[GH-ISSUE #1816] Renew now on SSL Certificates page gives internal error #1340

Open
opened 2026-02-26 07:30:34 +03:00 by kerem · 35 comments
Owner

Originally created by @gent99 on GitHub (Jan 27, 2022).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1816

I'm on v2.9.15 and have a problem with "renew now" on SSL Certificates tab. I get internal error. Tried with different certs for different proxy hosts. Need more info, then please tell me where to find the needed logs.


@H4nSolo commented on GitHub (Jan 28, 2022):

Here is my log about the error:

```text
......
2022-01-28T14:22:01.024729628Z [1/28/2022] [2:22:01 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
2022-01-28T14:22:01.029569645Z [1/28/2022] [2:22:01 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
2022-01-28T14:22:01.031130541Z [1/28/2022] [2:22:01 PM] [Global ] › ℹ info Backend PID 248 listening on port 3000 ...
2022-01-28T14:22:17.143438076Z QueryBuilder#allowEager method is deprecated. You should use allowGraph instead. allowEager method will be removed in 3.0
2022-01-28T14:22:17.144582592Z QueryBuilder#eager method is deprecated. You should use the withGraphFetched method instead. eager method will be removed in 3.0
2022-01-28T14:22:17.150001473Z QueryBuilder#omit is deprecated. This method will be removed in version 3.0
2022-01-28T14:22:17.151648151Z Model#$omit is deprected and will be removed in 3.0.
2022-01-28T14:22:57.515936923Z [1/28/2022] [2:22:57 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #10: domain.xx.xy
2022-01-28T14:22:57.515962942Z [1/28/2022] [2:22:57 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-10" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
2022-01-28T14:22:57.967649739Z [1/28/2022] [2:22:57 PM] [Express ] › ⚠ warning Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-10" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
2022-01-28T14:22:57.967672762Z Another instance of Certbot is already running.
2022-01-28T14:22:57.967676078Z Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmp48pefxkd/log or re-run Certbot with -v for more details.
2022-01-28T14:22:57.967678303Z
2022-01-28T14:26:14.243601235Z [1/28/2022] [2:26:14 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
2022-01-28T14:26:14.243627765Z Failed to renew certificate npm-11 with error: Some challenges have failed.
2022-01-28T14:26:14.243631812Z All renewals failed. The following certificates could not be renewed:
2022-01-28T14:26:14.243634167Z /etc/letsencrypt/live/npm-11/fullchain.pem (failure)
2022-01-28T14:26:14.243636241Z 1 renew failure(s), 0 parse failure(s)
2022-01-28T14:26:14.243638555Z
2022-01-28T14:26:14.243640709Z at ChildProcess.exithandler (node:child_process:397:12)
2022-01-28T14:26:14.243642783Z at ChildProcess.emit (node:events:390:28)
2022-01-28T14:26:14.243644787Z at maybeClose (node:internal/child_process:1064:16)
2022-01-28T14:26:14.243646760Z at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
```

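The log above actually shows two different failures in one run: a renewal blocked because another certbot process still holds the lock, and a later renewal that reaches Let's Encrypt but fails its ACME challenge for npm-11. The script below is an added example (not from the thread or the Nginx Proxy Manager project) that triages NPM backend log lines into those two classes; the sample lines are constructed to mirror the format of the log posted above, and the container name you would pass to `docker logs` on a real host is yours, not something the thread gives.

```shell
#!/bin/sh
# Added example: classify NPM backend log lines into the two renewal failure
# modes seen in this thread. Run on a real host as:
#   docker logs <your-npm-container> 2>&1 | classify_renew_log

# classify_renew_log < log
# Prints one "LOCK ..." line if the certbot lock was contended, plus one
# "CHALLENGE <cert-name>: <reason>" line per certificate that failed to renew.
# Output is sorted so callers can compare it deterministically.
classify_renew_log() {
  awk '
    /Another instance of Certbot is already running/ { lock = 1 }
    /Failed to renew certificate / {
      # e.g. "Failed to renew certificate npm-11 with error: Some challenges have failed."
      name = $0
      sub(/^.*Failed to renew certificate /, "", name)
      sub(/ with error:.*$/, "", name)
      reason = $0
      sub(/^.*with error: /, "", reason)
      failed[name] = reason
    }
    END {
      if (lock) print "LOCK stale certbot instance blocked the renewal; look for leftover certbot processes before retrying"
      for (n in failed) print "CHALLENGE " n ": " failed[n]
    }' | sort
}

# Constructed sample, modelled on the log in this thread (not a real capture).
SAMPLE_LOG='[SSL ] info Renewing certificates for Cert #10: example.test
[SSL ] info Command: certbot renew --force-renewal --cert-name "npm-10" --preferred-challenges "dns,http"
[Express ] warning Command failed: certbot renew --force-renewal --cert-name "npm-10"
Another instance of Certbot is already running.
[SSL ] error Error: Command failed: certbot renew --non-interactive --quiet
Failed to renew certificate npm-11 with error: Some challenges have failed.
Failed to renew certificate npm-12 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
2 renew failure(s), 0 parse failure(s)'

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | classify_renew_log
```

A LOCK finding points at the stuck-process problem PavelkaDavid describes further down (fix the leftover process, not the certificate), while a CHALLENGE finding means the CA could not validate the domain, which is a DNS, port-forwarding or webroot problem rather than anything the "renew now" button can fix.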

@PavelkaDavid commented on GitHub (Jan 29, 2022):

Hi, I have been solving this too. I don't know why, but some of my certificates cannot be renewed as it outputs "Connection refused" for acme-challenge as shown in the picture.

![image](https://user-images.githubusercontent.com/42189607/151658596-3d9dad54-a397-4223-a65b-c8aaaa5f1d68.png)

If this happens, then after each restart of NPM there are stuck processes as shown in the next image, which results in "Another instance of Certbot is already running."

![image](https://user-images.githubusercontent.com/42189607/151658638-bc962cc1-9e7e-4198-a9a8-a7211a291490.png)

If you kill these processes, then you can create a new certificate for these domains and it will work as it should (renew will not work). Then go to your host and assign the new certificate to it. Then you can delete the old one.

After these changes are done, you can try to restart your NPM and see if those processes are still there. If not, then you are OK and you can make sure by issuing a renew.

Hope this helps and I am looking forward to this being fixed. I don't know what causes this, but it happens on all of my 4 NPM installs for only some domains.


@gent99 commented on GitHub (Jan 31, 2022):

Where can I find those logs?

In npm/data/logs I find
letsencrypt-requests_access.log
letsencrypt-requests_error.log
letsencrypt-requests.log

but they don't show me any errors like in your posts.


@PavelkaDavid commented on GitHub (Feb 1, 2022):

> where can i find those logs?
>
> in npm/data/logs i find letsencrypt-requests_access.log letsencrypt-requests_error.log letsencrypt-requests.log
>
> but they don't show me any errors like in your posts

I have found this log here: /var/log/letsencrypt/letsencrypt.log


@Gh0stRocket commented on GitHub (Feb 6, 2022):

Hi,
I have created a bash script which will fix the error. It creates symbolic links for all required files and optionally deletes the old *.pem files. For me it fixed the problem:

Just go to your `/etc/letsencrypt/live` directory, create a script and paste the content below.

`touch /etc/letsencrypt/live/fix.sh`

Make it executable:

`chmod +x /etc/letsencrypt/live/fix.sh`

And run it:

`cd /etc/letsencrypt/live/ && ./fix.sh`

At the end of the script you will be asked if you want to delete the old files which are no longer needed.

After running the script restart your nginxproxymanager instance.

```shell
#!/usr/bin/env bash
# Run from /etc/letsencrypt/live. For every npm-* certificate directory, replace
# regular *.pem files with the symlinks certbot expects, each pointing at the
# matching versioned copy in ../../archive/npm-*/ (e.g. fullchain.pem -> fullchain1.pem).

DELETE_ME=()

for i in $(find . -name "npm-*" -type d); do
	pushd "${i}" &>/dev/null || continue
	RELATIVE_PATH=$(echo "${i}" | sed 's/\.\///g')
	# find all regular (non symbolic link) files
	for t in $(find . -name "*.pem" -type f); do
		# remove ./ path prefix
		FILE_TO_LINK=$(echo "${t}" | sed 's/\.\///g')
		# archive copies carry a version number before the extension: cert.pem -> cert1.pem
		NEW_FILE_NAME=$(echo "${FILE_TO_LINK}" | sed 's/\./1\./g')
		TARGET="../../archive/${RELATIVE_PATH}/${NEW_FILE_NAME}"
		echo "${RELATIVE_PATH}/${FILE_TO_LINK} needs to be linked"
		# never swap a real file for a dangling link: skip when the archive copy is missing
		if [[ ! -f "${TARGET}" ]]; then
			echo "failure: ${TARGET} does not exist, leaving ${RELATIVE_PATH}/${FILE_TO_LINK} untouched"
			continue
		fi
		echo "Moving ${RELATIVE_PATH}/${FILE_TO_LINK} to ${RELATIVE_PATH}/${FILE_TO_LINK}.bak"
		mv "${FILE_TO_LINK}" "${FILE_TO_LINK}".bak
		DELETE_ME+=("${RELATIVE_PATH}/${FILE_TO_LINK}.bak")
		echo "linking ${TARGET} to ${RELATIVE_PATH}/${FILE_TO_LINK}"
		if ln -s "${TARGET}" "${FILE_TO_LINK}"; then
			echo "success"
		else
			echo "failure"
		fi
	done
	popd &>/dev/null
done

if (( ${#DELETE_ME[@]} > 0 )); then
	echo -e "\nOld *.pem files:\n"
	echo "${DELETE_ME[*]}"
	echo "Do you want to delete the old *.pem files? (y/n) "
	read -r delete

	if [[ "${delete}" == "y" || "${delete}" == "yes" ]]; then
		for y in "${DELETE_ME[@]}"; do
			rm "${y}"
		done
	fi
else
	echo "Nothing to be done."
fi
```
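Before running a script that moves key material around, it is worth knowing whether the live/ directory is actually in the broken state it repairs. The following is an added example, not code from the thread or from the Nginx Proxy Manager project: a read-only audit that reports regular files and dangling symlinks under live/npm-*/ without moving or linking anything. It assumes certbot's standard layout (live/<name>/*.pem as symlinks into ../../archive/<name>/) and NPM's npm-<id> directory names as they appear in the logs above; the sample tree it builds under mktemp is constructed for the demo and contains no real keys.

```shell
#!/bin/sh
# Added example: non-destructive audit of certbot's live/ directory layout.
# On a real host:  audit_live_dir /etc/letsencrypt/live

# audit_live_dir LIVE_DIR
# Prints one line per *.pem under LIVE_DIR/npm-*/ and returns 1 if any entry is
# a regular file (certbot expects symlinks here) or a symlink whose target is gone.
audit_live_dir() {
  live_dir="$1"
  status=0
  for cert_dir in "$live_dir"/npm-*/; do
    [ -d "$cert_dir" ] || continue
    for f in "$cert_dir"*.pem; do
      # a broken symlink fails -e but passes -L; an unmatched glob fails both
      [ -e "$f" ] || [ -L "$f" ] || continue
      if [ -L "$f" ]; then
        if [ -e "$f" ]; then
          echo "OK      $f -> $(readlink "$f")"
        else
          echo "BROKEN  $f -> $(readlink "$f") (target missing)"
          status=1
        fi
      else
        echo "REGULAR $f (expected a symlink into ../../archive/)"
        status=1
      fi
    done
  done
  return "$status"
}

# build_sample_layout ROOT
# Constructs a throwaway letsencrypt tree: npm-1 is healthy, npm-2 shows both
# failure modes (regular files in live/, and a link whose archive copy is missing).
build_sample_layout() {
  root="$1"
  mkdir -p "$root/archive/npm-1" "$root/archive/npm-2" "$root/live/npm-1" "$root/live/npm-2"
  for n in cert chain fullchain privkey; do
    echo "constructed sample, not a real key or certificate" > "$root/archive/npm-1/${n}1.pem"
    ln -s "../../archive/npm-1/${n}1.pem" "$root/live/npm-1/${n}.pem"
  done
  echo "constructed sample" > "$root/live/npm-2/fullchain.pem"
  echo "constructed sample" > "$root/live/npm-2/privkey.pem"
  ln -s "../../archive/npm-2/cert1.pem" "$root/live/npm-2/cert.pem"
}

# Stand-alone demo: audit the constructed tree instead of the real /etc/letsencrypt.
ROOT=$(mktemp -d)
build_sample_layout "$ROOT"
if audit_live_dir "$ROOT/live"; then
  echo "live/ layout looks healthy"
else
  echo "live/ layout needs repair (see REGULAR/BROKEN lines above)"
fi
rm -rf "$ROOT"
```

A REGULAR line is the state the fix script above addresses; a BROKEN line is what that script would have produced for a missing archive copy, which is why the link target should be checked before a real file is moved aside. Nothing here reads the contents of the .pem files, so it is safe to run as a routine health check.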

@cptskippy commented on GitHub (Mar 24, 2022):

For anyone experiencing this issue, I was able to fix my setup using the following steps:

  1. Navigate to Proxy Hosts
  2. Edit a Host entry with a bad SSL Cert
  3. Navigate to the SSL Tab
  4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
  5. Click Save
  6. Navigate to SSL Certificates
  7. Delete the old Certificate

After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.

I don't know what caused the problem or if it will come back but at least for now it appears to be working.


@Waldorf3 commented on GitHub (Sep 15, 2022):

> For anyone experiencing this issue, I was able to fix my setup using the following steps:
>
>   1. Navigate to Proxy Hosts
>   2. Edit a Host entry with a bad SSL Cert
>   3. Navigate to the SSL Tab
>   4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
>   5. Click Save
>   6. Navigate to SSL Certificates
>   7. Delete the old Certificate
>
> After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.
>
> I don't know what caused the problem or if it will come back but at least for now it appears to be working.

This just creates an "Internal error", no new cert.


@TheFreeman commented on GitHub (Oct 25, 2022):

The same on my side.
Any new suggestions?


@abdros commented on GitHub (Apr 10, 2023):

I had the same issue and solved it by adding a DNS CAA record for the HOST.MYDOMAIN.TLD and setting letsencrypt.org as an authorized certificate provider (I use EasyDNS).
What made me think of this was an email that letsencrypt had sent some time ago regarding this soon-to-come requirement from DNS providers.
Nginx Proxy Manager v2.7.1
Hope this helps others.

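A CAA record only matters when the zone already has one: with no issue/issuewild records at all, any CA may issue, but once a record exists, a CA not listed in it must refuse, which surfaces in NPM as a failed challenge. The following is an added example (not from the thread or the Nginx Proxy Manager project) that evaluates a record set the way a CA must under RFC 8659, including the issuewild rule that governs the wildcard case raised later in this thread. It reads records in the text form `dig` prints; the records and hostname in the sample are constructed.

```shell
#!/bin/sh
# Added example: evaluate CAA records for a would-be issuer.
# On a real host:  dig +short CAA example.test | caa_allows letsencrypt.org 0

# caa_allows ISSUER_DOMAIN WILDCARD(0|1) < records
# Reads lines of the form:  FLAGS TAG "VALUE"   (as printed by dig)
# Returns 0 if ISSUER_DOMAIN may issue for the name, 1 if CAA forbids it:
#  - no issue/issuewild records at all: any CA may issue
#  - wildcard name: issuewild records apply if any exist, otherwise issue records
#  - non-wildcard name: only issue records apply
#  - a value of ";" explicitly forbids issuance
# The flags byte (critical bit) is not evaluated here.
caa_allows() {
  awk -v issuer="$1" -v wildcard="$2" '
    NF >= 3 {
      tag = tolower($2)
      # value is everything between the quotes; parameters after ";" are dropped
      val = $0
      sub(/^[^"]*"/, "", val)
      sub(/".*$/, "", val)
      sub(/;.*$/, "", val)
      gsub(/[ \t]/, "", val)
      val = tolower(val)
      if (tag == "issue")     { n_issue++; if (val == issuer) ok_issue = 1 }
      if (tag == "issuewild") { n_wild++;  if (val == issuer) ok_wild  = 1 }
    }
    END {
      if (wildcard == "1" && n_wild > 0) exit (ok_wild ? 0 : 1)
      if (n_issue > 0)                   exit (ok_issue ? 0 : 1)
      exit 0
    }'
}

# Constructed record set: letsencrypt.org may issue for the host itself, no CA
# may issue a wildcard, and violations are reported to the iodef address.
CAA_SAMPLE='0 issue "letsencrypt.org"
0 issuewild ";"
0 iodef "mailto:hostmaster@example.test"'

# Stand-alone demo over the constructed records.
for wild in 0 1; do
  if printf '%s\n' "$CAA_SAMPLE" | caa_allows letsencrypt.org "$wild"; then
    echo "wildcard=$wild: letsencrypt.org may issue"
  else
    echo "wildcard=$wild: CAA forbids letsencrypt.org"
  fi
done
```

Run against the real zone before blaming NPM: if the function returns 1 for the issuer and name type you are requesting, no amount of re-issuing from the GUI will help until the DNS record is corrected.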

@AlmightyJojo commented on GitHub (Jun 10, 2023):

npm 2.10.1. Out of nowhere expired certs + symlink error on npm startup. Internal error in GUI. GoDaddy DNS challenge cert.
Gh0stRocket's script did indeed fix renewal and all existing proxy hosts updated. Whew.
What's not clear is whether the symlink creation fix is permanent or not. I believe it is... This renewal issue with either npm / certbot really could use some attention.


@github-actions[bot] commented on GitHub (Feb 25, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@Palmdale95 commented on GitHub (Mar 16, 2024):

For me the issue is still there:
```text
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
Failed to renew certificate npm-4 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-1/fullchain.pem (failure)
/etc/letsencrypt/live/npm-2/fullchain.pem (failure)
/etc/letsencrypt/live/npm-3/fullchain.pem (failure)
/etc/letsencrypt/live/npm-4/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)

at ChildProcess.exithandler (node:child_process:422:12)
at ChildProcess.emit (node:events:517:28)
at maybeClose (node:internal/child_process:1098:16)
at ChildProcess._handle.onexit (node:internal/child_process:303:5)
```

@deMathias commented on GitHub (Jul 3, 2024):

I just get internal error in NPM gui when trying to renew wildcard cert (*.domain.ltd)


@Reetryyy commented on GitHub (Aug 12, 2024):

I encountered the same issue when trying to renew certificates using the NPM GUI. Removing the certificate that failed to renew and requesting new ones resolved the problem for me.


@timguy99 commented on GitHub (Oct 25, 2024):

> > For anyone experiencing this issue, I was able to fix my setup using the following steps:
> >
> >   1. Navigate to Proxy Hosts
> >   2. Edit a Host entry with a bad SSL Cert
> >   3. Navigate to the SSL Tab
> >   4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
> >   5. Click Save
> >   6. Navigate to SSL Certificates
> >   7. Delete the old Certificate
> >
> > After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.
> > I don't know what caused the problem or if it will come back but at least for now it appears to be working.
>
> This just create an "Internal error", no new cert.

Same issue for me but following these steps seemed to work. Be nice to see this fixed though so we don't have to do things manually.


@justanotherdude48 commented on GitHub (Nov 19, 2024):

> For anyone experiencing this issue, I was able to fix my setup using the following steps:
>
> 1. Navigate to Proxy Hosts
>
> 2. Edit a Host entry with a bad SSL Cert
>
> 3. Navigate to the SSL Tab
>
> 4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
>
> 5. Click Save
>
> 6. Navigate to SSL Certificates
>
> 7. Delete the old Certificate
>
> After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.
>
> I don't know what caused the problem or if it will come back but at least for now it appears to be working.

I'm seeing this issue still. I need to pull the logs... which I will do shortly. The suggested fix still produced an 'internal error'. In fact, trying to renew the cert and following these instructions above has made it so I'm no longer able to connect to the site due to 'SSL_ERROR_UNRECOGNIZED_NAME_ALERT'.

I had to go back and manually assign the old cert to get it up again.

I deleted the working cert and attempted to manually create a new one. Received the following error in the gui.

```text
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --agree-tos --authenticator webroot --email "xxxxxxxxxxx" --preferred-challenges "dns,http" --domains "xxxxxxxxx"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```

@Palmdale95 commented on GitHub (Nov 19, 2024):

Every 2-3 months the same procedure for all hosts. It just does not work automatically. I'm really evaluating giving zoraxy a try because this is really annoying.


@justanotherdude48 commented on GitHub (Nov 19, 2024):

> For anyone experiencing this issue, I was able to fix my setup using the following steps:
>
> 1. Navigate to Proxy Hosts
>
> 2. Edit a Host entry with a bad SSL Cert
>
> 3. Navigate to the SSL Tab
>
> 4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
>
> 5. Click Save
>
> 6. Navigate to SSL Certificates
>
> 7. Delete the old Certificate
>
> After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.
> I don't know what caused the problem or if it will come back but at least for now it appears to be working.
>
> I'm seeing this issue still. I need to pull the logs... which I will do shortly. The suggested fix still produced an 'internal error'. In fact, trying to renew the cert and following these instructions above has made it where I'm not longer able to connect to the site due to 'SSL_ERROR_UNRECOGNIZED_NAME_ALERT'
>
> I had to go back and manually assign the old cert to get it up again.
>
> I deleted the working cert and attempted to manually create a new one. Received the following error in the gui.
>
> Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --agree-tos --authenticator webroot --email "xxxxxxxxxxx" --preferred-challenges "dns,http" --domains "xxxxxxxxx" Saving debug log to /tmp/letsencrypt-log/letsencrypt.log Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
>
> at ChildProcess.exithandler (node:child_process:402:12)
> at ChildProcess.emit (node:events:513:28)
> at maybeClose (node:internal/child_process:1100:16)
> at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Interestingly enough this started working, but I can't tell you why.

I was running `certbot -v renew` commands in the CLI from the docker container and it was throwing errors like:

"Certbot failed to authenticate some domains "

"Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet."

So I verified the DNS records again, my port forwarding, etc. Everything seemed good. I basically kept fiddling with nginx until suddenly the renew button from the site settings itself just worked all of a sudden. A previous reboot hadn't helped either. It's a mystery.


@joanjgm commented on GitHub (Dec 1, 2024):

> Hi, I have created a bash script which will fix the error. It creates symbolic links for all required files and optionally deletes the old *.pem files. For me it fixed the problem:
>
> Just go to your `/etc/letsencrypt/live` directory, create a script and paste the content below.
>
> `touch /etc/letsencrypt/live/fix.sh`
>
> Make it executable:
>
> `chmod +x /etc/letsencrypt/live/fix.sh`
>
> And run it:
>
> `cd /etc/letsencrypt/live/ && ./fix.sh`
>
> At the end of the script you will be asked if you want to delete the old files which are no longer needed.
>
> After running the script restart your nginxproxymanager instance.
>
> ```shell
> #!/usr/bin/env bash
>
> DELETE_ME=()
>
> for i in $(find . -name "npm-*" -type d); do
> 	pushd "${i}" &>/dev/null
> 	RELATIVE_PATH=$(echo "${i}" | sed 's/\.\///g')
> 	# find all regular (non symbolic link) files
> 	for t in $(find . -name "*.pem" -type f); do
> 		# remove ./ path prefix
> 		FILE_TO_LINK=$(echo "${t}" | sed 's/\.\///g')
> 		NEW_FILE_NAME=$(echo "${FILE_TO_LINK}" | sed 's/\./1\./g')
> 		echo "${RELATIVE_PATH}/${FILE_TO_LINK} needs to be linked"
> 		echo "Moving ${RELATIVE_PATH}/${FILE_TO_LINK} to ${RELATIVE_PATH}/${FILE_TO_LINK}.bak"
> 		mv "${FILE_TO_LINK}" "${FILE_TO_LINK}".bak
> 		DELETE_ME+=("${RELATIVE_PATH}/${FILE_TO_LINK}.bak")
> 		echo "linking ../../archive/${RELATIVE_PATH}/${NEW_FILE_NAME} to ${RELATIVE_PATH}/${FILE_TO_LINK}"
> 		ln -s ../../archive/"${RELATIVE_PATH}"/"${NEW_FILE_NAME}" "${FILE_TO_LINK}"
> 		if [[ "$?" == 0 ]]; then
> 			echo "success"
> 		else
> 			echo "failure"
> 		fi
> 	done
> 	popd &>/dev/null
> done
>
> if [[ -n ${DELETE_ME} ]]; then
> 	echo -e "\nOld *.pem files:\n"
> 	echo "${DELETE_ME[*]}"
> 	echo "Do you want to delete the old *.pem files? (y/n) "
> 	read delete
>
> 	if [[ "${delete}" == "y" || "${delete}" == "yes" ]]; then
> 		for y in "${DELETE_ME[@]}"; do
> 			rm "${y}"
> 		done
> 	fi
> else
> 	echo "Nothing to be done."
> fi
> ```

This Fixed it! Thanks!


@FloStar3000 commented on GitHub (Dec 23, 2024):

> Hi, I have created a bash script which will fix the error. It creates symbolic links for all required files and optionally deletes the old *.pem files. For me it fixed the problem:
>
> Just go to your `/etc/letsencrypt/live` directory, create a script and paste the content below.
>
> `touch /etc/letsencrypt/live/fix.sh`
>
> Make it executable:
>
> `chmod +x /etc/letsencrypt/live/fix.sh`
>
> And run it:
>
> `cd /etc/letsencrypt/live/ && ./fix.sh`
>
> At the end of the script you will be asked if you want to delete the old files which are no longer needed.
>
> After running the script restart your nginxproxymanager instance.
>
> ```shell
> #!/usr/bin/env bash
>
> DELETE_ME=()
>
> for i in $(find . -name "npm-*" -type d); do
> 	pushd "${i}" &>/dev/null
> 	RELATIVE_PATH=$(echo "${i}" | sed 's/\.\///g')
> 	# find all regular (non symbolic link) files
> 	for t in $(find . -name "*.pem" -type f); do
> 		# remove ./ path prefix
> 		FILE_TO_LINK=$(echo "${t}" | sed 's/\.\///g')
> 		NEW_FILE_NAME=$(echo "${FILE_TO_LINK}" | sed 's/\./1\./g')
> 		echo "${RELATIVE_PATH}/${FILE_TO_LINK} needs to be linked"
> 		echo "Moving ${RELATIVE_PATH}/${FILE_TO_LINK} to ${RELATIVE_PATH}/${FILE_TO_LINK}.bak"
> 		mv "${FILE_TO_LINK}" "${FILE_TO_LINK}".bak
> 		DELETE_ME+=("${RELATIVE_PATH}/${FILE_TO_LINK}.bak")
> 		echo "linking ../../archive/${RELATIVE_PATH}/${NEW_FILE_NAME} to ${RELATIVE_PATH}/${FILE_TO_LINK}"
> 		ln -s ../../archive/"${RELATIVE_PATH}"/"${NEW_FILE_NAME}" "${FILE_TO_LINK}"
> 		if [[ "$?" == 0 ]]; then
> 			echo "success"
> 		else
> 			echo "failure"
> 		fi
> 	done
> 	popd &>/dev/null
> done
>
> if [[ -n ${DELETE_ME} ]]; then
> 	echo -e "\nOld *.pem files:\n"
> 	echo "${DELETE_ME[*]}"
> 	echo "Do you want to delete the old *.pem files? (y/n) "
> 	read delete
>
> 	if [[ "${delete}" == "y" || "${delete}" == "yes" ]]; then
> 		for y in "${DELETE_ME[@]}"; do
> 			rm "${y}"
> 		done
> 	fi
> else
> 	echo "Nothing to be done."
> fi
> ```

Be careful when running this script! It made my NGINX proxy manager container crash upon restart!
Please read the script and understand what it does before running it.

It did not work for me at first, because most of my archive/npm-xx folders did not have chain1.pem, privkey1.pem etc.; for some reason they started with chain2.pem etc. in most of the folders. You need to update the script so it does not point to chain1.pem etc. but to one that exists, or create the links manually, as I did for one folder. If there are symlinks in the live folder that point to a non-existing file, proxy manager refuses to start.
After dealing with that, it fixed my issue, thanks!


@KiddRedd commented on GitHub (Dec 24, 2024):

Experienced this last year and just yesterday. I was able to renew OTHER certificates and request new certificates (without challenge). But three particular ones kept giving "Internal Error". I figured I'd look inside the docker container and didn't see anything out of the ordinary...

The problem is resolved by deleting the old certificate and requesting a new one. No changes were made to the docker instance, the DNS of the domain or changes to my network configuration. Just happens out of nowhere, lol.


@bisand commented on GitHub (Jan 20, 2025):

I also struggled with this, but fixed it with a bash script slightly different from the one created by @Gh0stRocket (Thanks!). The script reads all the *.pem files from the folder structure inside the /etc/letsencrypt/archive folder and creates the same folder structure inside the /etc/letsencrypt/live folder, containing a symbolic link to the latest version of the corresponding archive *.pem file. (See example at the bottom)

The script will take a backup of all npm-* folders inside /etc/letsencrypt/live folder and then delete the same folders. The backup file is called live.tar.gz and is placed inside the parent directory.

WARNING!
You should always be careful of running scripts you find online. I have tested it on my setup, but cannot guarantee that it will work for you. I totally agree with @FloStar3000. Please read the script before you continue!

Just go to your /etc/letsencrypt/live directory, create a script and paste the content below.

touch /etc/letsencrypt/live/fix.sh

Make it executable:

chmod +x /etc/letsencrypt/live/fix.sh

And run it:

cd /etc/letsencrypt/live/ && ./fix.sh

./fix.sh script

```bash
#!/usr/bin/env bash

ARCHIVE_DIR="../archive"
LIVE_DIR="../live"

# Ensure the script is run from the LIVE_DIR and the directory ends with 'live'
if [[ "$(pwd)" != "$(realpath "$LIVE_DIR")" || ! "$(basename "$(pwd)")" == "live" ]]; then
    echo "Please run the script from the \"live\" directory."
    exit 1
fi

tar -czf ../live.tar.gz ./npm-*
rm -rf ./npm-*

# Find all directories in the archive
for dir in $(find "$ARCHIVE_DIR" -name "npm-*" -type d); do
    # Create the corresponding directory in the live directory if it doesn't exist
    relative_dir="${dir#$ARCHIVE_DIR/}"
    echo "Relative: $relative_dir"
    mkdir -p "$LIVE_DIR/$relative_dir"
    echo "Processing: $LIVE_DIR/$relative_dir"

    # Find the latest version of each .pem file in the current directory
    for base_name in $(find "$dir" -name "*.pem" -type f | sed -E 's/[0-9]+\.pem$//' | sort -u); do
        latest_file=$(find "$dir" -name "$(basename "$base_name")[0-9]*.pem" -type f | sort -V | tail -n 1)
        if [[ -n "$latest_file" ]]; then
            # Create a symbolic link in the live directory using absolute paths
            ln -sf "$(realpath "$latest_file")" "$LIVE_DIR/$relative_dir/$(basename "$base_name").pem"
            echo "Linked $(realpath "$latest_file") to $LIVE_DIR/$relative_dir/$(basename "$base_name").pem"
        else
            echo "No latest file found for base name $base_name in $dir"
        fi
    done
done
```

Example content of one of the npm-* folders after running the script:

```
ls -hal --color /etc/letsencrypt/live/npm-1/
total 4.0K
drwxr-xr-x  2 root root   79 Jan 20 12:55 .
drwx------ 39 root root 4.0K Jan 20 12:55 ..
lrwxrwxrwx  1 root root   41 Jan 20 12:55 cert.pem -> /etc/letsencrypt/archive/npm-1/cert11.pem
lrwxrwxrwx  1 root root   42 Jan 20 12:55 chain.pem -> /etc/letsencrypt/archive/npm-1/chain11.pem
lrwxrwxrwx  1 root root   46 Jan 20 12:55 fullchain.pem -> /etc/letsencrypt/archive/npm-1/fullchain11.pem
lrwxrwxrwx  1 root root   44 Jan 20 12:55 privkey.pem -> /etc/letsencrypt/archive/npm-1/privkey11.pem
```
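Both repair scripts in this thread (the one by @Gh0stRocket quoted above, which links to the `*1.pem` files, and @bisand's, which picks the newest version) rewrite `live/` in place, and @FloStar3000 reported that a link to a file that does not exist stops the proxy from starting. What is missing is a way to see the state of `live/` before touching it. The script below is an added example, not part of the issue thread or of Nginx Proxy Manager: a read-only audit that, for each `live/npm-*/<base>.pem`, reports whether it is a symlink to the newest `archive/` version, a symlink to an older one, a dangling symlink, a plain file copied into `live/`, or missing. It assumes the standard certbot layout under `/etc/letsencrypt` (override with `LE_ROOT`); the directory names `npm-*` and the four base names come from the listings in the thread.

```shell
#!/usr/bin/env sh
# Added read-only audit of certbot's live/ symlinks (not from the issue thread
# or from Nginx Proxy Manager). Assumes the standard certbot layout:
#   $LE_ROOT/archive/npm-N/<base><ver>.pem   versioned files
#   $LE_ROOT/live/npm-N/<base>.pem           symlinks into archive/
# Nothing is modified; it only reports what a repair script would touch.

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# Print the highest <ver> for which archive/<cert>/<base><ver>.pem exists,
# or an empty line if there is none.
latest_version() {
  cert="$1"; base="$2"; best=""
  for f in "$LE_ROOT/archive/$cert/$base"[0-9]*.pem; do
    [ -f "$f" ] || continue        # an unmatched glob stays literal; skip it
    n="${f##*/}"                   # strip directory
    n="${n#"$base"}"               # strip base name  -> "<ver>.pem"
    n="${n%.pem}"                  # strip extension  -> "<ver>"
    if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best="$n"; fi
  done
  printf '%s\n' "$best"
}

# Classify each live/<cert>/<base>.pem. Prints "<STATE> <cert> <base>" per
# base name and returns 1 if anything other than OK was found.
#   OK        symlink resolving to the newest archive version
#   STALE     symlink resolving to an older archive version
#   DANGLING  symlink whose target does not exist (nginx refuses to start)
#   REGULAR   a plain file copied into live/; certbot expects a symlink here
#   MISSING   nothing at that path at all
audit_cert() {
  cert="$1"; rc=0
  for base in cert chain fullchain privkey; do
    link="$LE_ROOT/live/$cert/$base.pem"
    want="$(latest_version "$cert" "$base")"
    if [ -L "$link" ]; then
      if [ ! -e "$link" ]; then
        state=DANGLING
      elif [ -n "$want" ] && [ "$(readlink -f "$link")" != \
           "$(readlink -f "$LE_ROOT/archive/$cert/$base$want.pem")" ]; then
        state=STALE
      else
        state=OK
      fi
    elif [ -e "$link" ]; then
      state=REGULAR
    else
      state=MISSING
    fi
    [ "$state" = OK ] || rc=1
    printf '%s %s %s\n' "$state" "$cert" "$base"
  done
  return "$rc"
}

# Walk every npm-* lineage under live/; returns 1 if any of them is not OK.
audit_all() {
  all_rc=0
  for d in "$LE_ROOT"/live/npm-*/; do
    [ -d "$d" ] || continue
    audit_cert "$(basename "$d")" || all_rc=1
  done
  return "$all_rc"
}

# Usage: LE_ROOT=/etc/letsencrypt sh audit-live.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_all; fi
```

Run it inside the container (or wherever `/etc/letsencrypt` is mounted) before and after any repair: a clean tree prints only `OK` lines and exits 0, `REGULAR` lines are the condition the scripts above repair, and a `DANGLING` line after a repair is the case @FloStar3000 hit.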


@leonbohmann commented on GitHub (Feb 18, 2025):

For me the root of the issue is the "Force SSL" switch. Let's Encrypt seems to rely on HTTP requests to find the ACME. So when choosing to force SSL the automatic renew does not work because HTTP is not allowed.

Still, every couple of months I have to renew my certificates by disabling the Force SSL option, renewing the certificate manually in the "SSL Certificates" tab and then enabling the option again.

Thinking about switching to Traefik. I did the renewing a couple of times now and it gets annoying.


@gent99 commented on GitHub (Feb 19, 2025):

@leonbohmann HTTP has to be allowed for the npm server's IP from the outside and not for the proxy hosts. NPM is contacting ACME and not the proxy hosts. So the Force SSL option is irrelevant in this case.


@leonbohmann commented on GitHub (Feb 19, 2025):

> @leonbohmann HTTP has to be allowed for the npm Server's IP from the outside and not for the proxy hosts. NPM is contacting ACME and not the proxy hosts. So Force SSL option is irrelevant in this case.

Interesting. As soon as I disable the Force SSL the renew works for me. What might be the issue then?


@Palmdale95 commented on GitHub (Feb 19, 2025):

Ok, so if I understand correctly then this should normally work, if set for the npm?

Image


@gent99 commented on GitHub (Feb 19, 2025):

> Ok, so if I understand correctly then this should normaly work, if set for the npm?
>
> Image

If "npm" means one of your proxy hosts and not npm itself, yes.


@Palmdale95 commented on GitHub (Feb 19, 2025):

ok. I have this set for every proxy host.


@leonbohmann commented on GitHub (Feb 25, 2025):

Nice, if I enable HTTP/2 Support it works for me.
I don't need to disable the Force SSL.

Thank you!


@BadWolf97 commented on GitHub (Apr 9, 2025):

I can confirm that trying to renew the certificate with "Force SSL" fails (according to the access.log, the request is sent to the underlying service)

[09/Apr/2025:07:24:58 +0000] - - 301 - GET http {REDACTED} "/.well-known/acme-challenge/VZ..y-exBkFbGPMvQVMwRx8W.......-1s429X...M" [Client {REDACTED}] [Length 166] [Gzip -] [Sent-to paperless] "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

If I disable the Option, the renewal process works fine.

Version v2.12.3
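The access-log line above is the whole diagnosis: the validation server's request for `/.well-known/acme-challenge/...` came in over plain HTTP and got a `301`, so the challenge file was never served. The snippet below is an added example, not from the issue thread or from Nginx Proxy Manager: a small sh/awk check that reads proxy-host access-log lines in the format quoted above and flags every ACME challenge request that was not answered with a 2xx. The sample lines are constructed in that format; hostnames, client addresses, tokens and the `Sent-to` upstream names are made up.

```shell
#!/usr/bin/env sh
# Added example (not from the issue thread or from Nginx Proxy Manager):
# scan proxy-host access-log lines for ACME HTTP-01 challenge requests that
# did not get a 2xx answer, i.e. the /.well-known/acme-challenge/ request was
# redirected (the Force SSL symptom) or failed at the upstream instead of
# being served by the proxy itself.

# Constructed sample lines in the log format shown in the thread.
sample_log() {
  cat <<'EOF'
[09/Apr/2025:07:24:58 +0000] - - 301 - GET http proxy.example.test "/.well-known/acme-challenge/tokenA" [Client 203.0.113.5] [Length 166] [Gzip -] [Sent-to paperless] "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
[09/Apr/2025:07:25:01 +0000] - - 200 - GET http proxy.example.test "/.well-known/acme-challenge/tokenB" [Client 203.0.113.5] [Length 87] [Gzip -] [Sent-to paperless] "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
[09/Apr/2025:07:25:03 +0000] - - 301 - GET http proxy.example.test "/index.html" [Client 198.51.100.7] [Length 166] [Gzip -] [Sent-to paperless] "curl/8.0" "-"
[09/Apr/2025:07:25:09 +0000] - - 404 - GET http other.example.test "/.well-known/acme-challenge/tokenC" [Client 203.0.113.9] [Length 0] [Gzip -] [Sent-to wiki] "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
EOF
}

# Read log lines on stdin; print "<status> <host> <sent-to> <path>" for each
# challenge request whose status is not 2xx. Field positions follow the
# format above: $5 is the status, $9 the host, the first quoted field the path.
flag_acme_misroutes() {
  awk '
  index($0, "\"/.well-known/acme-challenge/") > 0 {
    status = $5; host = $9
    split($0, q, "\"")                 # q[2] is the request path
    path = q[2]
    sent_to = "-"
    p = index($0, "[Sent-to ")
    if (p > 0) {
      rest = substr($0, p + 9)         # text after "[Sent-to "
      sent_to = substr(rest, 1, index(rest, "]") - 1)
    }
    if (status !~ /^2/) print status, host, sent_to, path
  }'
}

# Number of flagged lines, for a quick pass/fail check.
count_acme_misroutes() {
  flag_acme_misroutes | wc -l | tr -d ' '
}

sample_log | flag_acme_misroutes
```

Point it at a real proxy-host log with `flag_acme_misroutes < /data/logs/proxy-host-N_access.log` (path as used by the NPM container; adjust for your install). Any `301` on the challenge path means a redirect rule is matching before the challenge location; the challenge must be answered over plain HTTP on the proxy itself, ahead of any forced HTTPS redirect, for HTTP-01 renewal to succeed.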


@ftoledo commented on GitHub (May 12, 2025):

Any news on a fix for this bug at the docker image level?


@ftoledo commented on GitHub (May 12, 2025):

> I can confirm that trying to renew the certificate with "Force SSL" fails (according to the access.log, the request is sent to the underlying service)
>
> [09/Apr/2025:07:24:58 +0000] - - 301 - GET http {REDACTED} "/.well-known/acme-challenge/VZ..y-exBkFbGPMvQVMwRx8W.......-1s429X...M" [Client {REDACTED}] [Length 166] [Gzip -] [Sent-to paperless] "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
>
> If I disable the Option, the renewal process works fine.
>
> Version v2.12.3

I confirm too that disabling Force SSL from Gui let it work.


@W1BTR commented on GitHub (Sep 4, 2025):

Would love to have automatic renewal working again, as that's one of the big goals of npm - anyone figured out a way to accomplish this?


@iChifau commented on GitHub (Jan 24, 2026):

Whats the update on this?


@4fd81048-Brian commented on GitHub (Feb 1, 2026):

NPM 2.13.6 and my certificates started expiring. Turning off Force SSL for each proxy host allowed them to renew.
