[GH-ISSUE #2258] LetsEncrypt Fails When Force SSL is On #1607

Closed
opened 2026-02-26 07:31:45 +03:00 by kerem · 2 comments

Originally created by @MeCJay12 on GitHub (Sep 9, 2022).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2258

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
Running NPM behind an Nginx reverse proxy on port 80 (not 443). This is so that Nginx can dynamically redirect LetsEncrypt challenges to any domain rather than having to enter every domain.sub-domain into HAProxy on my router. When behind Nginx, NPM is upgrading LetsEncrypt challenges to HTTPS when the Force SSL switch is on. When the switch is off, LetsEncrypt works correctly.

Nginx Proxy Manager Version
v2.9.18

To Reproduce
NPM:

docker run -d \
    --restart always \
    --network better_bridge \
    --name NPM \
    -p 80:80 \
    -p 81:81 \
    -p 443:443 \
    -v /mnt/Docker/NPM/data/:/data/ \
    -v /mnt/Docker/NPM/certs/:/etc/letsencrypt/ \
    -v /mnt/Docker/NPM/conf.d/resolvers.conf:/etc/nginx/conf.d/include/resolvers.conf:ro \
    -e DB_MYSQL_HOST="MySQL." \
    -e DB_MYSQL_PORT=3306 \
    -e DB_MYSQL_USER="NPM" \
    -e DB_MYSQL_PASSWORD="password" \
    -e DB_MYSQL_NAME="NPM" \
    -e X_FRAME_OPTIONS="sameorigin" \
    -e TZ="America/New_York" \
    jc21/nginx-proxy-manager

For questions about the resolvers mount see https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2241.

No config in Custom Locations or Advanced; Most importantly, Force SSL is on:

Proxy1 (screenshot): https://user-images.githubusercontent.com/43658705/189271559-8de40f8a-3c40-45cd-b396-3ff9020496a1.png
Proxy2 (screenshot): https://user-images.githubusercontent.com/43658705/189271660-aafae9a3-2e12-477b-ad2f-4a0cbfd0b56d.png

Nginx proxy in front of NPM:

docker run -d \
    --restart always \
    --network better_bridge \
    -p 82:80 \
    --name Nginx \
    -v /mnt/Docker/Nginx/:/etc/nginx/conf.d/:ro \
    nginx

Where the conf file mounted is:

server {
        listen 80;
        listen [::]:80;

        # Docker's embedded DNS, so the $host used in proxy_pass below is
        # resolved per request instead of at config load time
        resolver 127.0.0.11 valid=10s;

        # Pass ACME HTTP-01 challenges through over plain HTTP.
        # Caveat: $host is the client-supplied Host header, so this block
        # proxies to whatever name the resolver returns for it. On an
        # internet-facing listener, restrict it to your own domains
        # (e.g. a map/allow-list) rather than accepting any Host value.
        location ^~ /.well-known/acme-challenge/ {
                proxy_pass http://$host$request_uri;
        }

        # Everything else is redirected to HTTPS
        location / {
                return 301 https://$host$request_uri;
        }
}

Otherwise, port 80 on my firewall is forwarded to port 82 on my docker host. The ideal flow is ext_ip:80 -> docker:82 -> Nginx container -> NPM, which is working, but when I pcap my bridge network while running a LetsEncrypt renewal (dry-run) I see the LE challenges being upgraded to HTTPS and the client is reporting a timeout:

PCAP (screenshot): https://user-images.githubusercontent.com/43658705/189272801-de5e6b46-b9fe-4835-8d7e-23801bd8800f.png

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-10.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for oc.example.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: oc.example.com
  Type:   connection
  Detail: 1.2.3.4: Fetching https://oc.example.com/.well-known/acme-challenge/YbSLIC2rTEvvQKGEoM2Q5WeNWIfmsJdgS0h6BbPie3w: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate npm-10 with error: Some challenges have failed.

Expected behavior
LetsEncrypt should be able to renew certs behind another Nginx proxy.

Operating System
Ubuntu 20

kerem 2026-02-26 07:31:45 +03:00: closed this issue and added the bug label.

@Schlumpf9 commented on GitHub (Sep 9, 2022):

push, btw duplicate https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1625


@MeCJay12 commented on GitHub (Sep 9, 2022):

Whoops
