[GH-ISSUE #2881] Temp workaround (that works for me!) for SSL certificate renewal bug #1972

Open
opened 2026-02-26 07:33:29 +03:00 by kerem · 68 comments

Originally created by @EDIflyer on GitHub (May 3, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2881

I know there are already lots of issues on this topic - I've tried to link to most of them below. I've just had to renew 16 sites on one server (running the latest v.2.10.2) and thought I'd go through the process that seemed to work reliably for me in case it helps others (with thanks to posters in other issues where I've gleaned this info from!).

Given how it works I suspect the issue is the requests to the ACME endpoint not being allowed through when force SSL is enabled (as mentioned in some bug reports) and I'm hopeful @jc21 can merge in #2038 that seems to be an option (but is unfortunately now based off an older base).

**Symptom**

SSL certificates do not automatically renew and you receive a warning email from LetsEncrypt about an upcoming expiring certificate (typically I seem to get them when <20 days left to go). Attempts to manually review end up just showing an 'Internal server error'.

**Workaround**

_Part 1 - clear any `certbot.lock` files_

I've found there is sometimes an error caused by a duplicate instance of CertBot running. You can check whether there are `.certbot.lock` files in your system:

```bash
find / -type f -name ".certbot.lock"
```

If there are, you can remove them:

```bash
find / -type f -name ".certbot.lock" -exec rm {} \;
```

(from https://community.letsencrypt.org/t/solved-another-instance-of-certbot-is-already-running/44690/2)

_Part 2 - turn off `Force SSL` and then renew_

After clearing any certbot lock, I then went through site by site and 1) disabled `Force SSL` on the proxy host page then 2) requested certificate renewal on the SSL page and then 3) re-enabled SSL and all sub-options back on the proxy host page.

As I say it takes a while and is frustrating but I found it worked reliably and they're all now renewed for the next 3 months. If you don't switch off `Force SSL` then you just end up with an internal error.

Related issues on this topic (in the hope that once this issue is resolved these can all be closed)
#1771 #1816 #1856 #2048 #2251 #2258 #2267 #210 #2418 #2499 #2593 #2642 #2713 #2860
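
A more cautious form of Part 1, as an added example that is not part of the original post or the project's code: it lists live certbot processes and removes `.certbot.lock` files only when none is running, and it searches the certbot directories that appear in the command lines quoted in later comments rather than the whole filesystem. The function names and the `CERTBOT_DIRS` variable are assumptions, and it is meant to be run inside the NPM container.

```shell
#!/bin/sh
# Added example: guarded lock cleanup. Names here are hypothetical.
# Default directories are taken from the certbot command lines quoted in this
# thread (--work-dir, --logs-dir and the /etc/letsencrypt/live/... path).
CERTBOT_DIRS="${CERTBOT_DIRS:-/etc/letsencrypt /tmp/letsencrypt-lib /tmp/letsencrypt-log}"

# Print "PID COMMANDLINE" for every process whose command line invokes certbot.
# Reads /proc directly, so it does not depend on ps or pgrep being installed.
list_certbot_procs() {
    for dir in /proc/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        # cmdline is NUL-separated; turn it into a space-separated string
        cmd=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline") || continue
        case " $cmd" in
            *" certbot "*|*"/certbot "*) echo "${dir#/proc/} $cmd" ;;
        esac
    done
}

# Print every .certbot.lock under the given directories (default: CERTBOT_DIRS).
find_certbot_locks() {
    [ $# -gt 0 ] || set -- $CERTBOT_DIRS
    for d in "$@"; do
        if [ -d "$d" ]; then
            find "$d" -type f -name '.certbot.lock' 2>/dev/null || true
        fi
    done
}

# Remove lock files only when no certbot process is alive.
# Returns 0 after cleaning (removed paths on stdout),
#         2 if certbot is still running (nothing removed, processes on stderr).
clear_stale_certbot_locks() {
    procs=$(list_certbot_procs)
    if [ -n "$procs" ]; then
        echo "certbot still running, leaving lock files in place:" >&2
        echo "$procs" >&2
        return 2
    fi
    find_certbot_locks "$@" | while IFS= read -r lock; do
        rm -f -- "$lock" && echo "removed $lock"
    done
}

# Stand-alone use: "--report" only lists, "--clear" removes stale locks.
case "${1:-}" in
    --report) list_certbot_procs; find_certbot_locks ;;
    --clear)  clear_stale_certbot_locks ;;
esac
```

If it returns 2, the listed PIDs are the renewals to wait for or stop before retrying.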


@ririko5834 commented on GitHub (May 3, 2023):

It really works, thanks. Certs were renewed normally before; found out that it stopped working when I updated to the latest version. When will it be fixed?


@EDIflyer commented on GitHub (May 3, 2023):

Agree, @ririko5834 - it used to work fine for me but seemed to stop a few versions ago. Hopefully the PR can be merged in to the latest codebase....


@pd5rm commented on GitHub (May 3, 2023):

Just did this, thanks for the workaround writeup.


@jhalak1984 commented on GitHub (May 31, 2023):

Hmm, for me, no such files were found, hence, didn't work for me


@EDIflyer commented on GitHub (Jun 3, 2023):

@jc21 any word on when a fix might be coming for this SSL cert renewal issue? That's me having to manually renew another 10 sites this evening 😔


@JohnnyLAmpAz commented on GitHub (Aug 13, 2023):

> Hmm, for me, no such files were found, hence, didn't work for me

I didn't find any lock file either, but the trick of disabling _force SSL_ is the important part! Try anyway


@EDIflyer commented on GitHub (Aug 13, 2023):

> Hmm, for me, no such files were found, hence, didn't work for me

@jhalak1984 did you try part 2? The main bit seems to be force SSL not allowing an ACME exclusion, the first bit is just to ensure no conflicting certbot instances running.


@EDIflyer commented on GitHub (Aug 13, 2023):

Thanks to the work from @the1ts in #2038 and the comments from @Whoopsadaisy re regex on that PR https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2038#issuecomment-1372833078 I've created a new PR #3121 that combines their comments to stop `/.well-known/acme-challenge` requests from being redirected to https.

The new PR has been built (you can access it in a docker compose file by commenting out your current image and using `image: 'jc21/nginx-proxy-manager:github-pr-3121'` instead). The only change I made was to the one `force-ssl-.conf` file, but it is based off the current develop branch (2.10.4 as of today) so will include any other changes on there.

I've tried it on two servers that I run - on the first I was now able to renew OK just by clicking 'renew now' on the SSL page (something that previously errored out). On the other one I initially still got the internal error but when I ran the first bit of the code in my OP above I found 3 certbot instances running so once I cleared them it seemed to renew OK. Out of interest I've only renewed one certificate on that server to see if the rest renew OK automatically. In both cases everything still seems to redirect to https OK and the regex seems to check out OK - (https://regex101.com/r/H58N25/1)

If you're happy to do so then please test it out - it is showing as OK to merge so if this merges hopefully it'll be accepted by @jc21 😃

PS - I checked back 10-15 min later and it seems that all the other certs have autorenewed too so that saved me quite a bit of work switching force SSL off/on for each one!


@jhalak1984 commented on GitHub (Aug 15, 2023):

Awesome!! Works without a hitch now. Thank you!!!


@Panoramiac commented on GitHub (Oct 10, 2023):

> Thanks to the work from @the1ts in #2038 and the comments from @Whoopsadaisy re regex on that PR [#2038 (comment)](https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2038#issuecomment-1372833078) I've created a new PR #3121 that combines their comments to stop `/.well-known/acme-challenge` requests from being redirected to https.
>
> The new PR has been built (you can access it in a docker compose file by commenting out your current image and using `image: 'jc21/nginx-proxy-manager:github-pr-3121'` instead). The only change I made was to the one `force-ssl-.conf` file, but it is based off the current develop branch (2.10.4 as of today) so will include any other changes on there.
>
> I've tried it on two servers that I run - on the first I was now able to renew OK just by clicking 'renew now' on the SSL page (something that previously errored out). On the other one I initially still got the internal error but when I ran the first bit of the code in my OP above I found 3 certbot instances running so once I cleared them it seemed to renew OK. Out of interest I've only renewed one certificate on that server to see if the rest renew OK automatically. In both cases everything still seems to redirect to https OK and the regex seems to check out OK - (https://regex101.com/r/H58N25/1)
>
> If you're happy to do so then please test it out - it is showing as OK to merge so if this merges hopefully it'll be accepted by @jc21 😃
>
> PS - I checked back 10-15 min later and it seems that all the other certs have autorenewed too so that saved me quite a bit of work switching force SSL off/on for each one!

So what do I need to do to get this working with the Nginx Proxy Manager Addon running on Home Assistant? Yesterday I got the mails that my certs will expire soon. I do not know what went wrong, but I cannot renew them and currently the certs are also no longer accepted by the Android App (I guess I messed something up by adding my subdomains to the DuckDns Addon).


@EDIflyer commented on GitHub (Oct 10, 2023):

@Panoramiac sorry I'm running it on VPS with Docker/Portainer so can easily specify a different image to use - I'm not 100% sure re Home Assistant how to do that (I do run HA but only on my NAS on my home network) - might be worth asking in the HA forums if someone knows how to specify a different image to use?


@mtojay commented on GitHub (Oct 18, 2023):

Hmm, for me it does not work. Received a mail about expiring certs. Went and tried to renew. Didn't work. Looked it up on the internet and found this workaround, but for me it does not work. There are no certbot.lock files in my docker container, and disabling ssh also does not do anything. Tried rebooting the container, the VPS and all steps here. It's still always: "internal error". Not quite sure where to go from here.


@EDIflyer commented on GitHub (Oct 18, 2023):

@mtojay did you try the different version in the PR I submitted? I've been running it since I created it and all auto-renewals going through fine for me.


@mtojay commented on GitHub (Oct 18, 2023):

Thx for your answer @EDIflyer, but yeah, I tried that. I pulled the docker image with your PR, but I still get "Internal Error". After recreating the container with the new image I tried looking for locked Certbots again, but I don't have any locked certbot instances. I don't know what or if I am doing wrong, but I can't get new certificates no matter how often I try what has been suggested here in this thread.

I probably have an unrelated issue. If my certs expire in the coming days I will retry again.


@EDIflyer commented on GitHub (Oct 18, 2023):

Ah OK, sorry to hear that @mtojay. At least you've ruled out locked Certbots. Is there anything more in the NPM logs that you can see when you try to renew and get the error? The issue at https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1816 goes through some of what others found. Sorry I can't help more!


@fhazal commented on GitHub (Oct 30, 2023):

This workaround is not working for me either. I changed the image to `image: 'jc21/nginx-proxy-manager:github-pr-3121'` and still can't get it to work. I followed the instructions and deleted and reinstalled NPM, and still can't create an SSL cert or renew the cert. Please help.


@EDIflyer commented on GitHub (Oct 30, 2023):

Hmm weird, I'm still using that one and it works OK. Does it pull the image down OK?


@fhazal commented on GitHub (Oct 31, 2023):

> Hmm weird, I'm still using that one and it works OK. Does it pull the image down OK?

yup it did pull the image without any error.


@EDIflyer commented on GitHub (Oct 31, 2023):

OK - I presume port 80 is open on your firewall to allow the certbot requests to get through to the acme endpoint? I'm afraid I don't have many other ideas!


@broetchenrackete36 commented on GitHub (Nov 6, 2023):

PR #3121 worked great for me. Finally my certs are renewed automagically again, thx :)


@peterge1998 commented on GitHub (Nov 10, 2023):

I guess I experience the same problem, the certs aren't renewing in my instance too. `docker logs` gives this:

```
[11/10/2023] [7:55:11 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation  
Another instance of Certbot is already running.

    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```

I guess a fix will be released in near future?


@EDIflyer commented on GitHub (Nov 10, 2023):

@peterge1998 it's been like this for months so sadly I'm not sure a fix is imminent. Did you try the code posted above re duplicate certbot instances or running the PR version I created? Worth a shot but no guarantees it'll help I'm afraid!


@peterge1998 commented on GitHub (Nov 10, 2023):

> @peterge1998 it's been like this for months so sadly I'm not sure a fix is imminent. Did you try the code posted above re duplicate certbot instances or running the PR version I created? Worth a shot but no guarantees it'll help I'm afraid!

How can I run the PR version with docker?


@EDIflyer commented on GitHub (Nov 10, 2023):

> How can I run the PR version with docker?

If you replace the normal image with `image: 'jc21/nginx-proxy-manager:github-pr-3121'` in your docker compose (or tweak appropriately for docker run) command then that should do the trick.


@peterge1998 commented on GitHub (Nov 10, 2023):

> > How can I run the PR version with docker?
>
> If you replace the normal image with `image: 'jc21/nginx-proxy-manager:github-pr-3121'` in your docker compose (or tweak appropriately for docker run) command then that should do the trick.

I get this error with the image of your pr now when renewing certs:

```
[11/10/2023] [7:21:42 PM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-14" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
[11/10/2023] [7:21:42 PM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-14" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
Another instance of Certbot is already running.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-9kceqaqh/log or re-run Certbot with -v for more details.
```

Okay, its still the same:

```
[11/10/2023] [7:23:16 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-8 with error: Some challenges have failed.
The following renewals failed:
  /etc/letsencrypt/live/npm-8/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```

@peterge1998 commented on GitHub (Nov 10, 2023):

Deleting the host and adding it again works...


@EDIflyer commented on GitHub (Nov 10, 2023):

Damn, sorry to hear that. The weird thing is it's still working OK on mine with that PR version. I assume port 80 is open to allow challenge requests through? Did you run the command in the container to clear the other certbot instances too? I'm afraid I'm out of ideas after that!

EDIT: just seen your followup post, that sounds slightly more encouraging and at least confirms the challenge requests can get through OK!


@peterge1998 commented on GitHub (Dec 4, 2023):

> Deleting the host and adding it again works...

I am facing this problem again. This time I would like to add a ssl certificate using the dns provider. I am not able to follow my own suggestion how to fix this because there is no host this time :0

Please fix this asap!


@sunsreddit commented on GitHub (Jan 13, 2024):

+1'ing.

Made the manual change this PR makes in my own setup and can confirm it fixes my issue.

Thank you, @EDIflyer


@EcksDy commented on GitHub (May 24, 2024):

For me it was a combination of the following that caused the error:

  • I've used DNS challenge with Namecheap API
  • Namecheap demands whitelisting IPs for anything that wants to access its APIs
  • My IP is dynamic

Once I've whitelisted my current IP, the renewal worked even with all of my hosts having "Force SSL" enabled.


@picode7 commented on GitHub (Sep 1, 2024):

Turning off "Force SSL" didn't work at first.

I found out that I had reached the [validation limit](https://letsencrypt.org/docs/failed-validation-limit/)

> All issuance requests are subject to a Failed Validation limit of 5 failures per account, per hostname, per hour (using a sliding window).

After waiting for an hour, it worked.

Btw. I couldn't find/delete any ".certbot.lock" files in the container.

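The limit quoted in the comment above can be turned into a retry check. This is an added example, not part of the thread or of Nginx Proxy Manager: it applies a strict reading of the quoted rule (5 failures per hostname in a sliding one-hour window) to a list of failure times for one account. The hostnames and timestamps are constructed, and Let's Encrypt's own accounting may differ from this simplified model.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LIMIT = 5                     # failed validations per hostname, as quoted above
WINDOW = timedelta(hours=1)   # sliding window length, as quoted above


def retry_plan(failures, now):
    """Map each hostname to (failures_in_window, attempts_left, earliest_retry).

    failures: iterable of (hostname, datetime) pairs for ONE ACME account.
    A failure counts against the limit while 0 <= now - when < WINDOW.
    """
    by_host = defaultdict(list)
    for host, when in failures:
        by_host[host.lower()].append(when)

    plan = {}
    for host, times in by_host.items():
        recent = sorted(t for t in times if timedelta(0) <= now - t < WINDOW)
        left = max(0, LIMIT - len(recent))
        if left > 0:
            retry_at = now
        else:
            # Blocked until the LIMIT-th most recent failure ages out of the
            # window; only then do fewer than LIMIT failures remain in it.
            retry_at = recent[-LIMIT] + WINDOW
        plan[host] = (len(recent), left, retry_at)
    return plan


# Constructed sample: repeated renewal attempts against two hostnames.
T0 = datetime(2024, 9, 1, 12, 0)
SAMPLE_FAILURES = (
    [("app.example.test", T0 + timedelta(minutes=m)) for m in (0, 5, 10, 20, 30, 40)]
    + [("files.example.test", T0 + timedelta(minutes=m)) for m in (-90, 15, 35)]
)
NOW = T0 + timedelta(minutes=45)

if __name__ == "__main__":
    for host, (count, left, retry_at) in sorted(retry_plan(SAMPLE_FAILURES, NOW).items()):
        print(f"{host}: {count} recent failures, {left} attempts left, retry at {retry_at}")
```

Each failed attempt made while testing a workaround pushes the retry time further out, so it pays to change one thing at a time between attempts.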

@HAEdwin commented on GitHub (Oct 23, 2024):

What worked for me was to temporarily add a forward rule on the router to enable port 80 traffic to the website. Because apparently there were problems with the accessibility of the website from Let's Encrypt. After the refresh I turned off the forward rule to port 80 again.


@apoorv569 commented on GitHub (Dec 8, 2024):

Turning "Force SSL" off worked.. unfortunately this issue after almost 2 years (probably more) is still present. Turning "Force SSL" off/on every 3 months is not very convenient, especially if you have 20-30 domains or more.


@EDIflyer commented on GitHub (Dec 8, 2024):

@apoorv569 have you tried the version in my PR #3121 ? If turning off SSL worked for you that should hopefully fix it for renewals.


@apoorv569 commented on GitHub (Dec 31, 2024):

> @apoorv569 have you tried the version in my PR #3121 ? If turning off SSL worked for you that should hopefully fix it for renewals.

Sorry for the late response.

Fix as in I have to apply a PR to my install?


@EDIflyer commented on GitHub (Dec 31, 2024):

@apoorv569 as in running the Docker container generated by the PR instead of `latest`


@apoorv569 commented on GitHub (Jan 4, 2025):

> @apoorv569 as in running the Docker container generated by the PR instead of `latest`

Like I have to build the docker container myself using commits from the PR?

Why is your PR not merged yet? almost 1.5 years now.. what's stopping the dev from merging it?

BTW can you in short tell me why this happens?


@EDIflyer commented on GitHub (Jan 4, 2025):

@apoorv569 no, if you check in the PR they build a container based on the PR, so in your docker compose you just point to that instead. Let me know if you can't find it and I'll look it out.

I'm not sure why they've not merged it yet, I think it would close lots of the open issues!


@EDIflyer commented on GitHub (Jan 5, 2025):

Here it is:

`nginxproxymanager/nginx-proxy-manager-dev:pr-3121`


@apoorv569 commented on GitHub (Jan 9, 2025):

> Here it is:
>
> `nginxproxymanager/nginx-proxy-manager-dev:pr-3121`

Thanks. All my certs are up to date ATM but next time they fail to auto update I'll try out your build, which should be in March I think as it's valid for 3 months IIRC.


@fcar12 commented on GitHub (Feb 4, 2025):

> What worked for me was to temporarily add a forward rule on the router to enable port 80 traffic to the website. Because apparently there were problems with the accessibility of the website from Let's Encrypt. After the refresh I turned off the forward rule to port 80 again.

The most simple and efficient solution until this is fixed with the PR! :)


@apoorv569 commented on GitHub (Mar 8, 2025):

> Here it is:
>
> `nginxproxymanager/nginx-proxy-manager-dev:pr-3121`

Hey, my certificates expire today and it still fails to update them. So should I continue with this version only? Or do you have a newer one as well?


@EDIflyer commented on GitHub (Mar 8, 2025):

Hi @apoorv569 I updated this a few months ago and it's still working well for me. I'll look at syncing the updates to the latest version when I've got a chance to test it'll still work for me. Even better @jc21 hopefully might merge in the PR 🤞


@apoorv569 commented on GitHub (Mar 9, 2025):

> Hi @apoorv569 I updated this a few months ago and it's still working well for me. I'll look at syncing the updates to the latest version when I've got a chance to test it'll still work for me. Even better @jc21 hopefully might merge in the PR 🤞

Oh cool. BTW if I update to your version will I be able to go back to the official/stable tag later when it finally gets merged?


@EDIflyer commented on GitHub (Mar 9, 2025):

AFAIK yes, my changes are tiny (you'll see them in the PR) and don't do anything database-wise, although it's always advised to back it up first!


@apoorv569 commented on GitHub (Mar 9, 2025):

> AFAIK yes, my changes are tiny (you'll see them in the PR) and don't do anything database-wise, although it's always advised to back it up first!

I see. All I want to do is update my certs nothing else.


@EDIflyer commented on GitHub (Mar 9, 2025):

Yep, it should do the trick - just trying to follow best practice and recommend backing up 🙂


@apoorv569 commented on GitHub (Mar 9, 2025):

> Yep, it should do the trick - just trying to follow best practice and recommend backing up 🙂

Hey, after updating to your version, I started getting this error:

```
app-1  | [3/9/2025] [1:57:04 PM] [Migrate  ] › ℹ  info      Current database version: 20240427161436
app-1  | [3/9/2025] [1:57:04 PM] [Global   ] › ✖  error     The migration directory is corrupt, the following files are missing: 20240427161436_stream_ssl.js Error: The migration directory is corrupt, the following files are missing: 20240427161436_stream_ssl.js
app-1  |     at validateMigrationList (/app/node_modules/knex/lib/migrations/migrate/Migrator.js:566:11)
app-1  |     at Migrator.latest (/app/node_modules/knex/lib/migrations/migrate/Migrator.js:69:7)
app-1  |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
```

Thankfully, I was able to revert back to the image `jc21/nginx-proxy-manager:latest` and it worked without errors. I guess I'll update it with the hack "turning off force ssl" for now.. maybe next time the certs expire the PR would be merged by then 🤞


@EDIflyer commented on GitHub (Mar 9, 2025):

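@apoorv569 ah OK - were you coming from the latest public current version? I wonder if something has changed in the DB and this would have effectively been a downgrade. It looks like there have been 42 changes to the latest version of dev:
![Image](https://github.com/user-attachments/assets/60528368-3f4f-4e10-8938-03080984f588)

Looks like some streams DB stuff in it:
![Image](https://github.com/user-attachments/assets/cc83bf63-84c1-4b61-b97e-7229e5b32a56)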

I'll sync to the latest and see how that goes


@apoorv569 commented on GitHub (Mar 9, 2025):

> @apoorv569 ah OK - were you coming from the latest public current version? I wonder if something has changed in the DB and this would have effectively been a downgrade. It looks like there have been 42 changes to the latest version of dev: ![Image](https://github.com/user-attachments/assets/60528368-3f4f-4e10-8938-03080984f588)
>
> Looks like some streams DB stuff in it: ![Image](https://github.com/user-attachments/assets/cc83bf63-84c1-4b61-b97e-7229e5b32a56)
>
> I'll sync to the latest and see how that goes

I use the `:latest` so whatever is the "latest" I guess.


@EDIflyer commented on GitHub (Mar 9, 2025):

OK cool - I've synchronised the fork now, just waiting for the updated Docker image to be built.


@EDIflyer commented on GitHub (Mar 9, 2025):

@apoorv569 FYI that's the docker image for 3121 updated now.


@apoorv569 commented on GitHub (Mar 9, 2025):

> @apoorv569 FYI that's the docker image for 3121 updated now.

I see. Appreciate it, but all my certs are updated now. Sorry, I had to update them; some of the services refuse to work without a good cert.

I can try to check the DB issue though if you want.


@EDIflyer commented on GitHub (Mar 9, 2025):

@apoorv569 don't worry - I've just pulled the new Docker image for one of my sites and it seemed to update to 2.12.3 fine and I managed to manually renew a cert without a prob (and without turning off SSL!) so hopefully is all good.


@MahmoudAlyuDeen commented on GitHub (Mar 16, 2025):

Certificates expired today. Time to try traefik then 🤷‍♂️


@EDIflyer commented on GitHub (Mar 16, 2025):

@MahmoudAlyuDeen or feel free to try the latest version from my 3121 PR and see if that works for you 😃


@bengivre commented on GitHub (Mar 23, 2025):

> @MahmoudAlyuDeen or feel free to try the latest version from my 3121 PR and see if that works for you 😃

In my case, I still have to disable the "Force SSL" on my Proxy Hosts if I want to renew manually from the UI. I did not try auto with the new version.

That would be pretty good if the process of auto-renew & the manual "Renew now" from the admin panel could do that on its own.

1- disable Force SSL if enabled
2- renew SSL
3- re-activate Force SSL

That would be it.

Thanks !


@EDIflyer commented on GitHub (Mar 23, 2025):

Hmm, interesting @bengivre - manual renewals as well as automatic work OK for me with the PR version.


@bengivre commented on GitHub (Mar 23, 2025):

> Hmm, interesting @bengivre - manual renewals as well as automatic work OK for me with the PR version.

My bad, I did not use the PR version. I just upgraded to latest. That must be the problem. Sorry about that.
I'll wait until they merge your PR :)


@EDIflyer commented on GitHub (Mar 23, 2025):

Ahh OK that makes sense (and at least confirms my PR is still required 😂) - basically all my PR does is bypass the force SSL just for the ACME certificate check. The PR is pretty up to date with the latest version so feel free to try it out (just back up the DB first just in case)


@bengivre commented on GitHub (Mar 23, 2025):

Thanks for this. Hopefully we finally get something that works as expected ;)


@virtualdj commented on GitHub (Mar 23, 2025):

Did you try to ping the maintainer to try to merge this PR?


@EDIflyer commented on GitHub (Mar 23, 2025):

> Did you try to ping the maintainer to try to merge this PR?

Yep, multiple times over the months (year?) 😥


@reyo commented on GitHub (May 20, 2025):

How is this still broken? Old certificates, automatic renewals work fine, but wanting to get new ones, doesn't. Do I need to run this version? `jc21/nginx-proxy-manager:github-pr-3121` to get it working?

I see from the logs that the request is redirected to ssl host, but npm isn't serving on https (my domain isn't force ssl true, from the gui)


@EDIflyer commented on GitHub (May 20, 2025):

@reyo yes - the only change I made in that PR is to allow the SSL certificate renewal to reach its endpoint via http rather than https, it has worked for me for almost two years now (I sync it with the main branch occasionally) and my certificates renew automatically.

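The two comments above describe the same condition from both sides: plain-HTTP requests for the ACME challenge path being redirected to HTTPS, and a change that lets that path through over HTTP. The following is an added example, not code from the PR or from Nginx Proxy Manager: a probe that requests the HTTP-01 challenge path without following redirects and reports whether it is forced to HTTPS, run here against two constructed local stand-ins for a proxy host (one redirecting everything, one exempting the challenge path). The token, the `example.test` redirect target and the simulated servers are assumptions for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"


def probe_acme_path(host, port=80, token="constructed-probe-token", timeout=5):
    """GET the HTTP-01 challenge path over plain HTTP, without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + token)
        resp = conn.getresponse()
        resp.read()
        status = resp.status
        location = resp.getheader("Location", "")
    finally:
        conn.close()
    forced = status in (301, 302, 307, 308) and location.lower().startswith("https://")
    return {"status": status, "location": location, "forced_to_https": forced}


def make_handler(exempt_acme):
    """Constructed stand-in for a proxy host with a force-HTTPS redirect."""
    class ForceSSLHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if exempt_acme and self.path.startswith(ACME_PREFIX):
                body = b"constructed-key-authorization"
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_response(301)
                self.send_header("Location", "https://example.test" + self.path)
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass
    return ForceSSLHandler


def demo():
    """Probe both simulated configurations on an ephemeral loopback port."""
    results = {}
    for name, exempt in (("force_ssl_everything", False), ("acme_path_exempt", True)):
        server = HTTPServer(("127.0.0.1", 0), make_handler(exempt))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            results[name] = probe_acme_path("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Pointing `probe_acme_path` at your own proxy host on port 80, from outside your network, shows which of the two behaviours a host has before you spend a renewal attempt on it.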

@Silicon51 commented on GitHub (May 21, 2025):

So, there's a chance that you have my case: both piHole and NPM as docker containers.
Due to some weird behavior of the DNS resolver, the NPM container does not have access to the internet so cannot request a cert.
For me it logs errors like `Failed to establish a new connection: [Errno -3] Temporary failure in name resolution')': /simple/cloudflare/`
Also I have the error `Failed to check the reachability due to a communication error with site24x7.com nginx proxy` when in version 2.12.3 I use the option "Test Server Reachability" from the tab SSL Certificates.
How to solve it?
Add the following to your NPM docker compose:

```
dns:
  - 172.19.0.4  # <<pihole IP address>>
  - 1.1.1.1
  - 8.8.8.8
```

@github-actions[bot] commented on GitHub (Nov 30, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@localnerve commented on GitHub (Nov 30, 2025):

> Issue is now considered stale. If you want to keep it open, please comment 👍

👍
