[GH-ISSUE #2011] SSL certificate error #1453

Open
opened 2026-02-26 07:31:03 +03:00 by kerem · 143 comments
Owner

Originally created by @ahmedelemamn on GitHub (Apr 19, 2022).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2011

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
I have a fresh NPM image running and tried to generate an SSL certificate for my domain.
I tried both HTTP and DNS challenges.
For the HTTP challenge I get this error:

```
Communication with the API failed, is NPM running correctly?
```

or this one:

```
example.example.com: There is no server available at this domain. Please make sure your domain exists and points to the IP where your NPM instance is running and if necessary port 80 is forwarded in your router.
```

For the second error, I made sure my DNS record is configured as DNS only and not proxied on Cloudflare, and I have both port 80 and 443 forwarded on my WAN router.

If I opt for the DNS challenge, I get this error:

```
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-3" --agree-tos --email "xxxx@gmail.com" --domains "example.com" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-3" --dns-cloudflare-propagation-seconds 240
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Encountered CloudFlareAPIError adding TXT record: 10000 Authentication error
Error communicating with the Cloudflare API: Authentication error
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
```

although the API key is working fine:

```
curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
     -H "Authorization: Bearer xxxx" \
     -H "Content-Type:application/json"
{"result":{"id":"96ec8dc212843213fb16d363732e6b34","status":"active"},"success":true,"errors":[],"messages":[{"code":10000,"message":"This API Token is valid and active","type":null}]}
```

Nginx Proxy Manager Version
v2.9.14
I tried the latest as well but I had the same issue. I saw a post here saying that downgrading helped, but unfortunately it didn't help me. Ref. https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1862

To Reproduce
Steps to reproduce the behavior:

  • Go to the tab "SSL Certificates"
  • Click on "Add SSL Certificate"
  • Enter the domains "*.example.com, example.com"
  • Select "Use DNS Challenge", Cloudflare, and set API Key
  • Set Propagation Seconds (450 Seconds) (Optional)

Expected behavior
wildcard SSL certificate to be created

Operating System
ubuntu server 21.10


@Lzyct commented on GitHub (Aug 16, 2022):

Any update about this issue?


@evlo commented on GitHub (Aug 17, 2022):

Can you do *.example.com or just example.com?

Anyway, I have the same error with just example.com after clicking on test, but not when the domain is unavailable; maybe this happens if the domain points to a different location. I'm using Cloudflare DNS without proxy; do I need to use the DNS challenge?

With token I get

```
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.9.12)
```

(Yes, I'm sure, I used the same one in Traefik, but I wanted to switch to something with web UI management.)

Without DNS challenge I get

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

UPDATE: weirdly, after 3 attempts (no change in token) it did succeed, even with wildcard. I don't know what that says about trying the same thing and expecting a different result.
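
An added example, not part of the thread or of the NPM code base: a small lint for the file passed to `--dns-cloudflare-credentials`, reporting whether it is set up for an API token or for the e-mail plus Global API Key pair that the error text above distinguishes, and whether other local users can read it. The three option names come from the certbot-dns-cloudflare plugin documentation (they do not appear on this page); the function names and sample file contents are constructed.

```python
import os
import stat
import tempfile

# Option names from the certbot-dns-cloudflare plugin documentation (assumption:
# the file NPM writes uses the same names; the page does not show its contents).
TOKEN_KEY = "dns_cloudflare_api_token"   # scoped API token
EMAIL_KEY = "dns_cloudflare_email"       # account e-mail, paired with the global key
GLOBAL_KEY = "dns_cloudflare_api_key"    # account-wide Global API Key


def read_credentials(path):
    """Parse 'key = value' lines; blank lines and # comments are skipped."""
    values = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if sep:
                values[key.strip()] = value.strip()
    return values


def lint_credentials(path):
    """Return (auth_mode, findings) for a credentials file.

    auth_mode is one of: token, global-key, mixed, incomplete, none.
    findings is a list of short codes, empty when nothing was flagged.
    """
    findings = []

    # The file holds a secret that can edit DNS, so only its owner should read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("file-readable-by-others")

    creds = read_credentials(path)
    token = creds.get(TOKEN_KEY, "")
    email = creds.get(EMAIL_KEY, "")
    key = creds.get(GLOBAL_KEY, "")

    if token and (email or key):
        auth_mode = "mixed"
        findings.append("token-mixed-with-global-key-fields")
    elif token:
        auth_mode = "token"
    elif email and key:
        auth_mode = "global-key"
        # Works, but the secret grants far more than DNS edits on one zone.
        findings.append("global-key-is-account-wide")
    elif email or key:
        auth_mode = "incomplete"
        findings.append("global-key-needs-both-email-and-key")
    else:
        auth_mode = "none"
        findings.append("no-credentials-found")
    return auth_mode, findings


def write_sample(text, mode):
    """Write a constructed credentials file with the given permission bits."""
    fd, path = tempfile.mkstemp(prefix="credentials-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed samples; the values are placeholders, not real secrets.
    samples = {
        "token only, mode 600": ("dns_cloudflare_api_token = CONSTRUCTED_TOKEN\n", 0o600),
        "token plus e-mail, mode 644": (
            "dns_cloudflare_email = user@example.com\n"
            "dns_cloudflare_api_token = CONSTRUCTED_TOKEN\n",
            0o644,
        ),
    }
    for label, (text, mode) in samples.items():
        path = write_sample(text, mode)
        try:
            print(label, "->", lint_credentials(path))
        finally:
            os.remove(path)
```

The `tokens/verify` call in the original report only shows that a token is active; it says nothing about which of these fields the credentials file uses.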


@vm75 commented on GitHub (Nov 28, 2022):

I am facing the same issue. Have enabled port forwarding for both 80 & 443. keep getting the same errors outlined in the original post


@Evilernie2001 commented on GitHub (Nov 29, 2022):

Same problem here. Can't renew or create SSL via Let's Encrypt.


@BL3CKM00N commented on GitHub (Nov 29, 2022):

guessing im not the only one here today xD


@Yannic-reust commented on GitHub (Nov 29, 2022):

same here


@g4xx commented on GitHub (Nov 29, 2022):

Same here


@CameronMacG commented on GitHub (Nov 29, 2022):

+1


@msawyer91 commented on GitHub (Nov 30, 2022):

I'm seeing the same "Communication with the API failed, is NPM running correctly?" on NPM 2.9.19 on a Raspberry Pi using Docker. The error occurs when I test connectivity, but ultimately succeeded in requesting the certificate from Let's Encrypt.


@HostLabs-LLC commented on GitHub (Nov 30, 2022):

I'm also getting "Communication with the API failed, is NPM running correctly?" after pulling :latest this morning. I'm glad it's not just me, hopefully we get this fixed. Thanks!!!


@BL3CKM00N commented on GitHub (Nov 30, 2022):

Well... u can request a certificate but only the check does currently not work. Requesting and renewing does work just fine ;)


@Barzoo7 commented on GitHub (Dec 1, 2022):

+1 hope solve it


@roo12312 commented on GitHub (Dec 2, 2022):

same here


@DomBrownInOz commented on GitHub (Dec 3, 2022):

Yep. same here?


@xnrbdev commented on GitHub (Dec 3, 2022):

Anyone had any luck with an older version?


@OfficialMuffin commented on GitHub (Dec 3, 2022):

Same issue here


@Srcodesalittle commented on GitHub (Dec 3, 2022):

Same here, please advise


@MarkoS046 commented on GitHub (Dec 4, 2022):

Same here :/


@YuraBogdan commented on GitHub (Dec 5, 2022):

```
Uncaught SyntaxError: Unexpected end of JSON input

FROM
./run: line 19:  1287 Trace/breakpoint trap   (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js
```

Whenever you try to see if the server is reachable, docker logs will display this error.

I've tried to pinpoint the script that triggers it but had no luck so far.


@lazyzyf commented on GitHub (Dec 5, 2022):

```
npm       | `QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
npm       | `QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
npm       | QueryBuilder#omit is deprecated. This method will be removed in version 3.0
npm       | Model#$omit is deprected and will be removed in 3.0.
```


@DelScipio commented on GitHub (Dec 6, 2022):

Same problem in all my servers. Nothing changed, worked fine till it doesn't.


@CristianEduardMihai commented on GitHub (Dec 6, 2022):

Same here. PM works fine on my Oracle Cloud hosts, but I'm facing this issue on my home server.


@kiennt048 commented on GitHub (Dec 7, 2022):

same here, even install latest version hardware


@gylove1994 commented on GitHub (Dec 8, 2022):

same here.


@Radiofreqq commented on GitHub (Dec 9, 2022):

same. no joy. I'm new to all this and I've been beating my head thinking I messed up somewhere.


@bigbeka commented on GitHub (Dec 9, 2022):

I'm having the same issue.


@tarkh commented on GitHub (Dec 9, 2022):

Yep, same issue.


@bigbeka commented on GitHub (Dec 9, 2022):

The only way I was able to get SSL is to Add host and request the SSL through the Host setup process.


@Sebekerga commented on GitHub (Dec 9, 2022):

The wall of "same here" messages doesn't speed up the process of resolving this issue and it creates an unnecessary spam for those who follow issues via email.

If you want to help, please provide additional information such as logs, your settings, info about your setup or anything else that you think might be helpful.

If you want to show that you also are interested in solving this issue, consider just up-voting initial issue message, so that the counter will go up.

But please, stop spamming "same here"

EDIT: Want to make it clear, that I do not think bad of people who posted "same here" and just wanted to point out that it is not the most helpful approach for participating in issues, with peace and love


@bigbeka commented on GitHub (Dec 9, 2022):

@Sebekerga Agreed.

Here are most recent logs with Error/Failed tags. Happy to provide more if these are not helpful.

```
[12/9/2022] [8:44:39 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-13 with error: Some challenges have failed.
Failed to renew certificate npm-14 with error: Some challenges have failed.
Failed to renew certificate npm-15 with error: Some challenges have failed.
Failed to renew certificate npm-17 with error: Some challenges have failed.
Failed to renew certificate npm-18 with error: Some challenges have failed.
Failed to renew certificate npm-20 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-13/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-14/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-15/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-17/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-18/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-20/fullchain.pem (failure)
6 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```


@LucaVignati commented on GitHub (Dec 9, 2022):

After spending the night on it I found what was my issue.

I'm using NPM as a docker in unRAID, and for whatever reason the port settings of the template (where you specify the port forwarding at docker network level) changed.

Instead of forwarding port 180 to the internal port 80 and port 1443 to the internal port 443, the template was forwarding port 180 to port 180 and port 1443 to port 1443.

I changed it back to forwarding to 80 and 443 and now it's working.
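
An added example, not from the thread or from the unRAID template: a check over docker-compose style port strings that reports which of the container ports 80 and 443 have no host port mapped to them, which is the misconfiguration described in the comment above. The function names are hypothetical and the sample lists are constructed from the port numbers quoted in this thread.

```python
"""Check that published ports actually reach the container ports nginx listens on."""

# Container-side ports the proxy serves: 80 for HTTP validation, 443 for HTTPS.
REQUIRED_CONTAINER_PORTS = (80, 443)


def _expand(port_field):
    """Turn '80' or '8000-8002' into a list of ints; '' (no host port given) -> []."""
    if not port_field:
        return []
    low, _, high = port_field.partition("-")
    low, high = int(low), int(high or low)
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port or range: {port_field!r}")
    return list(range(low, high + 1))


def parse_port_mapping(spec):
    """Parse compose short syntax: [host_ip:][host_port:]container_port[/proto].

    Returns a list of (host_port_or_None, container_port, proto) tuples.
    """
    body, _, proto = str(spec).strip().partition("/")
    proto = proto or "tcp"
    # Split from the right so a host IP (including bracketed IPv6) stays in parts[0].
    parts = body.rsplit(":", 2)
    container = _expand(parts[-1])
    if not container:
        raise ValueError(f"no container port in {spec!r}")
    host = _expand(parts[-2]) if len(parts) >= 2 else []
    if not host:
        host = [None] * len(container)  # Docker assigns an ephemeral host port
    if len(host) != len(container):
        raise ValueError(f"host and container ranges differ in size: {spec!r}")
    return list(zip(host, container, [proto] * len(container)))


def audit(port_specs):
    """Map each required container port to the host ports published to it."""
    result = {port: [] for port in REQUIRED_CONTAINER_PORTS}
    for spec in port_specs:
        for host, container, proto in parse_port_mapping(spec):
            if proto == "tcp" and container in result:
                result[container].append(host)
    return result


def unreachable_ports(port_specs):
    """Required container ports that nothing on the host is forwarded to."""
    return sorted(port for port, hosts in audit(port_specs).items() if not hosts)


# Constructed from the thread: the template as it was found, as it was fixed,
# and the ports section of the docker-compose.yml posted later in the thread.
BROKEN_TEMPLATE = ["180:180", "1443:1443"]
FIXED_TEMPLATE = ["180:80", "1443:443"]
COMPOSE_FILE = ["80:80", "443:443", "81:81"]

if __name__ == "__main__":
    for name, specs in [
        ("broken template", BROKEN_TEMPLATE),
        ("fixed template", FIXED_TEMPLATE),
        ("compose file", COMPOSE_FILE),
    ]:
        missing = unreachable_ports(specs)
        status = f"container ports not reachable: {missing}" if missing else "ok"
        print(f"{name}: {status}")
```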


@bigbeka commented on GitHub (Dec 9, 2022):

@LucaVignati Thanks for sharing, glad you solved your issue.

But this doesn't explain my case.
I am not using NPM, and my NGINX host is a docker image and ports 80 and 443 are pointing at the NGINX Proxy Manager Docker Container.


@Radiofreqq commented on GitHub (Dec 9, 2022):

> The wall of "same here" messages doesn't speed up the process of resolving this issue and it creates an unnecessary spam for those who follow issues via email.
>
> If you want to help, please provide additional information such as logs, your settings, info about your setup or anything else that you think might be helpful.
>
> If you want to show that you also are interested in solving this issue, consider just up-voting initial issue message, so that the counter will go up.
>
> But please, stop spamming "same here"

My apologies, I believe the reason people are adding "same here" or some derivative of that is because it makes them part of the conversation. So, when there is any update on the matter, they get notified. Please forgive me if there is a less intrusive way to accomplish these results. If you know of any, go ahead and inform the forum so future users don't follow the same method.

On a side note. My issue resolved by deleting the host and SSL cert in nginx and recreating it. I have done this a bunch of times in the past already and it didn't work. It just "worked" last night. Not sure why.


@patrick250709 commented on GitHub (Dec 9, 2022):

"Same Here" -> use the button Subscribe at the top on the right sidebar (pc)

I was having the same problems, and just to test it out, I disabled IPv6 through my docker-compose.yml

```
#docker-compose.yml
version: "3"
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    environment:
      # Uncomment this if you want to change the location of 
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
```

And now creating a proxy host with SSL works.
Will return when my instance of Nextcloud-aio is up and running, then I can test if my https://sub.domain-name.tld works.

Edit
Tested my domain and Proxy Host works with SSL.
I still get an error when testing the SSL certificate with "Test Server Reachability":
Error: `Communication with the API failed, is NPM running correctly?`


@bigbeka commented on GitHub (Dec 9, 2022):

@patrick250709 Could you please try getting just the certificate under SSL Certificates tab (Without creating the host first)?

The Communication with the API failed, is NPM running correctly? error comes up when you try to add the Cert before creating the host but after pointing your DNS Records at the NGINX Proxy Manager host.


@patrick250709 commented on GitHub (Dec 9, 2022):

> @patrick250709 Could you please try getting just the certificate under SSL Certificates tab (Without creating the host first)?
>
> The Communication with the API failed, is NPM running correctly? error comes up when you try to add the Cert before creating the host but after pointing your DNS Records at the NGINX Proxy Manager host.

I just tried.

  • Delete my Proxy Host and SSL-certificate entrance.
  • Manually "Add SSL Certificate" - Worked

@bigbeka commented on GitHub (Dec 9, 2022):

@patrick250709 No joy for me.

It turned out that my yml already had IPv6 disabled.

Test Server Reachability gives me Communication with the API failed, is NPM running correctly? and trying to request the SSL without testing gives me this:

```
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-64" --agree-tos --authenticator webroot --email "abc@example.com" --preferred-challenges "dns,http" --domains "test.example.com"
Another instance of Certbot is already running.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-xyz/log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```


@Srcodesalittle commented on GitHub (Dec 9, 2022):

Hi, for what it's worth, I solved it by remembering to change my DNS records on Cloudflare from proxied to DNS only, turning off both HTTPS only and automatic HTTPS rewrite, and changing certificate security from full to flexible. This allowed proper HTTP communication to actually reach my server and the certs were pulled in 100% of the time. Once I received the required certs, I turned the protections and rewrites back on.


@bigbeka commented on GitHub (Dec 9, 2022):

@Srcodesalittle Exact steps that I used to take every time I created Certs. Since the issue started, nothing has changed. I have tried to reduce to Flexible, no joy either.

I might be missing something very obvious, I just need to sleep on it maybe.


@Srcodesalittle commented on GitHub (Dec 9, 2022):

> @Srcodesalittle Exact steps that I used to take every time I created Certs. Since the issue started, nothing has changed. I have tried to reduce to Flexible, no joy either.
>
> I might be missing something very obvious, I just need to sleep on it maybe.

Sorry to hear that, the only thing I can think is whether the dns resolver on your docker image is working correctly and if you try too many cert requests, letsencrypt will time you out for a while (logs should tell you this). Other than that, not sure what could be happening.


@bigbeka commented on GitHub (Dec 9, 2022):

@Srcodesalittle No, not at all mate.

I will give a fresh install on a fresh host a try to reproduce this. I will report back with results, hopefully with positive ones.


@davix3f commented on GitHub (Dec 10, 2022):

> @patrick250709 No joy for me.
>
> It turned out that my yml already had IPv6 disabled.
>
> `Test Server Reachability` gives me `Communication with the API failed, is NPM running correctly?` and trying to request the SSL without testing gives me this:
>
> Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-64" --agree-tos --authenticator webroot --email "abc@example.com" --preferred-challenges "dns,http" --domains "test.example.com" 
> Another instance of Certbot is already running.
> Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-xyz/log or re-run Certbot with -v for more details.
>
>     at ChildProcess.exithandler (node:child_process:402:12)
>     at ChildProcess.emit (node:events:513:28)
>     at maybeClose (node:internal/child_process:1100:16)
>     at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

I get the same errors. I didn't change anything in my container since installation a year ago, and this error just started popping up on new certs or when updating old ones. Updating the image didn't solve this issue. I also tried rolling back acme as suggested in the main post, but that didn't work. Any ideas? This is annoying.


@r-hmn commented on GitHub (Dec 13, 2022):

> [Srcodesalittle](https://github.com/Srcodesalittle)
> Hi, for what it's worth, I solved it by remembering to change my DNS records on Cloudflare from proxied to DNS only, turning off both HTTPS only and automatic HTTPS rewrite, and changing certificate security from full to flexible. This allowed proper HTTP communication to actually reach my server and the certs were pulled in 100% of the time. Once I received the required certs, I turned the protections and rewrites back on.

Worked for me! ✔
I had version v2.9.18 and noticed the SSL was outdated, and renewal failed as in this topic:
`Communication with the API failed, is NPM running correctly?`
I renewed the docker image and started it; now on version v2.9.19, SSL renewal also failed.
I went to the "proxy-host" and disabled "force SSL" for that host.
Then under "SSL certificates" I tried "renew now" for that host, and it worked!


@bigbeka commented on GitHub (Dec 13, 2022):

Renewing an existing SSL cert is not an issue from the SSL tab.
Generating new SSL cert for a domain that is correctly pointed to the NGINX Proxy Manager fails.

Can you try to generate a new SSL cert for a domain that is pointing to your host, but doesn't have the cert yet?


@Srcodesalittle commented on GitHub (Dec 13, 2022):

> Renewing an existing SSL cert is not an issue from the SSL tab. Generating new SSL cert for a domain that is correctly pointed to the NGINX Proxy Manager fails.
>
> Can you try to generate a new SSL cert for a domain that is pointing to your host, but doesn't have the cert yet?

I'm away from my server at the moment and can't check right now. I'll try to get back to you soon.


@rumplin commented on GitHub (Dec 13, 2022):

Today some certificates expired for my sites and I'm struggling to get it back.

Here are the logs from the container:

2022-12-13T19:24:50.625796744Z [12/13/2022] [8:24:50 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
2022-12-13T19:24:50.625869881Z [12/13/2022] [8:24:50 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
2022-12-13T19:24:50.629915615Z [12/13/2022] [8:24:50 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
2022-12-13T19:24:50.896222410Z [12/13/2022] [8:24:50 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
2022-12-13T19:24:51.041405201Z [12/13/2022] [8:24:51 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
2022-12-13T19:24:51.180183421Z [12/13/2022] [8:24:51 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
2022-12-13T19:24:51.180235168Z Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken.
2022-12-13T19:24:51.180240077Z The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
2022-12-13T19:24:51.180256288Z Skipping.
2022-12-13T19:24:51.180259414Z Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
2022-12-13T19:24:51.180262249Z The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
2022-12-13T19:24:51.180265285Z Skipping.
2022-12-13T19:24:51.180268420Z Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf is broken.
2022-12-13T19:24:51.180280744Z The error was: expected /etc/letsencrypt/live/npm-3/cert.pem to be a symlink
2022-12-13T19:24:51.180284200Z Skipping.
2022-12-13T19:24:51.180287045Z Renewal configuration file /etc/letsencrypt/renewal/npm-4.conf is broken.
2022-12-13T19:24:51.180289951Z The error was: expected /etc/letsencrypt/live/npm-4/cert.pem to be a symlink
2022-12-13T19:24:51.180296834Z Skipping.
2022-12-13T19:24:51.180299749Z Renewal configuration file /etc/letsencrypt/renewal/npm-5.conf is broken.
2022-12-13T19:24:51.180302645Z The error was: expected /etc/letsencrypt/live/npm-5/cert.pem to be a symlink
2022-12-13T19:24:51.180309367Z Skipping.
2022-12-13T19:24:51.180312193Z 0 renew failure(s), 5 parse failure(s)
2022-12-13T19:24:51.180315329Z 
2022-12-13T19:24:51.180318194Z     at ChildProcess.exithandler (node:child_process:402:12)
2022-12-13T19:24:51.180321099Z     at ChildProcess.emit (node:events:513:28)
2022-12-13T19:24:51.180323835Z     at maybeClose (node:internal/child_process:1100:16)
2022-12-13T19:24:51.180330327Z     at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
2022-12-13T19:24:51.201348545Z [12/13/2022] [8:24:51 PM] [Nginx    ] › ℹ  info      Reloading Nginx
2022-12-13T20:10:48.684400673Z [12/13/2022] [9:10:48 PM] [Express  ] › ⚠  warning   invalid signature
2022-12-13T20:10:52.155386518Z `QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
2022-12-13T20:10:52.156477415Z `QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
2022-12-13T20:10:52.161289113Z QueryBuilder#omit is deprecated. This method will be removed in version 3.0
2022-12-13T20:10:52.163846892Z Model#$omit is deprected and will be removed in 3.0.
2022-12-13T20:10:58.871617045Z [12/13/2022] [9:10:58 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #4: CENSORED.si
2022-12-13T20:10:58.871650769Z [12/13/2022] [9:10:58 PM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-4" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
2022-12-13T20:10:59.249930474Z [12/13/2022] [9:10:59 PM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-4" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
2022-12-13T20:10:59.249986269Z Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-12-13T20:10:59.249991018Z Renewal configuration file /etc/letsencrypt/renewal/npm-4.conf is broken.
2022-12-13T20:10:59.249994053Z The error was: expected /etc/letsencrypt/live/npm-4/cert.pem to be a symlink
2022-12-13T20:10:59.249997089Z Skipping.
2022-12-13T20:10:59.250000115Z 0 renew failure(s), 1 parse failure(s)
2022-12-13T20:10:59.250014361Z Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

and logs from /var/log/letsencrypt/letsencrypt.log

2022-12-13 21:15:11,720:DEBUG:certbot._internal.main:certbot version: 1.31.0
2022-12-13 21:15:11,720:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-12-13 21:15:11,720:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--quiet', '--config', '/etc/letsencrypt.ini', '--preferred-challenges', 'dns,http', '--disable-hook-validation']
2022-12-13 21:15:11,720:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-12-13 21:15:11,727:DEBUG:certbot._internal.log:Root logging level set at 40
2022-12-13 21:15:11,728:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-1.conf
2022-12-13 21:15:11,729:ERROR:certbot._internal.renewal:Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken.
2022-12-13 21:15:11,729:ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Skipping.
2022-12-13 21:15:11,729:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 77, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 504, in __init__
    self._check_symlinks()
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 578, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink

2022-12-13 21:15:11,729:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-2.conf
2022-12-13 21:15:11,730:ERROR:certbot._internal.renewal:Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
2022-12-13 21:15:11,730:ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Skipping.
2022-12-13 21:15:11,730:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 77, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 504, in __init__
    self._check_symlinks()
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 578, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink

2022-12-13 21:15:11,730:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-3.conf
2022-12-13 21:15:11,730:ERROR:certbot._internal.renewal:Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf is broken.
2022-12-13 21:15:11,730:ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-3/cert.pem to be a symlink
Skipping.
2022-12-13 21:15:11,731:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 77, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 504, in __init__
    self._check_symlinks()
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 578, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-3/cert.pem to be a symlink

2022-12-13 21:15:11,731:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-4.conf
2022-12-13 21:15:11,731:ERROR:certbot._internal.renewal:Renewal configuration file /etc/letsencrypt/renewal/npm-4.conf is broken.
2022-12-13 21:15:11,731:ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-4/cert.pem to be a symlink
Skipping.
2022-12-13 21:15:11,731:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 77, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 504, in __init__
    self._check_symlinks()
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 578, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-4/cert.pem to be a symlink

2022-12-13 21:15:11,731:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-5.conf
2022-12-13 21:15:11,732:ERROR:certbot._internal.renewal:Renewal configuration file /etc/letsencrypt/renewal/npm-5.conf is broken.
2022-12-13 21:15:11,732:ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-5/cert.pem to be a symlink
Skipping.
2022-12-13 21:15:11,732:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 77, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 504, in __init__
    self._check_symlinks()
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 578, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-5/cert.pem to be a symlink

2022-12-13 21:15:11,732:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-7.conf
2022-12-13 21:15:11,742:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f561e33d9e8> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f561e33d9e8>
2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var pref_challs=dns,http (set by user).
2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var preferred_chain=ISRG Root X1 (set by user).
2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var key_type=ecdsa (set by user).
2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var elliptic_curve=secp384r1 (set by user).
2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var webroot_map={'webroot_path'} (set by user).
2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
2022-12-13 21:15:11,763:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-12-13 21:15:11,854:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-12-13 21:15:11,855:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/npm-7/cert2.pem is signed by the certificate's issuer.
2022-12-13 21:15:11,856:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/npm-7/cert2.pem is: OCSPCertStatus.GOOD
2022-12-13 21:15:11,858:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-12-13 21:15:11,858:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-12-13 21:15:11,858:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-8.conf
2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var pref_challs=dns,http (set by user).
2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var preferred_chain=ISRG Root X1 (set by user).
2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var key_type=ecdsa (set by user).
2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var elliptic_curve=secp384r1 (set by user).
2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var webroot_map={'webroot_path'} (set by user).
2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
2022-12-13 21:15:11,868:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-12-13 21:15:11,930:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-12-13 21:15:11,930:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/npm-8/cert2.pem is signed by the certificate's issuer.
2022-12-13 21:15:11,931:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/npm-8/cert2.pem is: OCSPCertStatus.GOOD
2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-12-13 21:15:11,931:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/live/npm-7/fullchain.pem expires on 2023-03-09 (skipped)
  /etc/letsencrypt/live/npm-8/fullchain.pem expires on 2023-03-09 (skipped)
2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2022-12-13 21:15:11,932:DEBUG:certbot._internal.display.obj:Notifying user: 
Additionally, the following renewal configurations were invalid: 
2022-12-13 21:15:11,932:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/renewal/npm-1.conf (parsefail)
  /etc/letsencrypt/renewal/npm-2.conf (parsefail)
  /etc/letsencrypt/renewal/npm-3.conf (parsefail)
  /etc/letsencrypt/renewal/npm-4.conf (parsefail)
  /etc/letsencrypt/renewal/npm-5.conf (parsefail)
2022-12-13 21:15:11,932:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-12-13 21:15:11,932:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1630, in renew
    renewal.handle_renewal_request(config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 511, in handle_renewal_request
    f"{len(renew_failures)} renew failure(s), {len(parse_failures)} parse failure(s)")
certbot.errors.Error: 0 renew failure(s), 5 parse failure(s)
2022-12-13 21:15:11,932:ERROR:certbot._internal.log:0 renew failure(s), 5 parse failure(s)
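
The `expected ... cert.pem to be a symlink` parse failures in the logs above can be checked on disk per lineage. The audit below is an added example, not part of the comment above and not NPM or certbot code; it assumes the usual certbot renewal-conf layout (`cert`, `privkey`, `chain` and `fullchain` keys above `[renewalparams]`) and runs against a constructed sample tree whose names (`npm-1`, `npm-7`) are borrowed from the logs.

```python
import os
import tempfile
from pathlib import Path

# Keys in the top part of renewal/<name>.conf that point at the live/ files.
KINDS = ("cert", "privkey", "chain", "fullchain")


def read_lineage_paths(conf_path):
    """Return {kind: Path} from the key = value lines above the first [section]."""
    paths = {}
    for raw in Path(conf_path).read_text().splitlines():
        line = raw.strip()
        if line.startswith("["):
            break  # [renewalparams] and later sections hold no lineage paths
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in KINDS:
            paths[key] = Path(value)
    return paths


def classify(link):
    """State of one live/ entry as it exists on disk."""
    if link.is_symlink():
        # exists() follows the link, so a link to a deleted target is dangling.
        return "ok" if link.exists() else "dangling-symlink"
    if link.exists():
        # The state reported in the logs: a plain file where a link is expected.
        return "not-a-symlink"
    return "missing"


def audit(config_dir):
    """Map every lineage in renewal/*.conf to {kind: state} for entries that are not ok."""
    report = {}
    for conf in sorted(Path(config_dir, "renewal").glob("*.conf")):
        paths = read_lineage_paths(conf)
        problems = {}
        for kind in KINDS:
            state = classify(paths[kind]) if kind in paths else "not-in-conf"
            if state != "ok":
                problems[kind] = state
        report[conf.stem] = problems
    return report


def build_sample(root):
    """Constructed sample tree: npm-1 holds plain copies, npm-7 holds symlinks."""
    root = Path(root)
    (root / "renewal").mkdir(parents=True)
    for name, version, use_links in (("npm-1", 1, False), ("npm-7", 2, True)):
        live = root / "live" / name
        archive = root / "archive" / name
        live.mkdir(parents=True)
        archive.mkdir(parents=True)
        lines = [f"archive_dir = {archive}"]
        for kind in KINDS:
            target = archive / f"{kind}{version}.pem"
            target.write_text("constructed placeholder, not a real PEM\n")
            link = live / f"{kind}.pem"
            if use_links:
                # Relative target from live/<name>/ into archive/<name>/.
                os.symlink(os.path.join("..", "..", "archive", name, target.name), link)
            else:
                link.write_text(target.read_text())
            lines.append(f"{kind} = {link}")
        lines += ["", "[renewalparams]", "authenticator = webroot"]
        (root / "renewal" / f"{name}.conf").write_text("\n".join(lines) + "\n")
    return root


def demo():
    """Audit the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample(tmp))


if __name__ == "__main__":
    for lineage, problems in demo().items():
        print(lineage, problems or "ok")
```

Inside the container from the logs the same check would be `audit("/etc/letsencrypt")`; a lineage with an empty result passes this on-disk check.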
2022-12-13 21:15:11,732:ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-5/cert.pem to be a symlink Skipping. 2022-12-13 21:15:11,732:DEBUG:certbot._internal.renewal:Traceback was: Traceback (most recent call last): File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 77, in _reconstitute renewal_candidate = storage.RenewableCert(full_path, config) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 504, in __init__ self._check_symlinks() File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/storage.py", line 578, in _check_symlinks "expected {0} to be a symlink".format(link)) certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-5/cert.pem to be a symlink 2022-12-13 21:15:11,732:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-7.conf 2022-12-13 21:15:11,742:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f561e33d9e8> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f561e33d9e8> 2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var pref_challs=dns,http (set by user). 2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var preferred_chain=ISRG Root X1 (set by user). 2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var key_type=ecdsa (set by user). 2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var elliptic_curve=secp384r1 (set by user). 2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user). 2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var webroot_map={'webroot_path'} (set by user). 2022-12-13 21:15:11,742:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user). 
2022-12-13 21:15:11,763:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80 2022-12-13 21:15:11,854:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503 2022-12-13 21:15:11,855:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/npm-7/cert2.pem is signed by the certificate's issuer. 2022-12-13 21:15:11,856:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/npm-7/cert2.pem is: OCSPCertStatus.GOOD 2022-12-13 21:15:11,858:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal 2022-12-13 21:15:11,858:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None 2022-12-13 21:15:11,858:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-8.conf 2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var pref_challs=dns,http (set by user). 2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var preferred_chain=ISRG Root X1 (set by user). 2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var key_type=ecdsa (set by user). 2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var elliptic_curve=secp384r1 (set by user). 2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user). 2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var webroot_map={'webroot_path'} (set by user). 2022-12-13 21:15:11,859:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user). 2022-12-13 21:15:11,868:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80 2022-12-13 21:15:11,930:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503 2022-12-13 21:15:11,930:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/npm-8/cert2.pem is signed by the certificate's issuer. 
2022-12-13 21:15:11,931:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/npm-8/cert2.pem is: OCSPCertStatus.GOOD 2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal 2022-12-13 21:15:11,931:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None 2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet: 2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/npm-7/fullchain.pem expires on 2023-03-09 (skipped) /etc/letsencrypt/live/npm-8/fullchain.pem expires on 2023-03-09 (skipped) 2022-12-13 21:15:11,931:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted. 2022-12-13 21:15:11,932:DEBUG:certbot._internal.display.obj:Notifying user: Additionally, the following renewal configurations were invalid: 2022-12-13 21:15:11,932:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/renewal/npm-1.conf (parsefail) /etc/letsencrypt/renewal/npm-2.conf (parsefail) /etc/letsencrypt/renewal/npm-3.conf (parsefail) /etc/letsencrypt/renewal/npm-4.conf (parsefail) /etc/letsencrypt/renewal/npm-5.conf (parsefail) 2022-12-13 21:15:11,932:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2022-12-13 21:15:11,932:DEBUG:certbot._internal.log:Exiting abnormally: Traceback (most recent call last): File "/usr/bin/certbot", line 8, in <module> sys.exit(main()) File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main return internal_main.main(cli_args) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1744, in main return 
config.func(config, plugins) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1630, in renew renewal.handle_renewal_request(config) File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 511, in handle_renewal_request f"{len(renew_failures)} renew failure(s), {len(parse_failures)} parse failure(s)") certbot.errors.Error: 0 renew failure(s), 5 parse failure(s) 2022-12-13 21:15:11,932:ERROR:certbot._internal.log:0 renew failure(s), 5 parse failure(s) ```
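The log above shows certbot skipping npm-1 to npm-5 because `live/<name>/cert.pem` is not a symlink. The following is an added example, not code from this thread, NPM or certbot: it applies the same two conditions (each `live/<lineage>/<kind>.pem` is a symlink and its target exists) to a certbot config directory so broken lineages can be listed before a renewal run. The function names are hypothetical, it assumes the default `renewal/`, `live/`, `archive/` layout with the lineage named after its `.conf` file, and the sample tree is constructed.

```python
import os
import tempfile

# The four files certbot keeps for every certificate lineage.
KINDS = ("cert", "privkey", "chain", "fullchain")


def audit_lineages(config_dir):
    """Return {lineage: [problem, ...]} for every renewal/*.conf in config_dir.

    Assumption: default layout, i.e. renewal/<lineage>.conf describes
    live/<lineage>/<kind>.pem. An empty list means the lineage passes.
    """
    report = {}
    renewal_dir = os.path.join(config_dir, "renewal")
    for conf in sorted(os.listdir(renewal_dir)):
        if not conf.endswith(".conf"):
            continue
        lineage = conf[: -len(".conf")]
        problems = []
        for kind in KINDS:
            link = os.path.join(config_dir, "live", lineage, kind + ".pem")
            if not os.path.lexists(link):
                problems.append(f"{link} is missing")
            elif not os.path.islink(link):
                # The condition reported in the log for npm-1 .. npm-5.
                problems.append(f"expected {link} to be a symlink")
            elif not os.path.exists(link):
                # exists() follows the link, so False here means it dangles.
                problems.append(f"target of symlink {link} does not exist")
        report[lineage] = problems
    return report


def build_sample_tree(root):
    """Constructed sample data: npm-1 holds plain files (as in the log),
    npm-7 is healthy, npm-9 has symlinks whose targets are gone."""
    os.makedirs(os.path.join(root, "renewal"))
    for lineage in ("npm-1", "npm-7", "npm-9"):
        open(os.path.join(root, "renewal", lineage + ".conf"), "w").close()
        live = os.path.join(root, "live", lineage)
        archive = os.path.join(root, "archive", lineage)
        os.makedirs(live)
        os.makedirs(archive)
        for kind in KINDS:
            link = os.path.join(live, kind + ".pem")
            if lineage == "npm-1":
                # Regular file where a symlink is expected.
                with open(link, "w") as fh:
                    fh.write("placeholder, not a real PEM\n")
                continue
            if lineage == "npm-7":
                with open(os.path.join(archive, kind + "1.pem"), "w") as fh:
                    fh.write("placeholder, not a real PEM\n")
            # Relative link into archive/, resolved from the live/ directory.
            os.symlink(
                os.path.join("..", "..", "archive", lineage, kind + "1.pem"),
                link,
            )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for lineage, problems in audit_lineages(root).items():
            print(lineage, "OK" if not problems else "BROKEN")
            for problem in problems:
                print("   ", problem)
```

Against a real install, call `audit_lineages("/etc/letsencrypt")` from inside the container; the function only reads directory metadata and changes nothing.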

@rumplin commented on GitHub (Dec 13, 2022):

As a workaround I did the following:

  1. Go to UI and use the `<NPM web address>/nginx/certificates`
  2. Delete the expired certificates
  3. Go to `<NPM web address>/nginx/proxy`
  4. Edit the site
  5. Go to the SSL tab
  6. Select "Request a new SSL Certificate"
  7. Select your checkboxes that you want
  8. Click Save

@Srcodesalittle commented on GitHub (Dec 18, 2022):

> > Renewing an existing SSL cert is not an issue from the SSL tab. Generating new SSL cert for a domain that is correctly pointed to the NGINX Proxy Manager fails.
>
> Can you try to generate a new SSL cert for a domain that is pointing to your host, but doesn't have the cert yet?

Hi I just created a new cert for my domain and it works fine. No issues


@RobusTetus commented on GitHub (Dec 19, 2022):

> > > Renewing an existing SSL cert is not an issue from the SSL tab. Generating new SSL cert for a domain that is correctly pointed to the NGINX Proxy Manager fails.
> >
> > Can you try to generate a new SSL cert for a domain that is pointing to your host, but doesn't have the cert yet?
>
> Hi I just created a new cert for my domain and it works fine. No issues

It works only for a while when you first pull the images and make a completely new and fresh container of npm without any volumes saved. Then after I add like 4 hosts, each with its own cert, it breaks and refuses to even make a new certificate. No matter if I try to add it when adding a new proxy host or directly through the SSL cert tab.


@Srcodesalittle commented on GitHub (Dec 19, 2022):

> > > > Renewing an existing SSL cert is not an issue from the SSL tab. Generating new SSL cert for a domain that is correctly pointed to the NGINX Proxy Manager fails.
> > >
> > > Can you try to generate a new SSL cert for a domain that is pointing to your host, but doesn't have the cert yet?
> >
> > Hi I just created a new cert for my domain and it works fine. No issues
>
> It works only for a while when you first pull the images and make a completely new and fresh container of npm without any volumes saved. Then after I add like 4 hosts, each with its own cert, it breaks and refuses to even make a new certificate. No matter if I try to add it when adding a new proxy host or directly through the SSL cert tab.

Not to discount your experience, but my NPM is already running close to ten hosts on different domains. As I mentioned in my comment, that is the state where I added a new cert to a new sub domain and it worked fine.


@RobusTetus commented on GitHub (Dec 20, 2022):

> > > > > Renewing an existing SSL cert is not an issue from the SSL tab. Generating new SSL cert for a domain that is correctly pointed to the NGINX Proxy Manager fails.
> > > >
> > > > Can you try to generate a new SSL cert for a domain that is pointing to your host, but doesn't have the cert yet?
> > >
> > > Hi I just created a new cert for my domain and it works fine. No issues
> >
> > It works only for a while when you first pull the images and make a completely new and fresh container of npm without any volumes saved. Then after I add like 4 hosts, each with its own cert, it breaks and refuses to even make a new certificate. No matter if I try to add it when adding a new proxy host or directly through the SSL cert tab.
>
> Not to discount your experience, but my NPM is already running close to ten hosts on different domains. As I mentioned in my comment, that is the state where I added a new cert to a new sub domain and it worked fine.

That is even more confusing to me then. What version of npm are you using? I'm on v2.9.19 - which should be the latest from docker hub. It did it the first time I set up my server (that was like 2.9.18) and then repulled the images and rebuilt the container and it broke again.


@Srcodesalittle commented on GitHub (Dec 21, 2022):

> > > > > > Renewing an existing SSL cert is not an issue from the SSL tab. Generating new SSL cert for a domain that is correctly pointed to the NGINX Proxy Manager fails.
> > > > >
> > > > > Can you try to generate a new SSL cert for a domain that is pointing to your host, but doesn't have the cert yet?
> > > >
> > > > Hi I just created a new cert for my domain and it works fine. No issues
> > >
> > > It works only for a while when you first pull the images and make a completely new and fresh container of npm without any volumes saved. Then after I add like 4 hosts, each with its own cert, it breaks and refuses to even make a new certificate. No matter if I try to add it when adding a new proxy host or directly through the SSL cert tab.
> >
> > Not to discount your experience, but my NPM is already running close to ten hosts on different domains. As I mentioned in my comment, that is the state where I added a new cert to a new sub domain and it worked fine.
>
> That is even more confusing to me then. What version of npm are you using? I'm on v2.9.19 - which should be the latest from docker hub. It did it the first time I set up my server (that was like 2.9.18) and then repulled the images and rebuilt the container and it broke again.

I'm on 2.9.18 just checked


@Voxis commented on GitHub (Dec 21, 2022):

Hey guys, I just started my own domain. I tried the button, it did not work (test if it works) like the thread indicates, but I am able to create SSL cert fine. I don't know about renew as of yet, so just letting you know that the creation part is working for me.


@rumplin commented on GitHub (Dec 22, 2022):

This morning all my sites are greeting visitors with a red background and "Google Safe Browsing recently detected phishing", it must be related to recent certificate shenanigans... Ohh joy.


@kitoming commented on GitHub (Dec 27, 2022):

Hello, in my case I solved the problem.
First I also got this "internal error" or "Communication with the API failed, is NPM running correctly?".
Then I removed the certificate and tried to recertify it and got the same, but got the message in the red box "Another instance of Certbot is already running".
My solution I found: https://community.letsencrypt.org/t/solved-another-instance-of-certbot-is-already-running/44690

After doing that I registered the certificate by the "edit proxy host" menu!
PS: I updated my version to 2.9.19


@bigbeka commented on GitHub (Dec 27, 2022):

@kitoming Yes, but that still doesn't solve the problem with getting new certificates under 'SSL Cert' tab. A fresh cert without host pointing at a service.

By way of update, I have installed a new droplet on DO, with a fresh IP, with fresh Docker, with fresh install of NGINX Proxy Manager, and tried to 'Test reachability', still gives me the same error. Not sure if it is even worth typing here, as no contributors or maintainers of this project have replied.


@SriharshaShesham commented on GitHub (Dec 27, 2022):

Hi all,
In my case the error got resolved by itself. I have tried many of the things above. Initially disabling force SSL and trying to generate the certificate failed. However it worked the next day. From last couple of days all the methods are working as expected. I personally think LetsEncrypt have updated something recently.


@lmatzer commented on GitHub (Dec 28, 2022):

> Hi all, In my case the error got resolved by itself. I have tried many of the things above. Initially disabling force SSL and trying to generate the certificate failed. However it worked the next day. From last couple of days all the methods are working as expected. I personally think LetsEncrypt have updated something recently.

I can not reproduce that. Still none of the certificate generation methods works for me, even above cloudflare workaround has no effect.


@SriharshaShesham commented on GitHub (Dec 28, 2022):

> > Hi all, In my case the error got resolved by itself. I have tried many of the things above. Initially disabling force SSL and trying to generate the certificate failed. However it worked the next day. From last couple of days all the methods are working as expected. I personally think LetsEncrypt have updated something recently.
>
> I can not reproduce that. Still none of the certificate generation methods works for me, even above cloudflare workaround has no effect.

Try these
-> Create Proxy, close
-> edit proxy, request SSL without force

Forgot to mention, I had to do the DNS Challenge way couple of times before getting the SSL to work without DNS challenge


@johndoe0815 commented on GitHub (Jan 10, 2023):

My NPM was working fine for months, now I just realized that it does not auto-renew certificates anymore (which it did until a certain point in time, maybe the last update?).

The odd thing is, issuing new certificates works. Also when I manually click on "renew now", it renews without any issues. But when I click on "test server reachability" I get "Communication with the API failed, is NPM running correctly?". So basically I am just missing the automatism to not have to renew my certificates manually every few months.


@nagalakshmi896 commented on GitHub (Jan 16, 2023):

> `Test Server Reachability` gives me `Communication with the API failed, is NPM running correctly?` and trying to request the SSL without testing gives me this:
>
> ```
> Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-64" --agree-tos --authenticator webroot --email "abc@example.com" --preferred-challenges "dns,http" --domains "test.example.com"
> Another instance of Certbot is already running.
> Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-xyz/log or re-run Certbot with -v for more details.
>
>     at ChildProcess.exithandler (node:child_process:402:12)
>     at ChildProcess.emit (node:events:513:28)
>     at maybeClose (node:internal/child_process:1100:16)
>     at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
> ```

@bigbeka,
@ahmedelemamn
Step 1: The above issue is solved by opening the nginx proxy manager instance or server port 80 to public (check for your server in Digital Ocean or others).
Step 2: Then try to request a new SSL certificate.
Note: To generate SSL certificates, the nginx proxy manager server should be exposed to public; only then will SSL certificates generate without errors.
Screenshot 2023-01-16 at 2 16 53 PM


@bigbeka commented on GitHub (Jan 16, 2023):

@nagalakshmi896 Step 1 does not make sense as anyone using NGINX Proxy Manager needs to expose port 80 to public.


@nagalakshmi896 commented on GitHub (Jan 16, 2023):

> @nagalakshmi896 Step 1 does not make sense as anyone using NGINX Proxy Manager needs to expose port 80 to public.

Screenshot 2023-01-16 at 2 18 36 PM

@bigbeka
I am not saying that NGINX Proxy Manager needs to expose port 80 to public. (Where NPM is installed, that server should be opened to 80 (to public).)
Please try opening the inbound rules 80 and 443.


@bigbeka commented on GitHub (Jan 16, 2023):

@nagalakshmi896 Yes, UFW in/out bound traffic for ports 80 & 443 on UDP & TCP is enabled. Still no joy.

![Screenshot 2023-01-16 at 09 54 12](https://user-images.githubusercontent.com/53529055/212639933-0d6f3e88-dd31-4e23-a6d0-bc0443b2ca4d.png)

@styxadmin commented on GitHub (Jan 17, 2023):

I am having the same issue as everything above. I initially thought it may have been a change I made to my firewall policies so I reverted them. The issue persisted.

The only way I was able to get it working again was the following:

Delete SSL Certificate for the host.

Delete & Recreate the host and then request a new certificate

EDIT: Nevermind, It only worked for the first host I tried this with and then I keep getting an internal error

Another Update: During the recreation/deletion process, suddenly all the certificates which were expired renewed themselves


@lenschith commented on GitHub (Jan 19, 2023):

@jc21 is there any new information? No workaround works for me.

@AlanMW commented on GitHub (Jan 25, 2023):

Some friendly person on Reddit pointed me to the settings for the host, seemed to do the trick for me.

> Try using the SSL request through the host setup, rather than trying to set it up before configuring a new host. Not sure why but my NPM (different setup, stand alone docker host) won’t allow me to request the cert from the SSL section, I have to use the SSL section in the new host setup in order for it to work.
>
> https://imgur.com/a/OW1Jp2o

@bigbeka commented on GitHub (Jan 25, 2023):

I don't think this solves the problem.
The main point of getting SSL before setting up the host is to check if the Domain pointing at the public IP has actually propagated or not, hence the need for SSL tab, and the need for "Test" button.

If the domain is not pointing to the correct IP, and you request SSL from Let's Encrypt, you might get penalised for this and get temporary ban. 🤷‍♂️

> Some friendly person on Reddit pointed me to the settings for the host, seemed to do the trick for me.
>
> > Try using the SSL request through the host setup, rather than trying to set it up before configuring a new host. Not sure why but my NPM (different setup, stand alone docker host) won’t allow me to request the cert from the SSL section, I have to use the SSL section in the new host setup in order for it to work.
> >
> > https://imgur.com/a/OW1Jp2o

@holgerflick commented on GitHub (Jan 30, 2023):

Crazy thing for me is that I can confirm that I see all the error messages given above, but after "some time" the expiration date of my SSL certs changed and they have been renewed even though an error was shown. Sadly, I do not see any other error messages in addition to those that have been reported here.


@tuanhd8789 commented on GitHub (Feb 7, 2023):

I had this issue too, and when I create a new cert, the output is:
"Another instance of Certbot is already running"
My solution:
To find the certbot process, try:
`ps -ef | grep certb`
The process ID would be the first number after the user, like:
`root 5555 5100 …`
To kill the process, try:
`kill 5555`
(replace 5555 with your actual certbot PID#)
Kill all running certbot PIDs and retry; then I successfully created a new cert.
Sources:
https://community.letsencrypt.org/t/solved-another-instance-of-certbot-is-already-running/44690/2

Hope to help someone!

@lolekuk commented on GitHub (Feb 8, 2023):

Ok, I believe Cloudflare security (double proxies and other bits) block let's encrypt creating and renewing certs. I've tried disabling bits and bobs on cloudflare with no luck. Issue for me started once I switched to Cloudflare (all was working ok on namecheap but of course namecheap doesn't provide same tools and security as cloudflare).

Switching to Cloudflare cert (free and for 15 years validity) for all my domains and subdomains (8 hosts/subdomains) took less than 5 mins.

Hope this helps you guys:

Log into cloudflare -> SSL/TLS -> Origin Server and create certificate (just one, wildcard certificate will be used for all subdomains)
using notepad
copy and paste certificate into notepad and save as e.g. certificate.crt
copy and paste key into another notepad file and save as key.crt

Log into your NPM:

go to SSL certificates -> add new -> custom
give it a name and then browse and choose cert and key files in the 2 fields available.
save the cert - should show 15 years expiry date etc.
Go to your domains and subdomains and replace your ssl cert with cloudflare one

All works for me :)


@rodneyt commented on GitHub (Feb 8, 2023):

Ok, these steps work for me (Docker):

re-deploy container
Remote in container console
Run `pip install certbot-dns-cloudflare==$(certbot --version | grep -Eo '[0-9](\.[0-9]+)+') cloudflare`
if you get this error, just update: `pip install --upgrade --force-reinstall acme==2.2.0`
(https://freeimage.host/i/HEzf6jj)

@pwfraley commented on GitHub (Feb 10, 2023):

Same problem here


@lolekuk commented on GitHub (Feb 10, 2023):

Have you tried this?
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2011#issuecomment-1422399423


@pwfraley commented on GitHub (Feb 10, 2023):

> Have you tried this? [#2011 (comment)](https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2011#issuecomment-1422399423)

No, I like Let's Encrypt and I do not have a CloudFlare account nor do I manage my Domains through CloudFlare. I add about a Host a Year to NPM and every time I try to do this NPM is broken. Very annoying. NPM never got certificate renewal automatically working, every 3 Months I have to go into it and update the certificates by hand.

I guess it is time to switch to another proxy.

@davix3f commented on GitHub (Feb 11, 2023):

I'm getting the "Communication with API failed, are you sure NPM is running correctly" error too, I can't request any new certificate nor renew my existing ones. I didn't change anything in my docker compose or anything, this issue just came up by itself which to me does not make sense. I also can't find any solution on this, except switching to traefik - but I just can't get it working, either, so I hope this will get fixed fast


@LuisPalacios commented on GitHub (Feb 15, 2023):

Hi team, I'm experiencing exactly the same error. In my case I have NPM as an AddOn in HASS.IO, but the error is the same. Let's Encrypt reaches the box but is discarded with a `connection refused`. All mappings are ok, but missing a "web server" attending the request.

I've seen that the call to certbot is using `--authenticator webroot`; so it needs a web server listening on :80 serving the file that Let's Encrypt is looking for. Which is not the case !!

One solution would be to change to `--standalone` but I'm not sure if it's possible to configure, somehow, NPM to use `--standalone` instead.

Thanks
Luis

@wickedyoda commented on GitHub (Feb 21, 2023):

It seems like this topic/issue has not been resolved, as I came here with the same problem. The author needs to check and see about duplicating and resolving the issue.


@timnolte commented on GitHub (Feb 24, 2023):

I just got 2 notices from Let's Encrypt about certificates expiring soon. I checked NPM to also find I'm getting the "Communication with the API failed, is NPM running correctly?" error when using the "Test Server Reachability" option, and I'm concerned about auto renewal not working. In the past with a different setup I never got cert expiration notices from Let's Encrypt.


@timnolte commented on GitHub (Feb 24, 2023):

So looking at my logs and I am getting the same error about certbot already running.


@timnolte commented on GitHub (Feb 25, 2023):

So I used the guidance in [this comment](https://community.letsencrypt.org/t/solved-another-instance-of-certbot-is-already-running/44690/3) to remove the lock files and this seemed to resolve the certbot is already running issue. I'm still faced with renewal failures. My logs are like this:

```
[2/25/2023] [4:12:28 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-5 with error: Some challenges have failed.
The following renewals failed:
  /etc/letsencrypt/live/npm-5/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
[2/25/2023] [4:14:43 AM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #5: ***.***.***
[2/25/2023] [4:14:43 AM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-5" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[2/25/2023] [4:15:07 AM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-5" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to renew certificate npm-5 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-5/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
```
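The failures quoted in this thread fall into a few distinct causes that need different fixes. As an added example (not part of the thread and not NPM's or certbot's code), this script groups log lines by cause and flags certificates listed as failed without any cause line; the sample log is constructed from messages quoted in this issue, and the category names, hints and `npm-9` entry are this example's own assumptions.

```python
import re
from collections import defaultdict

GLOBAL = "(all)"  # marker for errors that are not tied to one certificate

# Error text as quoted in this thread; the category names are this example's own.
SIGNATURES = [
    ("certbot_lock", re.compile(r"Another instance of Certbot is already running")),
    ("dns_api_auth", re.compile(r"CloudFlareAPIError.*Authentication error")),
    ("challenge_failed", re.compile(
        r"Failed to renew certificate (?P<cert>\S+) with error: "
        r"Some challenges have failed")),
]
FAILED_PATH = re.compile(
    r"/etc/letsencrypt/live/(?P<cert>[^/\s]+)/fullchain\.pem \(failure\)")

# Next checks, taken from the workarounds commenters reported above.
HINTS = {
    "certbot_lock": "a certbot process or lock file is left over from an earlier run",
    "dns_api_auth": "the DNS plugin credentials were rejected by the Cloudflare API",
    "challenge_failed": "validation did not complete: check port 80 exposure "
                        "and that A and AAAA records point at the proxy",
}

# Constructed sample, assembled from log lines quoted in this issue.
SAMPLE_LOG = """\
Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-4 with error: Some challenges have failed.
Failed to renew certificate npm-6 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-9/fullchain.pem (failure)
Another instance of Certbot is already running.
Encountered CloudFlareAPIError adding TXT record: 10000 Authentication error
"""


def triage(log_text):
    """Group certbot failures found in NPM log text by cause."""
    causes = defaultdict(set)
    failed = set()
    for line in log_text.splitlines():
        for category, pattern in SIGNATURES:
            match = pattern.search(line)
            if match:
                # Patterns without a cert group describe a run-wide failure.
                causes[category].add(match.groupdict().get("cert") or GLOBAL)
        match = FAILED_PATH.search(line)
        if match:
            failed.add(match.group("cert"))
    explained = set().union(*causes.values())
    return {
        "causes": {name: sorted(certs) for name, certs in causes.items()},
        "failed_certs": sorted(failed),
        # Listed as failed but no cause line: the detail is only in letsencrypt.log.
        "unexplained": sorted(failed - explained),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, certs in result["causes"].items():
        print(f"{category}: {', '.join(certs)} -> {HINTS[category]}")
    for cert in result["unexplained"]:
        print(f"{cert}: listed as failed, no cause line found; read letsencrypt.log")
```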

@GamerClassN7 commented on GitHub (Feb 26, 2023):

> So I used the guidance in [this comment](https://community.letsencrypt.org/t/solved-another-instance-of-certbot-is-already-running/44690/3) to remove the lock files and this seemed to resolve the certbot is already running issue. I'm still faced with renewal failures. My logs are like this:
>
> ```
> [2/25/2023] [4:12:28 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
> Failed to renew certificate npm-5 with error: Some challenges have failed.
> The following renewals failed:
>   /etc/letsencrypt/live/npm-5/fullchain.pem (failure)
> 1 renew failure(s), 0 parse failure(s)
>     at ChildProcess.exithandler (node:child_process:402:12)
>     at ChildProcess.emit (node:events:513:28)
>     at maybeClose (node:internal/child_process:1100:16)
>     at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
> [2/25/2023] [4:14:43 AM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #5: ***.***.***
> [2/25/2023] [4:14:43 AM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-5" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
> [2/25/2023] [4:15:07 AM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-5" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Failed to renew certificate npm-5 with error: Some challenges have failed.
> All renewals failed. The following certificates could not be renewed:
>   /etc/letsencrypt/live/npm-5/fullchain.pem (failure)
> 1 renew failure(s), 0 parse failure(s)
> Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
> Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
> ```

Hi, did you manage to resolve this problem? I am in the same state as you, just with a slightly different error :(

![image](https://user-images.githubusercontent.com/22167469/221443602-aeb9d1c0-14ce-4678-8a66-cf56aaa9dbc9.png)
![image](https://user-images.githubusercontent.com/22167469/221443667-289d4435-20b4-434f-b13b-6559ef33abd1.png)

@EDIflyer commented on GitHub (Mar 16, 2023):

Just updated to 2.9.20 after seeing @jc21 did a push to Docker Hub. Unfortunately no change in the SSL certificate renewal bug...

```
0:28:54
[3/16/2023] [12:28:54 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
0:28:54
Failed to renew certificate npm-4 with error: Some challenges have failed.
0:28:54
Failed to renew certificate npm-6 with error: Some challenges have failed.
0:28:54
All renewals failed. The following certificates could not be renewed:
0:28:54
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
0:28:54
  /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
0:28:54
2 renew failure(s), 0 parse failure(s)
0:28:54
0:28:54
    at ChildProcess.exithandler (node:child_process:402:12)
0:28:54
    at ChildProcess.emit (node:events:513:28)
0:28:54
    at maybeClose (node:internal/child_process:1100:16)
0:28:54
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
0:47:38
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
0:47:38
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
0:47:38
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
0:47:38
Model#$omit is deprected and will be removed in 3.0.
```

@punkyard commented on GitHub (Apr 7, 2023):

> Have you tried this?
> [#2011 (comment)](https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2011#issuecomment-1422399423)

hi
yes, i've tried this. It didn't work before, but this time it worked ..
still, I don't have an explanation for the let's encrypt error in npm .. 🤔
but thanks!!

@gitrummy commented on GitHub (Apr 8, 2023):

I use NPM on Home Assistant Core all running on a Windows PC. For me disabling the Windows firewall and also pausing ESET allowed me to renew all certs one by one from the SSL certificates list.

@vuanhson commented on GitHub (Apr 24, 2023):

My NPM can issue LE certificate normally (domain hosted in CF) but the GUI showing error when doing reachability test. May be a visual bug

![Screenshot 2023-04-24 at 15 10 06](https://user-images.githubusercontent.com/6960172/233913280-2c46e50d-0c92-45ef-bca2-640fa6c70cb8.png)

@tomvanswam commented on GitHub (Apr 27, 2023):

Same issue happened to me. When testing a message that NPM might not be configured correctly and on an actual try to get a certificate an internal error.

I found out that in the let's encrypt logs, there were two ip addresses found to match the domain I wanted to get a certificate for. One ipv4 (A record) and one ipv6 (AAAA record).
Certbot used the ipv6 one to perform the http-01 challenge on. However that one was still pointing to some default domain registrar ip.
After changing the ipv6 AAAA record to point to my server, all worked as expected.

I did set the environment var to disable ipv6, however apparently the certbot script does not disable ipv6 for the challenge, which one might expect.

So even when disabling ipv6 one should set the AAAA record to your server (and forward it to NPM) or removing the AAAA record completely to make it possible for certbot to create certificates.
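The check described in the comment above, as an added example that is not part of the original post and not NPM's or certbot's code: compare every A and AAAA answer for a hostname with the addresses on which port 80 actually reaches the proxy, before a certificate is requested. The function names and the sample addresses (documentation ranges) are constructed for illustration, and `resolve` shows the local resolver's view, which can differ from what the CA sees.

```python
import ipaddress
import socket
import sys

# Ranges a public CA cannot reach from the Internet (private, CGNAT,
# loopback, link-local, unique-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve(hostname):
    """Return the A and AAAA answers the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_records(resolved, reachable):
    """Classify resolved addresses against the proxy's reachable addresses.

    `reachable` lists every public IPv4/IPv6 address whose port 80 is
    forwarded to the proxy. An address family that is disabled on the proxy
    must not appear there, so a leftover AAAA record shows up as stray.
    """
    reachable_set = {ipaddress.ip_address(a) for a in reachable}
    report = {"ok": [], "stray": [], "non_routable": []}
    for raw in resolved:
        addr = ipaddress.ip_address(raw.split("%")[0])  # drop any zone id
        if any(addr.version == net.version and addr in net for net in NON_ROUTABLE):
            report["non_routable"].append(str(addr))
        elif addr in reachable_set:
            report["ok"].append(str(addr))
        else:
            report["stray"].append(str(addr))
    bad = report["stray"] + report["non_routable"]
    # DNS record types that need fixing or removing before requesting.
    report["bad_record_types"] = sorted(
        {"AAAA" if ipaddress.ip_address(a).version == 6 else "A" for a in bad})
    # Any record that misses the proxy can be the one the CA validates against.
    report["safe_to_request"] = bool(report["ok"]) and not bad
    return report


if __name__ == "__main__":
    if len(sys.argv) > 2:
        # Usage: script.py <hostname> <reachable-address> [<reachable-address> ...]
        print(check_records(resolve(sys.argv[1]), sys.argv[2:]))
    else:
        # Constructed case: correct A record, AAAA left on a registrar default.
        print(check_records(["203.0.113.10", "2001:db8:dead::1"], ["203.0.113.10"]))
```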


@EDIflyer commented on GitHub (Apr 27, 2023):

That gave me hope for a minute, @tomvanswam - unfortunately when I double-checked the AAAA record correctly points to the same server as the A one in my case 😞


@tomvanswam commented on GitHub (Apr 27, 2023):

> That gave me hope for a minute, @tomvanswam - unfortunately when I double-checked the AAAA record correctly points to the same server as the A one in my case 😞

Make sure (when hosting at home) your router is also forwarding ipv6 traffic to your server. This isn't done by default when forwarding ipv4 traffic.

Check your firewalls that rules are also in place to allow ipv6 traffic to your server.

Request a certificate even though the test fails and check the letsencrypt.log file somewhere in the /tmp folder (I'm on mobile so can't check what folder precisely) in the container and try to find the reason why it's not working. This helped me find out what I did.


@EDIflyer commented on GitHub (Apr 27, 2023):

Thanks @tomvanswam - I'm on a VPS so no issues re firewalls, etc. If I delete and recreate them fresh it tends to work, it's the auto-renewal that isn't working. I'll look at the logs again later but have posted in a few other ones re this issue, really hoping there'll be a fix soon.


@tomvanswam commented on GitHub (Apr 27, 2023):

I did do a first registration indeed, not a renewal, maybe my luck runs out in 60 days 🙄


@KoenVanduffel commented on GitHub (May 1, 2023):

I can confirm: I can generate new certificates but cannot renew certificates.
Removing certificates leaves the cert files in place and when running certbot renew in the console it still finds them and tries to renew them.
`certbot renew --cert-name npm-42 --force-renewal` gives the following error:
`Renewal configuration file /etc/letsencrypt/renewal/npm-42.conf is broken. The error was: expected /etc/letsencrypt/live/npm-42/cert.pem to be a symlink Skipping.`

What works is to remove the certificate manually in the SSL Certificates tab and generate a new one.

Force renewing the certs I created just now does seem to work.


@EDIflyer commented on GitHub (May 1, 2023):

Thanks for confirming, @KoenVanduffel - interesting finding re cert files being left in place after removal from the UI, that was my suspicion too. Quite a hassle to do if lots of subdomains!


@prom00 commented on GitHub (May 4, 2023):

I deleted the SSL certificate, yet I can't request a complete new ssl certificate..

It's now even getting more weird. I just tried a refresh on my other domain, this wasn't working at first.
Now it has refreshed it. I now requested a new ssl for the 2nd (sub) domain, it's not working again.


@EDIflyer commented on GitHub (May 4, 2023):

> I deleted the SSL certificate, yet I can't request a complete new ssl certificate..
>
> It's now even getting more weird. I just tried a refresh on my other domain, this wasn't working at first. Now it has refreshed it. I now requested a new ssl for the 2nd (sub) domain, it's not working again.

It might be worth trying the steps I put in #2881 and see if they work for you at all for renewing. For the removals did you do it via UI or command line? As @KoenVanduffel mentions the UI version doesn't seem to properly remove. In that situation I copied a known 'good' certificate from another site on that domain then refreshed it using the steps mentioned in that linked issue.


@prom00 commented on GitHub (May 4, 2023):

I've done this now:
Part 2 - turn off Force SSL and then renew

Then it created a new ssl certificate... I'm using this through a HA plugin, not sure on how I would need to do the shell commands, but for now it seemed to be ok again for a couple months.


@balones6531 commented on GitHub (May 8, 2023):

> Turning 'Force SSL' off was the quick fix for me.


@Wdrussell1 commented on GitHub (May 22, 2023):

Been almost a year and nothing on this issue. To be such a popular application that does see updates, it would be nice to see this fixed.


@wickedyoda commented on GitHub (May 22, 2023):

There's many forks to this repo, I would recommend tracking one of them and seeing if someone has picked up maintaining the app.


@davix3f commented on GitHub (May 23, 2023):

> There's many forks to this repo, I would recommend tracking one of them and seeing if someone has picked up maintaining the app.

Any you would recommend? Because honestly I don't know what to look for when choosing a forked repo


@awad0 commented on GitHub (Jul 19, 2023):

> Turning 'Force SSL' off was the quick fix for me.

Fixed it for me, too. Could it be that the wrong (http) challenge is being checked to start a DNS challenge?


@wickedyoda commented on GitHub (Aug 3, 2023):

> > There's many forks to this repo, I would recommend tracking one of them and seeing if someone has picked up maintaining the app.
>
> Any you would recommend? Because honestly I don't know what to look for when choosing a forked repo

Look at the commits and commit dates; the ones that are more current will have more current commits where changes and updates have been applied. I have run into several errors with this repo but it still remains one of the best. It's sad that they have not continued to update it.


@wickedyoda commented on GitHub (Aug 3, 2023):

> > Turning 'Force SSL' off was the quick fix for me.
>
> Fixed it for me, too. Could it be that the wrong (http) challenge is being checked to start a DNS challenge?

I have found when SSL renewal fails or a challenge fails, restart the container and try again. Been the simplest workaround for me so far.


@gabbas1 commented on GitHub (Aug 4, 2023):

"Same"

My setup:
OpenSuse 15.4
Docker 23.0.6
jc21/nginx-proxy-manager 2.10.4 / 2.10.3

When I try to refresh the certificate:
Screenshot from 2023-08-04 07-41-35

Meanwhile the logs of nginx:

```
[8/4/2023] [7:30:07 AM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #1: dummy.domain.name.org
[8/4/2023] [7:30:07 AM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
[8/4/2023] [7:30:23 AM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Failed to renew certificate npm-1 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
```

When I try the "Test the server reachability":
Screenshot from 2023-08-04 07-42-04

```
[8/4/2023] [7:31:34 AM] [SSL      ] › ℹ  info      Testing http challenge for dummy.domain.name.org
Uncaught SyntaxError: Unexpected end of JSON input

FROM
bash: line 1:   325 Trace/breakpoint trap   (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js
```

With Version 2.10.3 on "refresh" and on "Test the server reachability" the error was:
Screenshot from 2023-08-04 07-42-04

Otherwise no changes.


@awad0 commented on GitHub (Aug 8, 2023):

> > Fixed it for me, too. Could it be that the wrong (http) challenge is being checked to start a DNS challenge?
>
> I have found when SSL renewal fails or a challenge fails, restart the container and try again. Been the simplest workaround for me so far.

Unfortunately not. I tried this before. I'm in a LXD container, where I can ssh into. It's not a port or connection issue. Manual "dry run" also worked.


@etymotic commented on GitHub (Sep 4, 2023):

If anyone wants to give this a try:

My setup is NPM docker running on the same virtual machine as all of my other docker stuff. I use AdGuard Home, with a DNS rewrite of *.mydomain.com -> Local IP of NPM. I figured there was probably some sort of problem of NPM trying to reach stuff but just getting redirected and never leaving my LAN...

So I set up wireguard in the virtual machine that runs all of my docker stuff. I have a subscription to AirVPN and used their config generator. With the VPN connected, I'm able to add/renew certificates.

My guess is that the VPN forces traffic to leave my LAN, which helps things renew properly. Either that, or it just randomly started working while I was messing around with it.


@prom00 commented on GitHub (Sep 4, 2023):

> My guess is that the VPN forces traffic to leave my LAN, which helps things renew properly. **Either that, or it just randomly started working while I was messing around with it.**

I've had this before too, where it suddenly started to work again...


@BartAgterbosch commented on GitHub (Sep 4, 2023):

I would like to weigh in here and suggest making sure that "Block common exploits" is disabled in the proxyhost settings for the particular domain you're trying to renew (re-enable it afterwards), also wait a while before doing it if you've been spamming the renew button before trying that, it might be rate limited


@EDIflyer commented on GitHub (Sep 4, 2023):

Just to flag this PR I submitted seems to do the trick - https://github.com/NginxProxyManager/nginx-proxy-manager/pull/3121 - I've done renewals on a few servers since and they seem to go through OK. You can test it via the auto-built Docker image in the PR.


@Tschakko1993 commented on GitHub (Sep 27, 2023):

I had exactly the same problem as described above.
I checked my router settings and it seems that port 80/443 was not forwarded.
I opened the ports and it fixed that issue


@vladtvoeit commented on GitHub (Oct 28, 2023):

I am using Ubuntu+portainer+npm+uptime kuma. I want to get a certificate for uptime kuma. When I click: "Test Server Reachability" I get an error: "Communication with the API failed, is NPM running correctly?". Any help?

80 and 443 ports are available


@EDIflyer commented on GitHub (Oct 29, 2023):

@baxenko where are you clicking 'Test Server Reachability'? I've got the Portainer/NPM/Uptime Kuma setup too and all are working fine (using my PR above for NPM to ensure SSL certs issued/renewed OK)


@etymotic commented on GitHub (Oct 30, 2023):

@baxenko I'm pretty certain, at least for me, that it's network related. Probably NAT Loopback. I think NPM sends out a DNS request for your domain, gets pointed at your home network, and your router never lets anything leave. The solution for me was connecting the machine that runs NPM to a VPN. That forced stuff to leave my home network so the certificate stuff could succeed.


@irhiggs commented on GitHub (Nov 3, 2023):

I found this that seems to help a lot: https://www.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/

Looks like we need a different certbot version packaged into this docker container


@misaka00251 commented on GitHub (Nov 11, 2023):

https://old.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/k1b9fra/
Yeah, this works.


@vladtvoeit commented on GitHub (Nov 11, 2023):

> I am using Ubuntu+portainer+npm+uptime kuma. I want to get a certificate for uptime kuma. When I click: "Test Server Reachability" I get an error: "Communication with the API failed, is NPM running correctly?". Any help?
>
> 80 and 443 ports are available

@EDIflyer , @etymotic
My problem was due to an installed Portainer that would not allow npm to "see" uptime kuma. My friend wrote instructions on how to properly install it and configure Portainer to detect the container. I got everything working. Thanks to all of you for your help.

Instructions: https://gist.github.com/Vladkarok/12ed9c11282d1659ecf369028c3202e6


@yasarza commented on GitHub (Nov 12, 2023):

Hello everyone

I had the same issue, and it turns out it has something to do with my firewall setting.
I have a pfsense firewall, and when I checked my settings, I found that I allowed only TCP/UDP connection to the web, which I think wasn't enough for nginx to verify the API token.


@liveinaus commented on GitHub (Nov 17, 2023):

> https://old.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/k1b9fra/ Yeah, this works.

Thanks, it has fixed my issue. Thanks for sharing the fix.

The following commands run in the container fixed the issue.

```
cd /opt/certbot
/opt/certbot/bin/pip install certbot==2.6.0
/opt/certbot/bin/pip install -U certbot-dns-godaddy
. /opt/certbot/bin/activate && pip install --upgrade pyopenssl
```


@RobustMarker commented on GitHub (Nov 23, 2023):

> I had the same issue, and it turns out it has something to do with my firewall setting. I have a pfsense firewall, and when I checked my settings, I found that I allowed only TCP/UDP connection to the web, which I think wasn't enough for nginx to verify the API token.

What did you change? You allowed a different port or something?


@julianjuan77 commented on GitHub (Dec 9, 2023):

In my case, creating a new certificate did not work for me. The problem was not having created the subdomain in Cloudflare and pointing it to my server. Once the subdomain was created in Cloudflare I was able to create my new certificate without problems.


@JtMotoX commented on GitHub (Dec 10, 2023):

> The only way I was able to get SSL is to Add host and request the SSL through the Host setup process.

Thank you so much @bigbeka ! Your [comment](https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2011#issuecomment-1344077396) worked for me. 👍


@AlaskaJedi commented on GitHub (Dec 17, 2023):

Okay, after a few hours of frustration, re-installs, and changing router configs, I kept getting the internal error or the communication with the API NPM running correctly?

I have another subdomain outside of NPM with its own certificate, so I decided to do a force renewal and it worked right away. I was about to add a wildcard to that certificate and import it to NPM, but I decided to try it one more time. I created a new certificate from scratch with a fresh API key from Cloudflare.

That's when I noticed something. When using the DNS Challenge option, the credentials file content had the example below:
(not my actual token btw)

Cloudflare API token
dns_cloudflare_api_token = 0123456789ABCDEF0123456789ABCDEF01234567

I replaced the token with my Cloudflare token, and it failed. I then tried it again, this time using single quotes around my token, like this:
dns_cloudflare_api_token = '0123456789ABCDEF0123456789ABCDEF01234567'

IT WORKED! I checked the credentials file to verify, and it had:

dns_cloudflare_api_token = \0123456789ABCDEF0123456789ABCDEF01234567\

The weird thing was that my credentials file for my previous certificates that I could not renew did not have any quotes or slashes around the token, but they had worked up until now. Anyway, I thought I would share if anyone else was having the same problem.


@yesid-bocanegra commented on GitHub (Dec 19, 2023):

I had this issue after doing a backup of my folder data and letsencrypt. The problem was that I was not aware of the symlinks in the live folder, so after copying back my backup folders I was not able to renew the certificates. To fix this problem I had to update the symlinks for every certificate.

I decided to create a script to fix it. This script can be executed inside the docker container (haven't tested it from the host); it will search for the most recent certificate in the archive folder and create a symlink in the live folder pointing to it.

Afterwards you should be able to execute certbot renew

https://gist.github.com/yesid-bocanegra/dfa0cbf0f99a6834340613f43b6610e0
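
One way to do the repair described in the comment above, as an added example (it is not the linked gist and not part of the original comment). It assumes certbot's standard layout, where `live/<name>/<kind>.pem` is a relative link to `../../archive/<name>/<kind>N.pem`; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: rebuild certbot's live/ symlinks from archive/ after a backup
# restore that dropped the links or turned them into regular files.
KINDS="cert chain fullchain privkey"

# Print the highest N for which all four <kind>N.pem files exist and are
# non-empty in an archive directory (0 if there is no complete set).
latest_complete_version() {
    local dir="$1" best=0 f n k ok
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/}; n=${n#cert}; n=${n%.pem}
        case $n in ''|*[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        ok=1
        for k in $KINDS; do [ -s "$dir/$k$n.pem" ] || ok=0; done
        # Numeric comparison, so cert10.pem beats cert2.pem.
        if [ "$ok" -eq 1 ] && [ "$n" -gt "$best" ]; then best=$n; fi
    done
    echo "$best"
}

# Recreate live/<name>/<kind>.pem for every lineage under <root>/archive.
# Prints the number of lineages repaired; skipped ones are reported on stderr.
repair_live_links() {
    local root="$1" fixed=0 dir name n k
    for dir in "$root"/archive/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}; name=${dir##*/}
        n=$(latest_complete_version "$dir")
        if [ "$n" -eq 0 ]; then
            echo "skip $name: no complete cert/chain/fullchain/privkey set" >&2
            continue
        fi
        mkdir -p "$root/live/$name"
        for k in $KINDS; do
            # -f replaces a regular file left behind by the restore,
            # -n replaces an existing link instead of following it.
            ln -sfn "../../archive/$name/$k$n.pem" "$root/live/$name/$k.pem"
        done
        fixed=$((fixed + 1))
    done
    echo "$fixed"
}

# Runs only when a root is passed, e.g.: ./fix-live-links.sh /etc/letsencrypt
if [ "$#" -ge 1 ]; then repair_live_links "$1"; fi
```

Only a version for which all four files are present is linked, so a half-written renewal in `archive/` is never selected. Backing up with a tool that preserves symlinks (for example `cp -a` or `tar`) avoids the problem in the first place.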


@nsaccente commented on GitHub (Dec 30, 2023):

First time caller, long time listener.

I noticed that the jc21/nginx-full has been deprecated in favor of using nginxproxymanager/nginx-full, although I'm not sure when it was marked deprecated. Even more damning is the fact that the develop and master branches of this repo's READMEs both use example docker-compose files that still use the jc21/nginx-proxy-manager:latest image.

Strangely enough, it looks like @jc21's account pushed a new image just 12 hours ago, despite this repo not having seen a commit since last month. Even stranger, is that the new image, nginxproxymanager/nginx-full, hasn't seen an update in 9 months!

I have a faint suspicion that most of the issues folks have had in this thread are due to using the deprecated image, IF it truly is deprecated.

I did try spinning up a container with the following docker-compose, but the container exits with code 0 immediately, so I think the ENTRYPOINT may be wrong somewhere.

docker-compose.yaml

```
version: '3.8'
networks:
  default:
    external: true
    name: outbound

services:
  app:
    image: 'nginxproxymanager/nginx-full:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    volumes:
      - ./data/data:/data
      - ./data/letsencrypt:/etc/letsencrypt

networks:
  default:
    external: true
```


@etymotic commented on GitHub (Dec 30, 2023):

@nsaccente interesting. I haven't had a chance to play with it, but try nginxproxymanager/nginx-proxy-manager:latest


@nsaccente commented on GitHub (Dec 31, 2023):

@etymotic , I attached my docker-compose contents as a <details> element; already using nginxproxymanager/nginx-proxy-manager:latest but no cigar.


@nsaccente commented on GitHub (Dec 31, 2023):

Update, it appears that my ISP has changed my IP, which has been the cause of all my troubles. Updating my domain provider's dns with my new IP did just the trick. I guess I can't put off setting up dyndns any longer 🤷

The error message provided by NPM is... vague at best... misguiding at worst.

Despite this small victory, the following are still true:

  1. nginxproxymanager/nginx-proxy-manager:latest still exits immediately.
  2. jc21/nginx-proxy-manager:latest is the image I got working (however, I'll be pinning to 2.9.18, and manually updating image versions)
  3. The DEPRECATED sentiment on the jc21 image is ... wrong? Its supposed successor crashes on startup and isn't being regularly built

For those having trouble with NPM's SSL certification feature, please make certain that the IP of your server is still valid!


@moviemakr1620 commented on GitHub (Jan 15, 2024):

> The only way I was able to get SSL is to Add host and request the SSL through the Host setup process.
>
> Screenshot 2022-12-09 at 10 38 01

Same here, but I want to get a wildcard SSL. Doing it this way won't let me.


@smibrandon commented on GitHub (Apr 1, 2024):

I found a fix for my issue: allocating more storage space.

Running NPM in a Proxmox CT (no docker at all), and happened to catch that it was at 96% of its storage. I gave it some extra, and boom. Worked!


@Deses commented on GitHub (Apr 20, 2024):

Look. This might seem silly, but I was also having this problem.

Turns out my problem is that I enabled basic WAF protection in my Cloudflare to block anything not coming from Spain and to block Bots.

Well, obviously that blocked Let's Encrypt bot not residing on Spain. Duh. I disabled the filters and it's now working nicely.

I thought I'd leave my 5 cents here if anyone else has been having problems with this.


@RobustMarker commented on GitHub (Apr 25, 2024):

> Well, obviously that blocked Let's Encrypt bot not residing on Spain. Duh. I disabled the filters and it's now working nicely.

I had a very similar issue, along with my ISP blocking port 80 and not telling me. No wonder I couldn't renew my cert. (I'm also in Spain, maybe ISPs are renewing security configs?)

Thought I'd also leave my 5 cents.


@abduroshyd commented on GitHub (May 15, 2024):

> > https://old.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/k1b9fra/ Yeah this work.
>
> Thanks, it has fixed my issue. Thanks for sharing the fix.
>
> The following commands ran in the container fixed the issue.
> `cd /opt/certbot`
> `/opt/certbot/bin/pip install certbot==2.6.0`
> `/opt/certbot/bin/pip install -U certbot-dns-godaddy`
> `. /opt/certbot/bin/activate && pip install --upgrade pyopenssl`

Its not worked for me 🥲


@BartAgterbosch commented on GitHub (May 15, 2024):

> > > https://old.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/k1b9fra/ Yeah this work.
> >
> > Thanks, it has fixed my issue. Thanks for sharing the fix.
> > The following commands ran in the container fixed the issue.
> > `cd /opt/certbot`
> > `/opt/certbot/bin/pip install certbot==2.6.0`
> > `/opt/certbot/bin/pip install -U certbot-dns-godaddy`
> > `. /opt/certbot/bin/activate && pip install --upgrade pyopenssl`
>
> Its not worked for me 🥲

Did you by any chance disable "Block Common Exploits" before renewing the cert? If not then try that (Also wait an hour or so first if you've been spamming the renew button a lot)


@github-actions[bot] commented on GitHub (Nov 27, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@prom00 commented on GitHub (Nov 27, 2024):

I've been adding multiple domains lately and I didn't have any issues anymore. Seems like this has been fixed or it has fixed itself....


@EDIflyer commented on GitHub (Nov 27, 2024):

The issue for me was always with renewals rather than the initial domain add - #3121 fixes it for me though.


@prom00 commented on GitHub (Nov 27, 2024):

I just successfully (manually) refreshed my certs:
image


@EDIflyer commented on GitHub (Nov 27, 2024):

Interesting, all with local per site certs as opposed to DNS ones? Certainly when I tried latest recently it still didn't work and I had to rebase my PR onto latest to get it working (the ACME 'well-known' challenge wasn't getting through otherwise).


@prom00 commented on GitHub (Nov 27, 2024):

I used to have issues before too.

Those certs I just renewed are all like this:

subDomainA@domain.com
subDomainB@domain.com
subDomainC@domain.com
subDomainD@domain.com


@fquinto commented on GitHub (Feb 12, 2025):

The problem was with my DNS configuration. I was using a CNAME record, which I changed to an A record. This fixed the issue.


@github-actions[bot] commented on GitHub (Aug 17, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@timnolte commented on GitHub (Aug 17, 2025):

I'm not confident that this is actually fixed yet.


@rodoudcom commented on GitHub (Feb 23, 2026):

Feb 2026
