[GH-ISSUE #2536] Certificate Chain invalid with LE and NPM #1769

Closed
opened 2026-02-26 07:32:23 +03:00 by kerem · 4 comments

Originally created by @lordimac on GitHub (Jan 12, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2536

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
We are using NPM with Let's Encrypt certificates. After creating a host and issuing the certificate, everything works fine on modern browsers and the latest systems. The certificate is valid. But if we try to open the website on an older system, like Android 7, the SSL validation fails. It looks like this is because of an old and invalid root certificate. If we check the website with sslchecker.com, it also tells us that CHAIN CERT 1 and ROOT 1 are missing. If we check the chain details, we see that DST Root CA X3 and a NA cert have been invalid since 29/30 September 2021. If I check letsencrypt.org with sslchecker.com, everything is fine.

Nginx Proxy Manager Version
v2.9.19

To Reproduce
Steps to reproduce the behavior:
Create Cert for Domain and check with sslchecker.com

Screenshots
firefox_2023-01-12_11-26-03

Operating System
Android 7.0

kerem closed this issue and added the stale and bug labels on 2026-02-26 07:32:23 +03:00.

@lordimac commented on GitHub (Jan 12, 2023):

OK, I commented the following line in letsencrypt.ini:

`preferred-chain = ISRG Root X1`

After removing and reissuing the certificate, I get a valid chain.

firefox_2023-01-12_13-20-12


@Shineson1001 commented on GitHub (Jan 13, 2023):

Hi,

I have nearly the same problem. I downloaded the certificate from the NPM "SSL Certificates" page and use it with a GitLab server.
[screenshot]

If you use the "GitHub Desktop" Client and try to connect to the GitLab server, you get this error message:
[screenshot]

If you create the certificate with the certbot tool (Docker image "certbot/certbot": docker run -it certbot/certbot ....), the "GitHub Desktop" Client works fine; you do not get any error messages.

The chain.pem from NPM contains only one certificate; only the intermediate certificate from Let's Encrypt.

```
openssl crl2pkcs7 -nocrl -certfile ./npm/chain.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
```

The chain.pem from certbot contains two certificates.

```
openssl crl2pkcs7 -nocrl -certfile ./certbot/chain.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
```

Same with the fullchain.pem:
NPM contains two certificates and certbot contains three certificates.

Is it possible to create chain files with the complete chain?
=> chain.pem = intermediate and root certificate
=> fullchain.pem = intermediate, root and server certificate
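
An added example, not part of the original thread or of Nginx Proxy Manager: a Python sketch that parses the `-print_certs` output quoted in the comment above and reports how many certificates a chain file carries, whether they are in issuer order, and at which issuer names a client's path building can end if it holds that CA as a trust anchor. The function names and embedded sample strings are assumptions constructed from that output; the check compares names only and does not verify signatures or validity dates.

```python
import re

# Constructed samples: the two outputs quoted in the comment above.
NPM_CHAIN = """\
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""
CERTBOT_CHAIN = NPM_CHAIN + """
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
"""

def parse_print_certs(text):
    """Return [(subject, issuer), ...] in file order from -print_certs output."""
    certs, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):]
        elif line.startswith("issuer="):
            if subject is None:
                raise ValueError("issuer line without a preceding subject line")
            certs.append((subject, line[len("issuer="):]))
            subject = None
    if subject is not None:
        raise ValueError("subject line without a following issuer line")
    return certs

def common_name(dn):
    """Extract the CN from a distinguished name; fall back to the whole DN."""
    m = re.search(r"(?:^|,\s*)CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn

def describe_chain(text):
    certs = parse_print_certs(text)
    if not certs:
        raise ValueError("no certificates found")
    # In a well-ordered bundle each certificate is issued by the next one.
    ordered = all(certs[i][1] == certs[i + 1][0] for i in range(len(certs) - 1))
    return {
        "count": len(certs),
        "ordered": ordered,
        # True when the last certificate is a self-signed root shipped in the file.
        "root_included": certs[-1][0] == certs[-1][1],
        # A client needs at least one of these CAs in its trust store.
        "usable_anchors": [common_name(issuer) for _, issuer in certs],
    }
```

Running `describe_chain` on both samples shows the difference the thread is about: the one-certificate chain can only end at ISRG Root X1, while the two-certificate chain can also end at DST Root CA X3.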


@github-actions[bot] commented on GitHub (Jan 30, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@github-actions[bot] commented on GitHub (Mar 16, 2025):

Issue was closed due to inactivity.
