[GH-ISSUE #2781] How to mount existing letsencrypt directory? #1912

Open
opened 2026-02-26 07:33:13 +03:00 by kerem · 8 comments

Originally created by @drudgede on GitHub (Mar 30, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2781

For my required setup, I currently have all my letsencrypt certificates stored on an NFS drive and mount them to `/etc/letsencrypt` on each required host. So I tried to do the same with the Nginx Proxy Manager and mounted the existing path with `/etc/letsencrypt:/etc/letsencrypt` instead of `./letsencrypt:/etc/letsencrypt` as given in the default configuration:

```
version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:2.9.22'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP
    environment:
      # Unix user and group IDs, optional
      PUID: 1000
      PGID: 1000
      # Mysql/Maria connection parameters:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      DB_MYSQL_PASSWORD: "npm"
      DB_MYSQL_NAME: "npm"
      # Uncomment this if IPv6 is not enabled on your host
      DISABLE_IPV6: 'true'
    volumes:
      - ./data:/data
      - /etc/letsencrypt:/etc/letsencrypt
    depends_on:
      - db

  db:
    image: 'jc21/mariadb-aria:latest'
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: 'npm'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'npm'
    volumes:
      - ./data/mysql:/var/lib/mysql
```

This seems to work fine. I can see the directory on my local host:

```
root@npm:/# ls /etc/letsencrypt
accounts  archive  cli.ini  csr  keys  live  options-ssl-apache.conf  renewal  renewal-hooks
```

And I can see in the docker container that the container can access them as well:

```
root@npm:/# docker exec -it a /bin/bash

[root@docker-a88aa14b1b11:/app]# ls /etc/letsencrypt
accounts
archive
cli.ini
csr
keys
live
options-ssl-apache.conf
renewal
renewal-hooks
```

However, I am not able to access those certificates which are already existing when I use the web GUI.
The Nginx Proxy Manager seems to have no information about those certificates and I can only create new ones.

How can I make the certificates known to NPM? Did I mount an incorrect path structure?


@mricharz commented on GitHub (Apr 17, 2023):

https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2347


@github-actions[bot] commented on GitHub (Jan 24, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@sagefarrenholz commented on GitHub (Nov 25, 2024):

Bump !


@shalafi99 commented on GitHub (Nov 25, 2024):

I think NPM does not "scan" the contents of the /letsencrypt directory ever, instead it controls status/presence of certificates through the related actions done inside the admin interface (which are reflected by updates to its own database).

I am inferring that based on a different experience I have had - in my case, I have a letsencrypt certificate which is managed outside of NPM.
I imported it using the "Add Certificate / Custom" WebUI option and I know NPM does not check the actual files because I have a script to copy over to NPM the updated certificate when it gets renewed and the expiration date shown in the WebUI still is the original import one (which I read somewhere here in GitHub that happens because it is information being read off its database instead of from the actual cert file present inside the filesystem).
It is a single certificate so for me, at least, not really a significant management overhead/bother.

That said, I would risk saying that the /letsencrypt folder mounted in NPM would be used solely for certificates which are/were requested using its own mechanism (instead of "external" ones). #2347 looks to be a request to change this behavior.
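
A sketch of the kind of copy-on-renewal script mentioned in the comment above, added here as an example; it is not from the thread or from the NPM project. Both directory arguments are placeholders, and the function returns 0 when it installed a new pair, 1 when nothing changed, and 2 on error.

```shell
# sync_cert SRC DEST
#   SRC  : a certbot "live/<name>" directory (placeholder path)
#   DEST : directory the proxy reads the imported certificate from (placeholder path)
# Files under live/ are symlinks into archive/; reading them with cat copies the
# content, so DEST never ends up holding a link that dangles inside the container.
sync_cert() {
    src=$1
    dest=$2

    # Validate the pair before touching DEST. A renewal still being written to
    # shared storage (NFS in the original post) shows up as a missing END line.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$src/fullchain.pem" 2>/dev/null &&
    grep -q -e '-----END CERTIFICATE-----' "$src/fullchain.pem" &&
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$src/privkey.pem" 2>/dev/null &&
    grep -q -e '-----END .*PRIVATE KEY-----' "$src/privkey.pem" ||
        { echo "sync_cert: incomplete PEM pair in $src" >&2; return 2; }

    # Unchanged pair: report it so the caller can skip a reload.
    if cmp -s "$src/fullchain.pem" "$dest/fullchain.pem" 2>/dev/null &&
       cmp -s "$src/privkey.pem" "$dest/privkey.pem" 2>/dev/null; then
        return 1
    fi

    # Stage both files inside DEST (mktemp creates them 0600), then rename, so a
    # reader never sees a half-written key. The key stays 0600; its owner must be
    # the UID the proxy runs as (PUID in the compose file above).
    tmp_crt=$(mktemp "$dest/.fullchain.XXXXXX") || return 2
    tmp_key=$(mktemp "$dest/.privkey.XXXXXX") || { rm -f "$tmp_crt"; return 2; }
    if cat "$src/fullchain.pem" > "$tmp_crt" &&
       cat "$src/privkey.pem" > "$tmp_key" &&
       chmod 644 "$tmp_crt" && chmod 600 "$tmp_key" &&
       mv -f "$tmp_key" "$dest/privkey.pem" &&
       mv -f "$tmp_crt" "$dest/fullchain.pem"
    then
        return 0
    fi
    rm -f "$tmp_crt" "$tmp_key"
    return 2
}

# Example call from a renewal hook (both paths are placeholders):
#   sync_cert /etc/letsencrypt/live/<name> <destination-dir>
```

The copy only replaces files on disk; as the comment above notes, the expiry date shown in the WebUI comes from the database and will not change.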


@sagefarrenholz commented on GitHub (Nov 26, 2024):

Bare minimum if we can import a local disk file (from the box not my browser) in the gui

Then I can sym link it or something


@github-actions[bot] commented on GitHub (Aug 12, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@alonsovb commented on GitHub (Aug 13, 2025):

Bumping since I'm also interested in this functionality


@sazeygit commented on GitHub (Dec 14, 2025):

bumping, also interested
