starred/nginx-proxy-manager-NginxProxyManager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-04-25 09:25:55 +03:00
Code Issues 937 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #3103] Certbot issues with DNS challenges #2102

New issue
Closed
opened 2026-02-26 07:34:02 +03:00 by kerem · 9 comments
kerem commented 2026-02-26 07:34:02 +03:00
Owner
Copy link

Originally created by @GDowning14 on GitHub (Aug 6, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3103

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    Yes
  • Are you sure you're not using someone else's docker image?
    Yes
  • Have you searched for similar issues (both open and closed)?
    Yes

Describe the bug
Certbot certificate renewal when using DNS challenge for GoDaddy fails with the following error:

ImportError: cannot import name 'ClientBase' from 'acme.client'

The entire stack trace is:
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --agree-tos --email "myemail@mydomain" --domains "my.domain" --authenticator dns-godaddy --dns-godaddy-credentials "/etc/letsencrypt/credentials/credentials-1"
Traceback (most recent call last):
File "/usr/bin/certbot", line 5, in
from certbot.main import main
File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 6, in
from certbot._internal import main as internal_main
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 28, in
from certbot import crypto_util
File "/opt/certbot/lib/python3.7/site-packages/certbot/crypto_util.py", line 42, in
from certbot import interfaces
File "/opt/certbot/lib/python3.7/site-packages/certbot/interfaces.py", line 21, in
from acme.client import ClientBase
ImportError: cannot import name 'ClientBase' from 'acme.client' (/opt/certbot/lib/python3.7/site-packages/acme/client.py)

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)

Nginx Proxy Manager Version
2.10.4

To Reproduce
Steps to reproduce the behavior:

  1. Go to '](https://nginxproxymanager.com/guide/#hosting-your-home-network)'
  2. Follow steps as describe
  3. Nginx Proxy Manager comntainer is created, starts, and login is accessible at port 81.
  4. Navigate to SSL Certificates tab and click on Add SSL Certificate
  5. Fill in form, selecting DNS Challenge, GoDaddy Provider, and provide Key and Secret
  6. Click submit
  7. Receive error

Expected behavior
Expected to receive a Let's Encrypt certificate for my domain

Screenshots

Operating System
Raspberry PI OS 64-bit on RPi 4 model B 8GB. (Debian 11.7 for arm64)

Additional context
I have another instance of NPM (release 2.10.2) running on an amd64 host (Linux Mint LMDE 5 - Debian 11.2). This instance has been running for a couple of years now with no issues. I am attempting to move NPM from the LMDE host to a RPI host. I also tried pulling the 2.10.2 version that is running fine on LMDE and bring it up on the RPI but received a different error (below).

Both the issue with 2.10.4 above, and the issue with 2.10.2 below appear to be issues with Certbot. I did find posts that seem to indicate that the version of Certbot packaged with these release is somewhat dated. Are there known issues with Certbot on RPI?

** Error noted with NPM 2.10.2 on RPi 4 B 8GB - Debian 11.7 ARM64
Error: Command failed: . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-godaddy~=0.2.0 && deactivate
ERROR: Will not install to the user site because it will lack sys.path precedence to certbot in /opt/certbot/lib/python3.7/site-packages

[notice] A new release of pip is available: 23.0.1 -> 23.2.1
[notice] To update, run: pip install --upgrade pip

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Socket. (node:internal/child_process:458:11)
at Socket.emit (node:events:513:28)
at Pipe. (node:net:301:12)
Originally created by @GDowning14 on GitHub (Aug 6, 2023). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3103 **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? Yes - Are you sure you're not using someone else's docker image? Yes - Have you searched for similar issues (both open and closed)? Yes **Describe the bug** Certbot certificate renewal when using DNS challenge for GoDaddy fails with the following error: ImportError: cannot import name 'ClientBase' from 'acme.client' The entire stack trace is: Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --agree-tos --email "myemail@mydomain" --domains "my.domain" --authenticator dns-godaddy --dns-godaddy-credentials "/etc/letsencrypt/credentials/credentials-1" Traceback (most recent call last): File "/usr/bin/certbot", line 5, in from certbot.main import main File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 6, in from certbot._internal import main as internal_main File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 28, in from certbot import crypto_util File "/opt/certbot/lib/python3.7/site-packages/certbot/crypto_util.py", line 42, in from certbot import interfaces File "/opt/certbot/lib/python3.7/site-packages/certbot/interfaces.py", line 21, in from acme.client import ClientBase ImportError: cannot import name 'ClientBase' from 'acme.client' (/opt/certbot/lib/python3.7/site-packages/acme/client.py) at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) **Nginx Proxy Manager Version** 2.10.4 **To Reproduce** Steps to reproduce the behavior: 1. Go to '](https://nginxproxymanager.com/guide/#hosting-your-home-network)' 2. Follow steps as describe 3. Nginx Proxy Manager comntainer is created, starts, and login is accessible at port 81. 4. Navigate to SSL Certificates tab and click on Add SSL Certificate 5. Fill in form, selecting DNS Challenge, GoDaddy Provider, and provide Key and Secret 6. Click submit 7. Receive error **Expected behavior** Expected to receive a Let's Encrypt certificate for my domain **Screenshots** <!-- If applicable, add screenshots to help explain your problem. --> **Operating System** Raspberry PI OS 64-bit on RPi 4 model B 8GB. (Debian 11.7 for arm64) **Additional context** I have another instance of NPM (release 2.10.2) running on an amd64 host (Linux Mint LMDE 5 - Debian 11.2). This instance has been running for a couple of years now with no issues. I am attempting to move NPM from the LMDE host to a RPI host. I also tried pulling the 2.10.2 version that is running fine on LMDE and bring it up on the RPI but received a different error (below). Both the issue with 2.10.4 above, and the issue with 2.10.2 below appear to be issues with Certbot. I did find posts that seem to indicate that the version of Certbot packaged with these release is somewhat dated. Are there known issues with Certbot on RPI? ** Error noted with NPM 2.10.2 on RPi 4 B 8GB - Debian 11.7 ARM64 Error: Command failed: . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-godaddy~=0.2.0 && deactivate ERROR: Will not install to the user site because it will lack sys.path precedence to certbot in /opt/certbot/lib/python3.7/site-packages [notice] A new release of pip is available: 23.0.1 -> 23.2.1 [notice] To update, run: pip install --upgrade pip at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Socket. (node:internal/child_process:458:11) at Socket.emit (node:events:513:28) at Pipe. (node:net:301:12)
kerem 2026-02-26 07:34:02 +03:00
  • closed this issue
  • added the
    stale
    bug
         labels
kerem commented 2026-02-26 07:34:02 +03:00
Author
Owner
Copy link

@tiiraluoto commented on GitHub (Aug 7, 2023):

Same problem here with ClouDNS. The output I get is the same as yours but I have this at the end of it:
`ImportError: cannot import name 'ClientBase' from 'acme.client' (/opt/certbot/lib/python3.7/site-packages/acme/client.py)

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)`
<!-- gh-comment-id:1668706442 --> @tiiraluoto commented on GitHub (Aug 7, 2023): Same problem here with ClouDNS. The output I get is the same as yours but I have this at the end of it: `ImportError: cannot import name 'ClientBase' from 'acme.client' (/opt/certbot/lib/python3.7/site-packages/acme/client.py) at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)`
kerem commented 2026-02-26 07:34:02 +03:00
Author
Owner
Copy link

@Atredies commented on GitHub (Aug 15, 2023):

Same issue here with Route53. I get the same error.

Failed to renew certificate npm-2 with error: Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Additionally I've seen that the CPU gets overloaded on my sever since it's spawning multiple processes for:

node --abort_on_uncaught_exception --max_old_space_size=250 index.js

It's also really weird, as long as I don't touch the web interface or try to renew the certificates or anything like that, the nginx part works just fine and the applications are online and working.

<!-- gh-comment-id:1679465627 --> @Atredies commented on GitHub (Aug 15, 2023): Same issue here with Route53. I get the same error. ``` Failed to renew certificate npm-2 with error: Unable to locate credentials To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-2/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s) at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5) ``` Additionally I've seen that the CPU gets overloaded on my sever since it's spawning multiple processes for: ``` node --abort_on_uncaught_exception --max_old_space_size=250 index.js ``` It's also really weird, as long as I don't touch the web interface or try to renew the certificates or anything like that, the nginx part works just fine and the applications are online and working.
kerem commented 2026-02-26 07:34:02 +03:00
Author
Owner
Copy link

@GDowning14 commented on GitHub (Aug 16, 2023):

UPDATE:
It appears this is a version/dependency issue - perhaps in the docker-nginx-full base docker image? Opening a shell into the container and running the certbot functions from the command line also reports the same errors as noted in the NPM certificates window. A 'pip list' shows the following Python packages installed:

Package             Version
------------------- ---------
acme                2.6.0
certbot             1.32.0
certbot-dns-godaddy 0.2.4

Version 2.6.0 of the "acme" package appears to require a more recent version of the "certbot" packages.

After running

pip install --upgrade certbot certbot-dns-godaddy

the "pip list" now shows

Package             Version
------------------- ---------
acme                2.6.0
certbot             2.6.0
certbot-dns-godaddy 2.6.0

Running certbot from the command line now succeeds and no errors are reported.

Unfortunately, this does not seem to resolve the original problem. When again attempting to obtain a certificate via NPM, the same error is reported. Using the shell and "pip list" shows that the certbot package upgrades have been reverted and are back to the original, incompatible, versions.

Being an enterprise developer, I am new to both Python and Docker and am unable to determine how/why this downgrade is happening when using NPM to launch the certbot scripts.

<!-- gh-comment-id:1680734583 --> @GDowning14 commented on GitHub (Aug 16, 2023): UPDATE: It appears this is a version/dependency issue - perhaps in the docker-nginx-full base docker image? Opening a shell into the container and running the certbot functions from the command line also reports the same errors as noted in the NPM certificates window. A 'pip list' shows the following Python packages installed: ``` Package Version ------------------- --------- acme 2.6.0 certbot 1.32.0 certbot-dns-godaddy 0.2.4 ``` Version 2.6.0 of the "acme" package appears to require a more recent version of the "certbot" packages. After running ```shell pip install --upgrade certbot certbot-dns-godaddy ``` the "pip list" now shows ``` Package Version ------------------- --------- acme 2.6.0 certbot 2.6.0 certbot-dns-godaddy 2.6.0 ``` Running certbot from the command line now succeeds and no errors are reported. Unfortunately, this does not seem to resolve the original problem. When again attempting to obtain a certificate via NPM, the same error is reported. Using the shell and "pip list" shows that the certbot package upgrades have been reverted and are back to the original, incompatible, versions. Being an enterprise developer, I am new to both Python and Docker and am unable to determine how/why this downgrade is happening when using NPM to launch the certbot scripts.
kerem commented 2026-02-26 07:34:02 +03:00
Author
Owner
Copy link

@GDowning14 commented on GitHub (Aug 21, 2023):

The following resolved the issue for me. Use the docker shell, updated /app/global/certbot-dns-providers.js to set the required version of "certbot-dns-godaddy" to "~=2.6.0".
Submitted pull request #3147

<!-- gh-comment-id:1686519852 --> @GDowning14 commented on GitHub (Aug 21, 2023): The following resolved the issue for me. Use the docker shell, updated /app/global/certbot-dns-providers.js to set the required version of "certbot-dns-godaddy" to "~=2.6.0". Submitted pull request #3147
kerem commented 2026-02-26 07:34:03 +03:00
Author
Owner
Copy link

@jerimiah797 commented on GitHub (Nov 19, 2023):

I resolved all this by combining several steps I saw in this (and other) threads to build the latest certbot/acme in the docker container. I'm now running with everything on 'latest', and did not have to change the godaddy version anywhere. :-)

Shell into your nginx docker container as root. I used portainer so it was very simple.
Install dependencies:

apt update
apt install python3-dev libffi-dev pkg-config libssl-dev

Install Rust - the apt version of rustc is too old (1.41.1, >1.56.0 is required)

curl https://sh.rustup.rs -sSf | sh
source "$HOME/.cargo/env"

Activate python venv
source /opt/certbot/bin/activate

Build and install certbot/acme

pip install certbot
pip install acme
pip install certbot-dns-godaddy

After all this, I still got an error trying to renew my godaddy domain. Evidently it now requires domain validation. If you see this problem in the logs, go to your DNS settings at the GoDaddy website and add a TXT entry called _acme-challenge and put the key that you see in the error log as the value. Then the DNS challenge will succeed.

<!-- gh-comment-id:1818015279 --> @jerimiah797 commented on GitHub (Nov 19, 2023): I resolved all this by combining several steps I saw in this (and other) threads to build the latest certbot/acme in the docker container. I'm now running with everything on 'latest', and did not have to change the godaddy version anywhere. :-) Shell into your nginx docker container as root. I used portainer so it was very simple. Install dependencies: ``` apt update apt install python3-dev libffi-dev pkg-config libssl-dev ``` Install Rust - the apt version of rustc is too old (1.41.1, >1.56.0 is required) ``` curl https://sh.rustup.rs -sSf | sh source "$HOME/.cargo/env" ``` Activate python venv `source /opt/certbot/bin/activate` Build and install certbot/acme ``` pip install certbot pip install acme pip install certbot-dns-godaddy ``` After all this, I still got an error trying to renew my godaddy domain. Evidently it now requires domain validation. If you see this problem in the logs, go to your DNS settings at the GoDaddy website and add a TXT entry called `_acme-challenge` and put the key that you see in the error log as the value. Then the DNS challenge will succeed.
kerem commented 2026-02-26 07:34:03 +03:00
Author
Owner
Copy link

@djmixman commented on GitHub (Nov 26, 2023):

Add another one for ClouDNS. Was trying to setup NPM for the first time and ran into this problem.

Same problem here with ClouDNS. The output I get is the same as yours but I have this at the end of it: `ImportError: cannot import name 'ClientBase' from 'acme.client' (/opt/certbot/lib/python3.7/site-packages/acme/client.py)

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)`
<!-- gh-comment-id:1826816143 --> @djmixman commented on GitHub (Nov 26, 2023): Add another one for ClouDNS. Was trying to setup NPM for the first time and ran into this problem. > Same problem here with ClouDNS. The output I get is the same as yours but I have this at the end of it: `ImportError: cannot import name 'ClientBase' from 'acme.client' (/opt/certbot/lib/python3.7/site-packages/acme/client.py) > > ``` > at ChildProcess.exithandler (node:child_process:402:12) > at ChildProcess.emit (node:events:513:28) > at maybeClose (node:internal/child_process:1100:16) > at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)` > ```
kerem commented 2026-02-26 07:34:03 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Jun 2, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:2143663595 --> @github-actions[bot] commented on GitHub (Jun 2, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:
kerem commented 2026-02-26 07:34:03 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Jun 6, 2025):

Issue was closed due to inactivity.

<!-- gh-comment-id:2947820243 --> @github-actions[bot] commented on GitHub (Jun 6, 2025): Issue was closed due to inactivity.
kerem commented 2026-02-26 07:34:03 +03:00
Author
Owner
Copy link

@zackfuchtel commented on GitHub (Sep 8, 2025):

My personal solution, one on a proxmox 9.x, one in NginxProxyManager:

pip install dnspython

<!-- gh-comment-id:3265379759 --> @zackfuchtel commented on GitHub (Sep 8, 2025): My personal solution, one on a proxmox 9.x, one in NginxProxyManager: `pip install dnspython`
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/npm_and_yarn/backend/liquidjs-10.25.7
dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987
dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41
dependabot/npm_and_yarn/backend/basic-ftp-5.3.0
dependabot/npm_and_yarn/test/follow-redirects-1.16.0
dependabot/npm_and_yarn/test/axios-1.15.0
dependabot/npm_and_yarn/frontend/lodash-4.18.1
dependabot/npm_and_yarn/backend/lodash-4.18.1
dependabot/npm_and_yarn/test/lodash-4.18.1
dependabot/npm_and_yarn/frontend/vite-7.3.2
dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21
dependabot/npm_and_yarn/frontend/lodash-es-4.18.1
dependabot/npm_and_yarn/frontend/happy-dom-20.8.9
dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0
dependabot/npm_and_yarn/frontend/picomatch-4.0.4
dependabot/npm_and_yarn/backend/picomatch-2.3.2
dependabot/npm_and_yarn/frontend/yaml-1.10.3
dependabot/npm_and_yarn/test/flatted-3.4.2
dependabot/npm_and_yarn/test/tar-7.5.11
dependabot/npm_and_yarn/frontend/immutable-5.1.5
master
dependabot/npm_and_yarn/test/glob-10.5.0
dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1
dependabot/npm_and_yarn/test/form-data-4.0.4
v3-abandoned
bump-freedns
openidc
ssl-passthrough-hosts
static-content
v2.14.0
v2.13.7
v2.13.6
v2.13.5
v2.13.4
v2.13.3
v2.13.2
v2.13.1
v2.13.0
v2.12.6
v2.12.5
v2.12.4
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.22
v2.9.21
v2.9.20
v2.9.19
v2.9.18
v2.9.17
v2.9.16
v2.9.15
v2.9.14
v2.9.13
v2.9.12
v2.9.11
v2.9.10
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.8.1
v2.8.0
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.0
v2.0.0
1.1.2
1.1.1
1.0.1
Labels
Clear labels   
awaiting feedback

   
bug

   
cannot reproduce

   
dns provider request

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
invalid

   
need more info

   
no certbot plugin available

   
product-support

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
troll

   
upstream issue

   
v2

   
v2

   
v2

   
v3

   
wontfix
No labels
awaiting feedback
bug
cannot reproduce
dns provider request
duplicate
enhancement
enhancement
enhancement
good first issue
help wanted
invalid
need more info
no certbot plugin available
product-support
pull-request
question
stale
troll
upstream issue
v2
v2
v2
v3
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nginx-proxy-manager-NginxProxyManager#2102
No description provided.