[GH-ISSUE #2713] SSL/Let's encrypt not working anymore after update or any other version #1872

Open
opened 2026-02-26 07:32:49 +03:00 by kerem · 73 comments

Originally created by @greenfishgit23222 on GitHub (Mar 19, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2713

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

Received an email from Let's Encrypt that I had to update my SSL certificate. Went into Nginx Proxy Manager, cert renewal, got internal error, saw something about certbot failure. Saw on this forum a lot of users had similar issues. Tried reverting to older versions but still the same error. Have tried to re-install/delete everything from scratch but SSL cert fails every time. I'm not adept at all when it comes to SSL/reverse proxy but so far Nginx Proxy Manager was the only solution working for me a few months ago with reverse proxy. Now I'm at a total loss what to do.

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-2" --agree-tos --authenticator webroot --email "admindfdfdf@tutanota.com" --preferred-challenges "dns,http" --domains "phofsddd.duckdns.org"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Nginx Proxy Manager Version

2.9.21
2.9.20
2.9.19


@riddertommie commented on GitHub (Mar 19, 2023):

Same here.

Let me know if i can do/test/provide something.

Working with docker version v2.9.21


@greenfishgit23222 commented on GitHub (Mar 19, 2023):

> Same here.
>
> Let me know if i can do/test/provide something.
>
> Working with docker version v2.9.21

After 5 hours of headache I managed to finally get the ssl up and running again!!!

But after 30-60 days when Let's Encrypt needs renewal I'm afraid this headache will start again because renew SSL doesn't work for me on any of the versions. I have to delete the entire container+config and start from scratch.

What worked for me and it's something I never used before is you go into the category create ssl-certificates, add dns-challenge (new for me) and choose your dns provider and provide your token. Then add your host and point your ssl to your newly created ssl certificate. This only works for me on 2.9.19.

Steps that worked for me

  • Using only version 2.9.19, anything newer doesn't work for me (tried the most recent build an hour ago pr-2672 by jc21)
  • SSL Certificates - Add SSL-Certificate -> Add Let's Encrypt Certificate
  • Use a DNS challenge (never worked before for me)
  • DNS provider+token
  • Go back into Proxy hosts, choose your newly added ssl certificate, force ssl, HTTP/2 support rest is optional for your setup.

I used this docker-compose-yml

```yaml
version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:github-pr-2411'
    restart: unless-stopped
    ports:
      - '80:80'    # HTTP (also used by the Let's Encrypt http challenge)
      - '81:81'    # NPM admin UI
      - '443:443'  # HTTPS
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
```


@jc21 commented on GitHub (Mar 19, 2023):

I can confirm that using 2.9.21 works perfectly fine when requesting an SSL cert using the HTTP method, as long as your DNS settings for the requesting domain point directly to NPM.

I can also confirm that manual renewal of this certificate also works fine, as long as the proxy host for it still exists.


@riddertommie commented on GitHub (Mar 20, 2023):

Hi, it's still not working for me.

I'm investigating a bit but can't figure it out, help is appreciated.

I have several certificates running and the existing ones work just fine and follow the same configuration and hardware as the ones that have expired and I can't renew.

But I can't manage to request new ones or redo old ones (I did too many requests now so I have to wait until tomorrow, I think, to check again).

At first I thought it might have to do with pi-hole but my server ignores that and when I turn off pi-hole it doesn't work either. Could it be that the requests are coming through ipv6 and I haven't configured that? I'm using DISABLE_IPV6: 'true'

I just don't understand the necessity of -Use a DNS challenge- I use stator as a provider, is this necessary?

I'm a bit stuck. any help is welcome.

Thanks!

Short update: if I press a still working URL within NPM it is going fine; if I do 'test server reach-ability' I get

> Communication with the API failed, is NPM running correctly?


@EDIflyer commented on GitHub (Mar 20, 2023):

> I can confirm that using 2.9.21 works perfectly fine when requesting a SSL cert using HTTP method just fine, as long as your DNS settings for the domain requesting point directly to NPM.
>
> I can also confirm that manual renewal of this certificate also works fine, as long as that the proxy host for it still exists.

Thanks @jc21 - sounds good. Does that mean it should have fixed the issues raised in https://github.com/NginxProxyManager/nginx-proxy-manager/issues/396 too? It's just I'm still seeing those renewal errors on some sites...

03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [Nginx    ] › ℹ  info      Reloading Nginx
03/20/2023 6:29:14 PM
[3/20/2023] [6:29:14 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
03/20/2023 6:29:14 PM
Failed to renew certificate npm-4 with error: Some challenges have failed.
03/20/2023 6:29:14 PM
Failed to renew certificate npm-6 with error: Some challenges have failed.
03/20/2023 6:29:14 PM
All renewals failed. The following certificates could not be renewed:
03/20/2023 6:29:14 PM
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
03/20/2023 6:29:14 PM
  /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
03/20/2023 6:29:14 PM
2 renew failure(s), 0 parse failure(s)

@renan-infonacci commented on GitHub (Mar 22, 2023):

I'm having the same problem to revalidate the certificate, I already went back to the version mentioned above and I still couldn't validate it.

What I'm not getting is the DNS + Token to place and generate the certificate, where do I find this within Cloudflare?


@themegabyte commented on GitHub (Mar 25, 2023):

@EDIflyer Worth checking /var/log/letsencrypt.log by doing:

less /var/log/letsencrypt/letsencrypt.log

inside the docker container.


@EDIflyer commented on GitHub (Mar 25, 2023):

Thanks @themegabyte - had a look and it seems to have a few attempts that show as pending before it returns an invalid:

2023-03-25 22:23:48,996:INFO:certbot._internal.auth_handler:Challenge failed for domain [mysubdomain.tld]
2023-03-25 22:23:48,996:INFO:certbot._internal.auth_handler:http-01 challenge for [mysubdomain.tld]
2023-03-25 22:23:48,996:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: [mysubdomain.tld]
  Type:   connection
  Detail: 85.159.208.227: Fetching https://[mysubdomain.tld]/.well-known/acme-challenge/bbYQWve03QzcXqE8BT8ATSt-CuvNJ2kiWhFdCv5KjAI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-03-25 22:23:49,004:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-03-25 22:23:49,005:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-03-25 22:23:49,005:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-03-25 22:23:49,005:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/bbYQSve03QzcXqE5BT8ATSt-CuvNJ2kiWhFdCv5KjAI
2023-03-25 22:23:49,006:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-03-25 22:23:49,007:ERROR:certbot._internal.renewal:Failed to renew certificate npm-12 with error: Some challenges have failed.
2023-03-25 22:23:49,016:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 525, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1547, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 387, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

The weird thing is if I delete and recreate it then it seems to work OK, at least until it is due for renewal. I can provide more log file info if helpful (not sure if there are any other more relevant bits I've missed).

UPDATE: From searching open issues I see lots of others with similar problems: https://github.com/NginxProxyManager/nginx-proxy-manager/issues?q=%22The+Certificate+Authority+failed+to+download+the+temporary+challenge+files+created+by+Certbot%22+

In particular #2258 #1625 #2565 seem to confirm an issue with 'force SSL' not letting the LetsEncrypt SSL renewal through on port 80. PR #2038 seems to be a fix but hasn't been merged - @jc21 not sure if you would be able to consider that?

I've now manually gone through each of the 8 proxy hosts (thankfully not as many on this server!) and switched off 'force SSL'. When I tried to renew I got the 'another instance of certbot is already running' error (see #918), despite nothing obviously being in progress. I then ran find / -type f -name ".certbot.lock" -exec rm {} \; and then finally managed to manually renew each certificate via the SSL page on the NPM frontend. So it's great that it has worked for another 3 months, but clearly quite a hassle to have to keep doing it this way and I'd prefer to be able to leave 'force SSL' set to on.
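A log excerpt like the one in the comment above can be triaged mechanically. The following is an added example, not part of the original comment and not Nginx Proxy Manager or certbot code: it parses the "Certificate Authority reported these problems" block of `letsencrypt.log` and flags failures where the fetch was already on `https://`, which means the http-01 validator was redirected away from port 80 before the connection failed. The sample log, its domains, address and tokens are constructed placeholders, and `parse_failures`, `diagnose` and `report` are hypothetical names.

```python
"""Triage CA-reported challenge failures found in certbot's letsencrypt.log."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample, modelled on the excerpt quoted in the thread.
# Domains, address and tokens are placeholders, not values from the issue.
SAMPLE_LOG = """\
2023-03-25 22:23:48,996:INFO:certbot._internal.auth_handler:Challenge failed for domain app.example.test
2023-03-25 22:23:48,996:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: app.example.test
  Type:   connection
  Detail: 203.0.113.10: Fetching https://app.example.test/.well-known/acme-challenge/TOKEN-A: Timeout during connect (likely firewall problem)

  Domain: git.example.test
  Type:   connection
  Detail: 203.0.113.10: Fetching http://git.example.test/.well-known/acme-challenge/TOKEN-B: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot.
2023-03-25 22:23:49,007:ERROR:certbot._internal.renewal:Failed to renew certificate npm-12 with error: Some challenges have failed.
"""

FIELD_RE = re.compile(r"^\s*(Domain|Type|Detail):\s*(.*)$")
URL_RE = re.compile(r"(https?://[^\s\"]+?)(?::\s|\s|$)")

ADVICE = {
    "redirect-to-https-timeout": "validator was redirected from port 80 to https:// and the "
    "connection timed out; check that 443 is reachable from the internet or stop "
    "redirecting /.well-known/acme-challenge/ (the thread links this to 'force SSL')",
    "port-80-timeout": "validator could not connect on port 80; check port forwarding, "
    "firewall rules and that DNS points at the proxy",
    "other": "see the Detail text",
}


@dataclass
class Failure:
    domain: str
    kind: str            # the "Type:" field, e.g. connection, unauthorized, dns
    detail: str
    addr: Optional[str]  # address the CA reports at the start of Detail, if any
    url: Optional[str]   # URL the CA was fetching when it failed, if any

    @property
    def scheme(self) -> Optional[str]:
        return urlsplit(self.url).scheme if self.url else None


def _leading_addr(detail: str) -> Optional[str]:
    """Return the IPv4/IPv6 address that prefixes Detail, or None."""
    head = detail.split(": ", 1)[0]
    try:
        return str(ipaddress.ip_address(head))
    except ValueError:
        return None


def parse_failures(log_text: str) -> List[Failure]:
    """Collect every Domain/Type/Detail triple in the log."""
    failures: List[Failure] = []
    current: dict = {}
    for line in log_text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Domain":
            current = {"Domain": value}   # a new problem entry starts here
        else:
            current[key] = value
        if key == "Detail" and "Domain" in current:
            url = URL_RE.search(value)
            failures.append(Failure(current["Domain"], current.get("Type", ""), value,
                                    _leading_addr(value), url.group(1) if url else None))
            current = {}
    return failures


def diagnose(f: Failure) -> str:
    """Map one failure to a key of ADVICE."""
    timed_out = "Timeout during connect" in f.detail
    if timed_out and f.scheme == "https":
        return "redirect-to-https-timeout"
    if timed_out and f.scheme == "http":
        return "port-80-timeout"
    return "other"


def report(log_text: str) -> List[str]:
    """One human-readable line per failed domain."""
    return [f"{f.domain} (CA contacted {f.addr or 'unknown'}): {ADVICE[diagnose(f)]}"
            for f in parse_failures(log_text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Compare the reported address with the public IP of the proxy: if they differ, the DNS record is pointing somewhere else and neither port check applies.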


@themegabyte commented on GitHub (Mar 25, 2023):

Thank you for posting @EDIflyer. I had the exact same issue, Timeout during connect. I had to disable my hosts to get the auto renew to work. It worked smoothly but manually.

I manually tried to access /.well-known/acme-challenge/, and I saw that it was redirecting towards my drone CI container instead of whatever it was supposed to go to (this could be the wrong way to test, however, as certbot doesn't place the files for that long to test I think...).

However, I had another version working on a separate production server and I saw no issues there... I will report back with more data if I have.


@sanderlv commented on GitHub (Apr 1, 2023):

I may not swear! But FFS, I have this issue.

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-39" --agree-tos --authenticator webroot --email "mail@domain.com" --preferred-challenges "dns,http" --domains "mail.domain.com"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

I had this with 2.9.19 and still when I pulled 2.10.2

Now I cannot renew any domain anymore!

HELP is very much appreciated and needed!

I tried normal challenge and (new?) dns challenge (but not sure if I did that right since I use a *.domain.com dyn dns with Joker)

It always worked well and I also managed to create around 30 certs successfully

HELP

Some more logging:

[4/1/2023] [5:41:06 PM] [SSL      ] › ℹ  info      Testing http challenge for mail.domain.com

Uncaught SyntaxError: Unexpected end of JSON input

FROM

bash: line 1:   146 Trace/breakpoint trap   (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js

❯ Starting backend ...

[4/1/2023] [5:41:08 PM] [Global   ] › ℹ  info      Using Sqlite: /data/database.sqlite

[4/1/2023] [5:41:09 PM] [Migrate  ] › ℹ  info      Current database version: none

[4/1/2023] [5:41:09 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized

[4/1/2023] [5:41:09 PM] [Setup    ] › ℹ  info      Logrotate completed.

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6

[4/1/2023] [5:41:09 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized

[4/1/2023] [5:41:09 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized

[4/1/2023] [5:41:09 PM] [Global   ] › ℹ  info      Backend PID 448 listening on port 3000 ...

[4/1/2023] [5:41:09 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation  

Another instance of Certbot is already running.

    at ChildProcess.exithandler (node:child_process:402:12)

    at ChildProcess.emit (node:events:513:28)

    at maybeClose (node:internal/child_process:1100:16)

    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

[4/1/2023] [5:43:54 PM] [SSL      ] › ℹ  info      Revoking Let'sEncrypt certificates for Cert #29: mail.domain.com

[4/1/2023] [5:43:54 PM] [SSL      ] › ℹ  info      Command: certbot revoke --config "/etc/letsencrypt.ini" --cert-path "/etc/letsencrypt/live/npm-29/fullchain.pem" --delete-after-revoke ; rm -f '/etc/letsencrypt/credentials/credentials-29' || true

[4/1/2023] [5:43:55 PM] [SSL      ] › ℹ  info      Deleted all files relating to certificate npm-29.

Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/npm-29/fullchain.pem.

[4/1/2023] [5:44:13 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:44:18 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #39: mail.domain.com

[4/1/2023] [5:44:18 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-39" --agree-tos --authenticator webroot --email "nginx@domain.com" --preferred-challenges "dns,http" --domains "mail.domain.com" 

[4/1/2023] [5:44:30 PM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/temp/letsencrypt_39.conf

[4/1/2023] [5:44:30 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:44:30 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-39" --agree-tos --authenticator webroot --email "nginx@domain.com" --preferred-challenges "dns,http" --domains "mail.domain.com" 

Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

[4/1/2023] [5:45:18 PM] [SSL      ] › ℹ  info      Testing http challenge for mail.domain.com

Uncaught SyntaxError: Unexpected end of JSON input

FROM

bash: line 1:   448 Trace/breakpoint trap   (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js

❯ Starting backend ...

[4/1/2023] [5:45:19 PM] [Global   ] › ℹ  info      Using Sqlite: /data/database.sqlite

[4/1/2023] [5:45:20 PM] [Migrate  ] › ℹ  info      Current database version: none

[4/1/2023] [5:45:20 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized

[4/1/2023] [5:45:20 PM] [Setup    ] › ℹ  info      Logrotate completed.

[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...

[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json

[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4

[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6

[4/1/2023] [5:45:20 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized

[4/1/2023] [5:45:20 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...

[4/1/2023] [5:45:21 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized

[4/1/2023] [5:45:21 PM] [Global   ] › ℹ  info      Backend PID 1242 listening on port 3000 ...

[4/1/2023] [5:46:54 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:46:54 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via Joker for Cert #40: mail.domain.com

[4/1/2023] [5:46:54 PM] [SSL      ] › ℹ  info      Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_joker_username = no

dns_joker_password = no

dns_joker_domain = domain.com' > '/etc/letsencrypt/credentials/credentials-40' && chmod 600 '/etc/letsencrypt/credentials/credentials-40' && . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-joker~=1.1.0  && deactivate && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-40" --agree-tos --email "nginx@domain.com" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-40"

[4/1/2023] [5:46:56 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:46:56 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-40" --agree-tos --email "nginx@domain.com" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-40"

Another instance of Certbot is already running.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-i26wbiq9/log or re-run Certbot with -v for more details.

[4/1/2023] [5:47:07 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:47:07 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via Joker for Cert #41: mail.domain.com

[4/1/2023] [5:47:07 PM] [SSL      ] › ℹ  info      Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_joker_username = no

dns_joker_password = no

dns_joker_domain = *.domain.com' > '/etc/letsencrypt/credentials/credentials-41' && chmod 600 '/etc/letsencrypt/credentials/credentials-41' && . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-joker~=1.1.0  && deactivate && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-41" --agree-tos --email "nginx@domain.com" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-41"

[4/1/2023] [5:47:08 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:47:08 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-41" --agree-tos --email "nginx@domain.com" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-41"

Another instance of Certbot is already running.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-5s6n3w19/log or re-run Certbot with -v for more details.

[4/1/2023] [5:49:19 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation  

Failed to renew certificate npm-30 with error: Some challenges have failed.

Failed to renew certificate npm-31 with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:

  /etc/letsencrypt/live/npm-30/fullchain.pem (failure)

  /etc/letsencrypt/live/npm-31/fullchain.pem (failure)

2 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:402:12)

    at ChildProcess.emit (node:events:513:28)

    at maybeClose (node:internal/child_process:1100:16)

    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

[4/1/2023] [5:52:45 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:52:50 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #42: mail.domain.com

[4/1/2023] [5:52:50 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-42" --agree-tos --authenticator webroot --email "mail@domain.nl" --preferred-challenges "dns,http" --domains "mail.domain.com" 

[4/1/2023] [5:53:05 PM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/temp/letsencrypt_42.conf

[4/1/2023] [5:53:05 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:53:05 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-42" --agree-tos --authenticator webroot --email "mail@domain.nl" --preferred-challenges "dns,http" --domains "mail.domain.com" 

Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

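EDIT:
Any renewal gives me:
![image](https://user-images.githubusercontent.com/16528916/229307418-d3e7807b-c30b-483f-ab76-0fee40f571f0.png)

Any creation gives me above error...

**This is a major issue**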
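Added example (not part of the original comments and not Nginx Proxy Manager code): a triage script for the backend log format posted above. It separates certbot lock contention from real challenge failures and flags backend crashes, so lock errors are not mistaken for validation problems. The sample log is constructed and abridged from that format, `mail.example.com` is a placeholder domain, and all function names are hypothetical.

```python
import re
from collections import Counter

# A backend record starts with "[date] [time] [Component] › <icon> <level> <message>".
# Lines without that prefix (certbot stderr, Node stack traces) belong to the
# record above them.
HEADER = re.compile(
    r"^\[(?P<date>[^\]]+)\] \[(?P<time>[^\]]+)\] \[(?P<component>[^\]]+)\] › "
    r"\S+\s+(?P<level>\w+)\s+(?P<msg>.*)$"
)
CERT_NAME = re.compile(r'--cert-name "(npm-\d+)"')
RENEW_FAIL = re.compile(r"Failed to renew certificate (npm-\d+) with error: (.+)")

# certbot message -> failure class
REASONS = {
    "Another instance of Certbot is already running.": "lock_contention",
    "Some challenges have failed.": "challenge_failed",
}

# Constructed sample, abridged from the log format shown in the comment above.
SAMPLE_LOG = """\
[4/1/2023] [5:44:30 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-39" --authenticator webroot --domains "mail.example.com"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
[4/1/2023] [5:45:18 PM] [SSL      ] › ℹ  info      Testing http challenge for mail.example.com
Uncaught SyntaxError: Unexpected end of JSON input
bash: line 1:   448 Trace/breakpoint trap   (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js
[4/1/2023] [5:45:21 PM] [Global   ] › ℹ  info      Backend PID 1242 listening on port 3000 ...
[4/1/2023] [5:46:56 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-40" --authenticator dns-joker
Another instance of Certbot is already running.
[4/1/2023] [5:49:19 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini"
Failed to renew certificate npm-30 with error: Some challenges have failed.
Failed to renew certificate npm-31 with error: Some challenges have failed.
2 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:402:12)
"""


def parse_records(text):
    """Group raw lines into records: one header line plus its continuation lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue  # the pasted log has a blank line between entries
        match = HEADER.match(line)
        if match:
            record = match.groupdict()
            record["component"] = record["component"].strip()
            record["body"] = []
            records.append(record)
        elif records:
            records[-1]["body"].append(line.strip())
    return records


def triage(text):
    """Return (time, kind, cert_name) for every crash or certbot failure."""
    findings = []
    for record in parse_records(text):
        body = record["body"]
        # The Node backend died while handling this record.
        if any("(core dumped)" in line for line in body):
            findings.append((record["time"], "backend_crash", None))
            continue
        if "Command failed: certbot" not in record["msg"]:
            continue
        # "certbot renew" reports one line per certificate.
        per_cert = [m for m in map(RENEW_FAIL.match, body) if m]
        if per_cert:
            for m in per_cert:
                kind = REASONS.get(m.group(2), "other")
                findings.append((record["time"], kind, m.group(1)))
            continue
        # "certbot certonly" names the certificate in the command line itself.
        cert = CERT_NAME.search(record["msg"])
        kinds = [REASONS[line] for line in body if line in REASONS]
        findings.append((
            record["time"],
            kinds[0] if kinds else "other",
            cert.group(1) if cert else None,
        ))
    return findings


def summarize(findings):
    """Count findings per failure class."""
    return dict(Counter(kind for _, kind, _ in findings))


def certs_with_failed_challenges(findings):
    """Certificates whose validation actually ran and failed (not lock errors)."""
    return sorted({cert for _, kind, cert in findings
                   if kind == "challenge_failed" and cert})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for row in results:
        print(row)
    print(summarize(results))
    print(certs_with_failed_challenges(results))
```

Only the `challenge_failed` certificates are worth checking for reachability; a `lock_contention` entry means the request never reached validation because another certbot process held the lock.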


@EDIflyer commented on GitHub (Apr 1, 2023):

@sanderlv see my post above - the workaround that did the trick for me was running the command within the container to kill off duplicate certbot instances/locks and then switching off force SSL before trying to renew the certificate. I see @jc21 has made quite a few commits recently so I'm hoping this SSL cert renewal might get fixed soon 🤞


@sanderlv commented on GitHub (Apr 1, 2023):

I have the certificate not connected to a proxy host, just trying to create it...?

Is it also fine to reboot the container or is it still having duplicate instances?


@sanderlv commented on GitHub (Apr 1, 2023):

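I tried your command:
![image](https://user-images.githubusercontent.com/16528916/229308414-74ee70ee-e1e5-4a9a-a52d-4050ea866dd4.png)

But no luck either...
![image](https://user-images.githubusercontent.com/16528916/229308409-b5edf41c-9ece-4916-b751-eabf5cfae999.png)

But what's even more weird is that the console gives:
![image](https://user-images.githubusercontent.com/16528916/229308436-d07eed19-d9e2-43a8-8078-8b3062e6791c.png)

And the interface gives:
![image](https://user-images.githubusercontent.com/16528916/229308447-703873b8-f77a-4061-89dd-f6e5f3f7efba.png)

What's not ok here?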


@EDIflyer commented on GitHub (Apr 1, 2023):

Hmm, getting outside what I understand now I'm afraid! I'd have thought definitely worth a container reboot attempt given that difference in version info. I tend to just automatically make the SSL cert when creating the proxy host.


@sanderlv commented on GitHub (Apr 1, 2023):

Rebooting does not help in getting the right version "in the container"...


@sanderlv commented on GitHub (Apr 1, 2023):

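> I tend to just automatically make the SSL cert when creating the proxy host.

That does not work either... So frustrating... all my domains will soon expire...

![image](https://user-images.githubusercontent.com/16528916/229308669-1d8f1605-6618-404f-acd0-7fa9e03a7f10.png)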


@sanderlv commented on GitHub (Apr 1, 2023):

Created a wildcard DNS via joker, that works ....


@andzejsp commented on GitHub (Apr 5, 2023):

Fresh install, 0 domains, add one, tried to add cert, fails as above...

Good thing I still haven't updated my stack from 2022 last year, it works there but now on fresh install..

And I thought I messed up something.

Somebody has to look into this. I'm not the only one.

If anyone has any solution please @ me.


@greenfishgit22 commented on GitHub (Apr 7, 2023):

Jesus christ.... same crap again... I had to renew ssl certificate and voila "internal error".


@sanderlv commented on GitHub (Apr 7, 2023):

I know, it s@cks. But luckily the dns one via joker does work.


@EDIflyer commented on GitHub (Apr 7, 2023):

> I know, it s@cks. But luckily the dns one via joker does work.

Do you mean via DNS challenge? - AIUI that's only an option if your DNS provider is one of the ones listed though? (mine isn't)


@sanderlv commented on GitHub (Apr 7, 2023):

Yes and yes and that's a pity...


@greenfishgit22 commented on GitHub (Apr 7, 2023):

Yeah thanks but I'm using duckdns and noip, not willing to change DNS provider because of this issue.

I really like nginx proxy manager but this happens way too frequently in my opinion.


@sanderlv commented on GitHub (Apr 7, 2023):

I agree. I am just lucky at this moment...


@smailpouri commented on GitHub (Apr 28, 2023):

Same issue on Docker 4.18, macOS Ventura 13.3.1, nginx 2.9.19 and 2.9.20(21,22) and 2.10.2.

Not sure what is going on, been looking into Traefik


@plexecutor commented on GitHub (May 2, 2023):

I was having the same issue where 'Test Server Reachability' was saying 'Communication with the API failed, is NPM running correctly?'. I use DuckDNS and verified that I had everything configured correctly. What I ended up doing was just using DNS Challenge and choosing DuckDNS and providing my token. No issues requesting/renewing certs now.


@andzejsp commented on GitHub (May 2, 2023):

> I was having the same issue where 'Test Server Reachability' was saying 'Communication with the API failed, is NPM running correctly?'. I use DuckDNS and verified that I had everything configured correctly. What I ended up doing was just using DNS Challenge and choosing DuckDNS and providing my token. No issues requesting/renewing certs now.

But this doesn't help people who don't have ducks.


@plexecutor commented on GitHub (May 2, 2023):

> > I was having the same issue where 'Test Server Reachability' was saying 'Communication with the API failed, is NPM running correctly?'. I use DuckDNS and verified that I had everything configured correctly. What I ended up doing was just using DNS Challenge and choosing DuckDNS and providing my token. No issues requesting/renewing certs now.
>
> But this doesn't help people who don't have ducks.

True, but there is a very large list of DNS provider plugins supported by NPM. If yours is supported, I would try that method.


@erzwo commented on GitHub (May 10, 2023):

Same problem for me. I can't renew or create a new certificate. Probably related to [this](https://github.com/NginxProxyManager/nginx-proxy-manager/issues/918)


@rafalohaki commented on GitHub (May 10, 2023):

same


@f2ka07 commented on GitHub (May 28, 2023):

Here is a guide on how to successfully install [Let's Encrypt on Nginx Proxy Manager](https://www.youtube.com/watch?v=31D9t5W_Aug) to secure your docker containers.


@ajy2 commented on GitHub (May 31, 2023):

still same here

@f2ka07 in your video, it has no errors like above


@greenfishgit22 commented on GitHub (May 31, 2023):

This app is dead. So many SSL issues that come out of nowhere. I went with Caddy April 7th and never had any issues.


@andzejsp commented on GitHub (May 31, 2023):

> This app is dead. So many SSL issues that come out of nowhere. I went with Caddy April 7th and never had any issues.

Can you PM me the Caddy solution? I need auto renewal


@MikeTraceur commented on GitHub (Jul 18, 2023):

Is there any update to this bug? I am facing the same problem with the latest release? Any downgraded Version where this bug does not appear?


@EDIflyer commented on GitHub (Jul 18, 2023):

Sadly not that I've found, I just use the workaround of switching off SSL, renewing then re-enabling. It does get a bit annoying having to do it for 16 sites every few months though!


@MikeTraceur commented on GitHub (Jul 19, 2023):

I was currently trying the workaround because my certificates should expire July 25. But I decided to look them up before. Surprisingly it renewed them. So what is different to the state I had until yesterday? I moved from latest to 2.9.21 and under volumes I added

  • "/etc/timezone:/etc/timezone:ro"
  • "/etc/localtime:/etc/localtime:ro"

Since the docker container was in a different timezone than the docker host. Maybe this helps finding a solution.


@andzejsp commented on GitHub (Jul 19, 2023):

does it work on latest tho?


@rightsaidfred99 commented on GitHub (Jul 23, 2023):

I gave up on this bug. best to freeze nginx at 2.9.14 and have been doing this for a year and auto ssl renewal works perfectly. cons, but it's unpatched and a security risk so keep it away from the internet.


@Watever44 commented on GitHub (Aug 8, 2023):

I am having the same issue. I didn't realise the problem a few weeks ago when I had to renew manually. After unraid update to 6.12.
Now I am trying to get a new certificate and I can't make it work. No idea how to fix it.

Do I really need to go back? In the docker container or unraid os?


@rightsaidfred99 commented on GitHub (Aug 8, 2023):

Yes, it just works perfectly if you go back.


@Watever44 commented on GitHub (Aug 9, 2023):

I will try to go back. I didn't fix the certificate creation or renew, but it's weird that my reverse proxy is "working" today, without changing anything since yesterday, without the proper SSL, using the wildcard certificate probably.
Maybe because when I tried yesterday, cloudflare didn't publish it and it took longer than usual? Many hours?
Also, I thought the wildcard certificate would only work locally...?

![image](https://github.com/NginxProxyManager/nginx-proxy-manager/assets/97079352/b9df5e25-22d4-4587-a43a-2207b2c4b1c4)

These are the only certificates I have. As you can see, the wildcard uses cloudflare, not the others, but all are working.
![image](https://github.com/NginxProxyManager/nginx-proxy-manager/assets/97079352/3cf9426b-1d86-4494-b88c-48a2768f1fee)


@Matze177 commented on GitHub (Sep 5, 2023):

> Sadly not that I've found, I just use the workaround of switching off SSL, renewing then re-enabling. It does get a bit annoying having to do it for 16 sites every few months though!

Thanks for the tip, that worked for me too. But why?


@EDIflyer commented on GitHub (Sep 5, 2023):

> > Sadly not that I've found, I just use the workaround of switching off SSL, renewing then re-enabling. It does get a bit annoying having to do it for 16 sites every few months though!
>
> Thanks for the tip, that worked for me too. But why?

See my PR - https://github.com/NginxProxyManager/nginx-proxy-manager/pull/3121 - it's to do with how the Let's Encrypt ACME check is being dealt with.


@Collin7 commented on GitHub (Sep 20, 2023):

Also having an issue with renew on latest and older versions

```
Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation
Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in <module>
    from certbot.main import main
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 28, in <module>
    from certbot import crypto_util
  File "/opt/certbot/lib/python3.7/site-packages/certbot/crypto_util.py", line 42, in <module>
    from certbot import interfaces
  File "/opt/certbot/lib/python3.7/site-packages/certbot/interfaces.py", line 21, in <module>
    from acme.client import ClientBase
ImportError: cannot import name 'ClientBase' from 'acme.client' (/opt/certbot/lib/python3.7/site-packages/acme/client.py)
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```


@oswaldo-be commented on GitHub (Oct 8, 2023):

I also got the same problem and deactivating Force SSL and renewing works.
Then I just activate force SSL again.
But this cannot stay unrepaired

```
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
[10/8/2023] [2:01:59 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[10/8/2023] [2:06:37 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
```

v2.10.4


@EDIflyer commented on GitHub (Oct 8, 2023):

@oswaldo-be did my PR above work for you? It still seems to be doing the trick on my system.


@oswaldo-be commented on GitHub (Oct 8, 2023):

Yep, deactivating, renewing and activating works.
But this here won't
with "docker exec "Containername" find / -type f -name ".certbot.lock""
I get
find: '/proc/tty/driver': Permission denied
find: '/sys/kernel/debug': Permission denied


@EDIflyer commented on GitHub (Oct 8, 2023):

Interesting, I've normally run it as commands directly within the container on Portainer and it worked OK, I'm guessing it must be giving higher permissions.

There's a link above to my PR that fixes the underlying issue that seems to work so might be worth a shot too?


@jdelgadocr commented on GitHub (Oct 9, 2023):

I was also getting the "import ClientBase" error with namecheap DNS. Strangely it worked 2 hours earlier with namecheap and another provider, several domains. Fresh, latest NPM install. I got it fixed by running (in a container-attached console):
```
pip install certbot
pip install acme
pip install certbot-dns-namecheap
```

That was all and then it worked as before/expected.


@dezza commented on GitHub (Dec 29, 2023):

I just deleted the SSL certificate entry and redid it, seems like it's sticking to an old format.


@andzejsp commented on GitHub (Dec 29, 2023):

guys, stop wasting time on nginx, it's garbage. Use caddy instead. I've moved to caddy and I can forget about certs, because caddy does them automagically. No more "your certs are expiring in few days, please renew" bs. Caddy is lw, Easy to use with a single file where you define every service you have, and that's it. The configuration is easy to understand. Yes, caddy does not have fancy UI, but you just need to set up a service once and forget about it.


@sanderlv commented on GitHub (Dec 29, 2023):

"Caddy" gives me a lot of options on google... what are you referring to? A docker container? Other? Is it free, paid, maintained?

Questions...


@rightsaidfred99 commented on GitHub (Dec 29, 2023):

caddy is terrible for newbies. who's got 4 weeks to read an encyclopedia on how to write a caddyfile


@andzejsp commented on GitHub (Dec 29, 2023):

> "Caddy" gives me a lot of options on google... what are you referring to? A docker container? Other? Is it free, paid, maintained?
>
> Questions...

https://github.com/caddyserver/caddy free, open source, maintained. I run it in docker container


@andzejsp commented on GitHub (Dec 29, 2023):

> caddy is terrible for newbies. who's got 4 weeks to read an encyclopedia on how to write a caddyfile

brugh, I'm a noob, if I could do it so can other noobs. NGINX is no easier, it has more confusing syntax for configuration than caddy. If you need help you can pm me


@rightsaidfred99 commented on GitHub (Dec 29, 2023):

> > caddy is terrible for newbies. who's got 4 weeks to read an encyclopedia on how to write a caddyfile
>
> brugh, I'm a noob, if I could do it so can other noobs. NGINX is no easier, it has more confusing syntax for configuration than caddy. If you need help you can pm me

Fair enough, I'll give it a go. nginx proxy manager is likely to be insecure nowadays anyway as there are so many issues open and slow updates to resolve issues for the plague of ssl issues.

you're right, it might be worth it.


@dezza commented on GitHub (Dec 29, 2023):

Have you guys noticed you're on github in the issue section and not reddit?


@rightsaidfred99 commented on GitHub (Dec 29, 2023):

yeah, and the resolution is not use proxy manager anymore as discussed


@dezza commented on GitHub (Dec 29, 2023):

> yeah, and the resolution is not use proxy manager anymore as discussed

No maybe the solution is to go buy some webhosting at godaddy.com if you can't appreciate the time others use to concern themselves with your issues and provide support and just resort to flinging shit like you're on reddit.


@Heggeg commented on GitHub (Apr 18, 2024):

I now seem to have the same problem. How do I fix it?


@dezza commented on GitHub (Apr 18, 2024):

I figured out that you need to disable "Force SSL" from the webui if you want the automatic renewal to work as it seems to request over http.

Try that if you have it.


@EDIflyer commented on GitHub (Apr 18, 2024):

@Heggeg feel free to try my PR at https://github.com/NginxProxyManager/nginx-proxy-manager/pull/3121 - it amends the https redirect to allow the Acme check through on http as @dezza says.
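
The check @dezza and @EDIflyer describe above (does the ACME request still get through on HTTP when Force SSL redirects everything?), as an added example that is not part of the original thread or of the PR. It probes a challenge path over plain HTTP without following redirects, against two constructed local servers standing in for a proxy host; `probe_http01`, the token and both handlers are assumptions made for illustration.

```python
"""Probe how a plain-HTTP listener answers an ACME HTTP-01 challenge path.

The two local servers are constructed stand-ins for a proxy host with
"Force SSL" enabled; none of this is Nginx Proxy Manager code.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"
# Constructed sample values, not real ACME tokens or key authorizations.
TOKEN = "constructed-token"
KEY_AUTH = "constructed-token.constructed-thumbprint"


def make_handler(exempt_acme):
    """Handler that redirects every request to HTTPS; when exempt_acme is
    true, the challenge path is answered directly over HTTP instead."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if exempt_acme and self.path == ACME_PREFIX + TOKEN:
                body = KEY_AUTH.encode()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                return
            # Blanket redirect, the behaviour a "force HTTPS" switch produces.
            host = self.headers.get("Host", "localhost").split(":")[0]
            self.send_response(301)
            self.send_header("Location", f"https://{host}{self.path}")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the demo quiet

    return Handler


def start_server(exempt_acme):
    """Start a stand-in server on an ephemeral localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(exempt_acme))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_http01(host, port, token, expected=None, timeout=5):
    """GET the challenge URL over HTTP; http.client never follows redirects,
    so the first answer the listener gives is what gets classified."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + token)
        resp = conn.getresponse()
        status = resp.status
        location = resp.getheader("Location", "")
        body = resp.read().decode("utf-8", "replace").strip()
    finally:
        conn.close()

    if 300 <= status < 400:
        result = "redirected"
    elif status == 200 and (expected is None or body == expected):
        result = "served"
    else:
        result = "not-served"
    return {"result": result, "status": status, "location": location}


def demo():
    """Probe both stand-ins and return the outcome for each."""
    outcomes = {}
    for label, exempt in (("force_ssl_all_paths", False), ("acme_exempt", True)):
        server = start_server(exempt)
        try:
            port = server.server_address[1]
            outcomes[label] = probe_http01("127.0.0.1", port, TOKEN, KEY_AUTH)
        finally:
            server.shutdown()
            server.server_close()
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Pointed at a real host on port 80 (with a test file placed in the webroot), a `redirected` result while renewals fail matches the situation described in this thread; `served` means the challenge path is exempt from the redirect.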


@mikkel75 commented on GitHub (Aug 16, 2024):

> I also got the same problem and deactivating Force SSL and renewing works. Then I just activate force SSL again. But this cannot stay unrepaired
>
> at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5) [10/8/2023] [2:01:59 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry... [10/8/2023] [2:06:37 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation Failed to renew certificate npm-1 with error: Some challenges have failed. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-1/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)
>
> v2.10.4

Where exactly did you do the "Force-SSL" trick/workaround?

Thanks


@dezza commented on GitHub (Aug 16, 2024):

@mikkel75 inverse, you need to keep Force SSL off for it to work this is the issue..

I hope @EDIflyer 's PR gets merged soon, fingers crossed..


@mikkel75 commented on GitHub (Aug 16, 2024):

Hi,

The certbot command fails for me - any suggestions?

```
[8/16/2024] [2:59:05 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[8/16/2024] [2:59:16 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #1: vichmand.duckdns.org
[8/16/2024] [2:59:16 PM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[8/16/2024] [2:59:32 PM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Failed to renew certificate npm-1 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
```

I'm guessing the /tmp/letsencrypt-log/letsencrypt.log is inside a container or something - I can't see it from normal terminal.

Thanks.


@cnsxxx09 commented on GitHub (Nov 24, 2024):

For those asking how to remove the Force SSL off, it also took me a while to find it.

Under Add-Ons --> Nginx Proxy Manager
there is a link to the right 'Open Web UI' which you need to click.

Then click on Hosts-->Proxy Hosts ... then the 3 dots and Edit ... then SSL Tab

Then go back to the Dashboard, SSL Certificates, the 3 dots and then Renew Now.

Thanks to all the previous posts here - I just did this indeed and it worked.
:-)


@EDIflyer commented on GitHub (Nov 24, 2024):

Glad that worked for you @cnsxxx09 - if you don't want the hassle of switching force SSL off and just letting it autorenew then you can use the docker version from my PR at https://github.com/NginxProxyManager/nginx-proxy-manager/pull/3121


@hulkhaugen commented on GitHub (Nov 26, 2024):

> For those asking how to remove the Force SSL off, it also took me a while to find it.
>
> Under Add-Ons --> Nginx Proxy Manager there is a link to the right 'Open Web UI' which you need to click.
>
> Then click on Hosts-->Proxy Hosts ... then the 3 dots and Edit ... then SSL Tab
>
> Then go back to the Dashboard, SSL Certificates, the 3 dots and then Renew Now.
>
> Thanks to all the previous posts here - I just did this indeed and it worked. :-)

You're obviously using the HA add-on, same as me. Did it work for you? I just stumbled into this issue myself after not having it before. I currently have 12 proxy hosts and 1 redirection host. I disabled all but the main one, and disabled force SSL for that one. Still no joy.

EDIT: I only use one certificate for all the proxy hosts, and always have.

**FINAL EDIT: Yay, I finally figured it out after spending a whole day on this, just about to give up. I had to log into Cloudflare as I use that for DNS Records. Had to change the Proxy status for my A-record from `Proxied` to `DNS only`, manually renew, then change it back to `Proxied`.**

```
[16:42:49] INFO: Starting the Manager...
[16:42:49] INFO: Starting NGinx...
s6-rc: info: service legacy-services successfully started
[11/26/2024] [4:42:49 PM] [Global   ] › ℹ  info      Using Sqlite: /config/database.sqlite
[11/26/2024] [4:42:51 PM] [Migrate  ] › ℹ  info      Current database version: none
[11/26/2024] [4:42:51 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[11/26/2024] [4:42:51 PM] [Setup    ] › ℹ  info      Logrotate completed.
[11/26/2024] [4:42:51 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[11/26/2024] [4:42:51 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[11/26/2024] [4:42:51 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[11/26/2024] [4:42:51 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[11/26/2024] [4:42:51 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[11/26/2024] [4:42:51 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[11/26/2024] [4:42:51 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[11/26/2024] [4:42:51 PM] [Global   ] › ℹ  info      Backend PID 157 listening on port 3000 ...
[11/26/2024] [4:48:01 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:422:12)
    at ChildProcess.emit (node:events:517:28)
    at maybeClose (node:internal/child_process:1098:16)
    at ChildProcess._handle.onexit (node:internal/child_process:303:5)
[26/Nov/2024:16:50:55 +0100] 200 - GET http 84.234.154.203 "/?XDEBUG_SESSION_START=phpstorm" [Client 92.255.57.58] [Length 625] [Gzip 1.88] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
[11/26/2024] [4:51:52 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #1: minside.no
[11/26/2024] [4:51:52 PM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[11/26/2024] [4:51:55 PM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Failed to renew certificate npm-1 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
```

@github-actions[bot] commented on GitHub (Jun 12, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@EDIflyer commented on GitHub (Jun 12, 2025):

Not stale, still awaiting #3121 to be merged in.


@github-actions[bot] commented on GitHub (Jan 25, 2026):

Issue is now considered stale. If you want to keep it open, please comment 👍


@EDIflyer commented on GitHub (Jan 25, 2026):

Not stale, still awaiting #3121 to be merged in.
