 with error: Some challenges have failed. 12/02/2023 12:05:46 Failed to renew certificate npm-38 with error: Some challenges have failed. 12/02/2023 12:05:46 All renewals failed. The following certificates could not be renewed: 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-17/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-18/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-26/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-29/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-30/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-31/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-32/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-33/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-34/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-35/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-36/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-37/fullchain.pem (failure) 12/02/2023 12:05:46 /etc/letsencrypt/live/npm-38/fullchain.pem (failure) 12/02/2023 12:05:46 13 renew failure(s), 0 parse failure(s) 12/02/2023 12:05:46 12/02/2023 12:05:46 at ChildProcess.exithandler (node:child_process:402:12) 12/02/2023 12:05:46 at ChildProcess.emit (node:events:513:28) 12/02/2023 12:05:46 at maybeClose (node:internal/child_process:1100:16) 12/02/2023 12:05:46 at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5) ``` Yet it was the other way round previously. It's like they get stuck renewing at some point and then that's it!

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@github-actions[bot] commented on GitHub (Feb 29, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

@github-actions[bot] commented on GitHub (Feb 29, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@rushhee commented on GitHub (Feb 29, 2024):

Did this ever get addressed?

On Thu, 29 Feb 2024, 12:48 pm github-actions[bot], @.***>
wrote:

Issue is now considered stale. If you want to keep it open, please comment
👍

—
Reply to this email directly, view it on GitHub
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1625#issuecomment-1970246539,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/A3I7NSSTCLIEX3YKTPE5TU3YV2EFLAVCNFSM5JHQ3PY2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOJXGAZDINRVGM4Q
.
You are receiving this because you are subscribed to this thread.Message
ID: @.***
com>

@rushhee commented on GitHub (Feb 29, 2024): Did this ever get addressed? On Thu, 29 Feb 2024, 12:48 pm github-actions[bot], ***@***.***> wrote: > Issue is now considered stale. If you want to keep it open, please comment > 👍 > > — > Reply to this email directly, view it on GitHub > <https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1625#issuecomment-1970246539>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/A3I7NSSTCLIEX3YKTPE5TU3YV2EFLAVCNFSM5JHQ3PY2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOJXGAZDINRVGM4Q> > . > You are receiving this because you are subscribed to this thread.Message > ID: ***@***.*** > com> >

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@gabrio79 commented on GitHub (Mar 23, 2024):

any news?

@gabrio79 commented on GitHub (Mar 23, 2024): any news?

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@github-actions[bot] commented on GitHub (Dec 5, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

@github-actions[bot] commented on GitHub (Dec 5, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@EDIflyer commented on GitHub (Dec 5, 2024):

Not fixed, awaiting #3121 to be merged in to fix.

@EDIflyer commented on GitHub (Dec 5, 2024): Not fixed, awaiting #3121 to be merged in to fix.

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@Dams51 commented on GitHub (Apr 7, 2025):

Still not fixed

@Dams51 commented on GitHub (Apr 7, 2025): Still not fixed

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@Duglim commented on GitHub (May 16, 2025):

Can confirm still not fixed.
Currently I have to manually deactivate "force SSL" on all proxy hosts, then manually renew all certificates and finally manually reactivate "force SSL" on all hosts.

Would be a great help, if this could be fixed. Not only to avoid the manual work, more I fear forgetting about this and running out of SSL...

Thx, Duglim

@Duglim commented on GitHub (May 16, 2025): Can confirm still not fixed. Currently I have to manually deactivate "force SSL" on all proxy hosts, then manually renew all certificates and finally manually reactivate "force SSL" on all hosts. Would be a great help, if this could be fixed. Not only to avoid the manual work, more I fear forgetting about this and running out of SSL... Thx, Duglim

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@EDIflyer commented on GitHub (May 16, 2025):

@Duglim might be worth trying my PR #3121 to save you having to keep manually deactivating/reactivating?

@EDIflyer commented on GitHub (May 16, 2025): @Duglim might be worth trying my PR #3121 to save you having to keep manually deactivating/reactivating?

kerem commented

2026-02-26 06:36:17 +03:00

Author

Owner

@github-actions[bot] commented on GitHub (Dec 6, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍

@github-actions[bot] commented on GitHub (Dec 6, 2025): Issue is now considered stale. If you want to keep it open, please comment :+1:

Rows
Columns

[GH-ISSUE #1625] Internal error on SSL certificates when force SSL is active #1219