[GH-ISSUE #2254] wrong certificate being served after editing access list #1606

Closed
opened 2026-02-26 07:31:45 +03:00 by kerem · 11 comments
Owner

Originally created by @watn3y on GitHub (Sep 6, 2022).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2254

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
Sometimes, and I can't really pin down when, HTTPS sites added in NPM break. This can happen after a container restart or during normal operation. When this happens, Chrome reports either ERR_HTTP2_PROTOCOL_ERROR or NET::ERR_CERT_AUTHORITY_INVALID with a certificate issued to and from localhost. Restarting the container or the host doesn't seem to fix this issue.

Accessing the same URL over HTTP instead of HTTPS works perfectly fine.

The only reliable way to fix this seems to be to click Edit and then Save on each individual Proxy Host.

Nginx Proxy Manager Version
v2.9.18

Expected behavior
NPM directs the traffic normally

Screenshots
[screenshot]

Operating System
debian 11

kerem 2026-02-26 07:31:45 +03:00 closed this issue and added the "bug" label.

@qbiecom commented on GitHub (Sep 11, 2022):

I can replicate this: if I edit the whitelist which is applied to my sites, I get the 'localhost' certificate.

The steps detailed (clicking on each site to edit, then saving without changing anything) fix it.


@timothevs commented on GitHub (Sep 26, 2022):

I too can replicate this - same steps as above. It is a pain to go through 30+ sites every few weeks.


@tsvane commented on GitHub (Oct 4, 2022):

Same problem here. Here's a dump of the config before and after reapplying settings through the WebUI.

Take a look at the sections around the "listen 443" settings (line 14-15) and "Let's Encrypt" (line 21-25); it seems that parts of the config are replaced by whitespace.

[screenshot]

Before:

# ------------------------------------------------------------
# nginxpm.______.dk
# ------------------------------------------------------------


server {
  set $forward_scheme http;
  set $server         "docker3.______.local";
  set $port           18081;

  listen 80;
#listen [::]:80;

					 
				 


  server_name nginxpm.______.dk;


					 
														 
										  
															
															  




# Asset Caching
  include conf.d/include/assets.conf;


  # Block Exploits
  include conf.d/include/block-exploits.conf;







			   
										  





  access_log /data/logs/proxy-host-1_access.log proxy;
  error_log /data/logs/proxy-host-1_error.log warn;







  location / {




    # Access Rules
    allow 192.168.30.100;
    allow 192.168.30.200;
    allow 192.168.30.0/24;
    deny all;

    # Access checks must...

    satisfy all;









    # Proxy!
    include conf.d/include/proxy.conf;
  }


  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

After:

# ------------------------------------------------------------
# nginxpm.______.dk
# ------------------------------------------------------------


server {
  set $forward_scheme http;
  set $server         "docker3.______.local";
  set $port           18081;

  listen 80;
#listen [::]:80;

listen 443 ssl http2;
#listen [::]:443;


  server_name nginxpm.______.dk;


  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-2/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-2/privkey.pem;




# Asset Caching
  include conf.d/include/assets.conf;


  # Block Exploits
  include conf.d/include/block-exploits.conf;







    # Force SSL
    include conf.d/include/force-ssl.conf;





  access_log /data/logs/proxy-host-1_access.log proxy;
  error_log /data/logs/proxy-host-1_error.log warn;







  location / {




    # Access Rules
    allow 192.168.30.100;
    allow 192.168.30.200;
    allow 192.168.30.0/24;
    deny all;

    # Access checks must...

    satisfy all;









    # Proxy!
    include conf.d/include/proxy.conf;
  }


  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}
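An added detection check, not code from this thread or from the NPM project: it parses rendered proxy-host confs and reports hosts whose `listen 443 ssl`, `ssl_certificate` and `ssl_certificate_key` directives have disappeared, which is the state behind the 'localhost' certificate reports above. The two sample confs are constructed, trimmed copies of the before/after dump; the `/data/nginx/proxy_host` directory is assumed from the cron workaround posted later in the thread.

```python
import re
from pathlib import Path
from typing import Dict, List
# Constructed samples: trimmed copies of the "before" (broken) and
# "after" (healthy) proxy-host confs quoted in this thread.
BROKEN_CONF = """
server {
  listen 80;
  server_name nginxpm.example.dk;
  include conf.d/include/proxy.conf;
}
"""
HEALTHY_CONF = """
server {
  listen 80;
  listen 443 ssl http2;
  #listen [::]:443;
  server_name nginxpm.example.dk;
  include conf.d/include/letsencrypt-acme-challenge.conf;
  ssl_certificate /etc/letsencrypt/live/npm-2/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-2/privkey.pem;
  include conf.d/include/force-ssl.conf;
}
"""

# Directives NPM renders for a host with a certificate attached; commented-out
# lines such as '#listen [::]:443;' deliberately do not count.
TLS_MARKERS = {
    "listen_443": re.compile(r"^\s*listen\s+(\[::\]:)?443\b.*\bssl\b", re.M),
    "ssl_certificate": re.compile(r"^\s*ssl_certificate\s+\S+;", re.M),
    "ssl_certificate_key": re.compile(r"^\s*ssl_certificate_key\s+\S+;", re.M),
}

def tls_state(conf_text: str) -> Dict[str, bool]:
    """Which TLS directives are present in one rendered proxy-host conf."""
    return {name: bool(rx.search(conf_text)) for name, rx in TLS_MARKERS.items()}

def lost_tls(previous: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Directives present in an earlier snapshot but missing now (a regression)."""
    return sorted(k for k in previous if previous[k] and not current.get(k, False))

def hosts_missing_tls(confs: Dict[str, str]) -> List[str]:
    """Confs with no TLS directive at all: the state behind the 'localhost' cert reports."""
    return sorted(n for n, text in confs.items() if not any(tls_state(text).values()))

def scan_dir(path: str = "/data/nginx/proxy_host") -> List[str]:
    """Scan the live conf directory (path assumed from the cron workaround in this thread)."""
    return hosts_missing_tls({p.name: p.read_text() for p in Path(path).glob("*.conf")})
```

Run `scan_dir()` from a cron job inside the container and alert on a non-empty result; keeping the previous `tls_state()` per host and diffing with `lost_tls()` tells you which directives vanished after an access-list edit.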

@rachelf42 commented on GitHub (Oct 7, 2022):

Same problem here, same solution.
I did notice that it happened when I saved a modification to my restricted access list, and it only affected vhosts set to that access list.


@outerregion commented on GitHub (Nov 12, 2022):

Adding this here as I had opened #2392 for the same issue. A short-term, brute-force workaround is a cron job to back up any .conf that contains letsencrypt every other minute and put it back every 5 minutes. It's messy, but it's keeping the SSL for now.

# every 5 minutes: restore the backed-up confs into the live proxy_host directory
*/5 * * * * rsync -az /root/npm/ /root/docker/nginx-proxy-manager/data/nginx/proxy_host/ >/dev/null 2>&1
# every other minute: back up each conf that still contains the Let's Encrypt include (find's ';' terminators must be escaped as '\;')
1-59/2 * * * * find . -type f -exec grep -lr "letsencrypt-acme-challenge" {} \; -exec cp -r {} /root/npm/ \; >/dev/null 2>&1


@derekoharrow commented on GitHub (Nov 21, 2022):

Just wanted to add a 'me too' to this - same problem, same workaround. Annoying when you have lots of proxy hosts that you manually have to edit and save (or disable/enable).


@tsvane commented on GitHub (Nov 23, 2022):

Automation of the Edit+Save workaround with PowerShell

$Username = ""
$Password = ""
$NginxPMServer = "http://<ip>:<port>"

# Log in and obtain a Bearer token
$LoginResponse = Invoke-WebRequest -UseBasicParsing -Uri "$($NginxPMServer)/api/tokens" -Method "POST" -ContentType "application/json; charset=UTF-8" -Body "{`"identity`":`"$($Username)`",`"secret`":`"$($Password)`"}"
$Bearer = ($LoginResponse.Content | ConvertFrom-Json).token
$AuthHeaders = @{ "authorization" = "Bearer $($Bearer)" }

# Request the current proxy-host list from Nginx Proxy Manager
$CurrentConfigResponse = Invoke-WebRequest -UseBasicParsing -Uri "$($NginxPMServer)/api/nginx/proxy-hosts?expand=owner,access_list,certificate" `
    -Method "GET" -Headers $AuthHeaders -ContentType "application/json; charset=UTF-8"
$CurrentConfig = $CurrentConfigResponse.Content | ConvertFrom-Json

# PUT every host back unchanged so NPM re-renders its conf file (same effect as Edit + Save in the UI)
for ($i = 0; $i -lt $CurrentConfig.Count; $i++) {
    $Config = $CurrentConfig[$i]
    $HostID = $Config.id

    # Send back only the writable fields; -Depth keeps the nested 'locations' and 'meta' objects intact
    $PutObject = $Config | Select-Object domain_names, forward_scheme, forward_host, forward_port, caching_enabled, block_exploits, allow_websocket_upgrade, access_list_id, certificate_id, ssl_forced, http2_support, meta, advanced_config, locations, hsts_enabled, hsts_subdomains | ConvertTo-Json -Depth 10

    Write-Host "[$(($i+1).ToString().PadLeft(3," ")) of $($CurrentConfig.Count) ] Updating config for Proxy Host #$($HostID)"
    Write-Host "`tDomain:  $($Config.domain_names[0])"

    $PutStatistics = Measure-Command -Expression {
        Invoke-WebRequest -UseBasicParsing -Uri "$($NginxPMServer)/api/nginx/proxy-hosts/$($HostID)" `
            -Method "PUT" -Headers $AuthHeaders -ContentType "application/json; charset=UTF-8" -Body $PutObject
    }

    Write-Host "`tCompleted in $([math]::Round($PutStatistics.TotalMilliseconds)) ms"
}

@tayfunyasar commented on GitHub (Dec 3, 2022):

I'm having same problem.


@peterge1998 commented on GitHub (Dec 18, 2022):

When I set everything up a month ago, everything was working fine. Today my site just shows this when accessed through Firefox:
[screenshot]


@qwrtty commented on GitHub (Dec 27, 2022):

I am also experiencing this issue on v2.9.19, every time I add a new user to an Access List. The workaround by @tsvane works, but I'm really looking forward to the day this is fixed.


@adrichman commented on GitHub (Dec 29, 2022):

Can confirm I'm experiencing this consistently whenever there's a restart of a backend service container that's being proxied to through NPM.

Reference
starred/nginx-proxy-manager-NginxProxyManager#1606