[GH-ISSUE #3154] First time boot takes incredibly long due to chown -R "$PUID:$PGID" /opt/certbot #2137

New issue

Closed

opened 2026-02-26 07:34:11 +03:00 by kerem · 52 comments

kerem commented 2026-02-26 07:34:11 +03:00

Owner

Copy link

Originally created by @devedse on GitHub (Aug 23, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3154

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug

When I start the container for the first time it's taking an incredibly long due to it setting ownership:

nginx-proxy-manager  | ❯ Configuring npm user ...
nginx-proxy-manager  | ❯ Configuring npm group ...
nginx-proxy-manager  | ❯ Checking paths ...
nginx-proxy-manager  | ❯ Setting ownership ...

I did a bit of investigation and found out it's due to this command:

chown -R "$PUID:$PGID" /opt/certbot

This code was added in this commit:
github.com/NginxProxyManager/nginx-proxy-manager@05307aa253

I ran this command myself inside the container and it took about 5 minutes to complete:

To me it feels a bit strange to have to execute this command on the /opt folder which isn't even mapped to my host system. So why not do this during the creation of the container rather then during boot?

Nginx Proxy Manager Version

2.10.4

To Reproduce
See above

Expected behavior

Boot quickly

Screenshots

N/A

Operating System

Docker inside a container on a Synology NAS

Additional context

Originally created by @devedse on GitHub (Aug 23, 2023). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3154 <!-- Are you in the right place? - If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit. - If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask. - If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.* --> **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - Yes - Are you sure you're not using someone else's docker image? - Yes - Have you searched for similar issues (both open and closed)? - Yes **Describe the bug** <!-- A clear and concise description of what the bug is. --> When I start the container for the first time it's taking an incredibly long due to it setting ownership: ``` nginx-proxy-manager | ❯ Configuring npm user ... nginx-proxy-manager | ❯ Configuring npm group ... nginx-proxy-manager | ❯ Checking paths ... nginx-proxy-manager | ❯ Setting ownership ... ``` I did a bit of investigation and found out it's due to this command: ``` chown -R "$PUID:$PGID" /opt/certbot ``` This code was added in this commit: https://github.com/NginxProxyManager/nginx-proxy-manager/commit/05307aa253c073cf94237fc96d816ec2919f4d7f I ran this command myself inside the container and it took about 5 minutes to complete:  To me it feels a bit strange to have to execute this command on the /opt folder which isn't even mapped to my host system. So why not do this during the creation of the container rather then during boot? **Nginx Proxy Manager Version** <!-- What version of Nginx Proxy Manager is reported on the login page? --> 2.10.4 **To Reproduce** See above **Expected behavior** <!-- A clear and concise description of what you expected to happen. --> Boot quickly **Screenshots** <!-- If applicable, add screenshots to help explain your problem. --> N/A **Operating System** <!-- Please specify if using a Rpi, Mac, orchestration tool or any other setups that might affect the reproduction of this error. --> Docker inside a container on a Synology NAS **Additional context** <!-- Add any other context about the problem here, docker version, browser version, logs if applicable to the problem. Too much info is better than too little. -->

kerem 2026-02-26 07:34:11 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@Nightreaver commented on GitHub (Sep 11, 2023):

I can confirm this. Sometimes it pretty annyoing

<!-- gh-comment-id:1714259485 --> @Nightreaver commented on GitHub (Sep 11, 2023): I can confirm this. Sometimes it pretty annyoing

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@panos-stavrianos commented on GitHub (Oct 9, 2023):

Any workaround at least? 3-4 minutes downtime just to restart npm is a lot, and very annoying when changing configs and have to restart to see the results.

<!-- gh-comment-id:1752761127 --> @panos-stavrianos commented on GitHub (Oct 9, 2023): Any workaround at least? 3-4 minutes downtime just to restart npm is a lot, and very annoying when changing configs and have to restart to see the results.

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@devedse commented on GitHub (Oct 9, 2023):

I guess you could map a volume to the root fs that persists the /opt folder

<!-- gh-comment-id:1752875614 --> @devedse commented on GitHub (Oct 9, 2023): I guess you could map a volume to the root fs that persists the /opt folder

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@panos-stavrianos commented on GitHub (Oct 9, 2023):

I guess you could map a volume to the root fs that persists the /opt folder

Thanks, it worked!

<!-- gh-comment-id:1752949079 --> @panos-stavrianos commented on GitHub (Oct 9, 2023): > I guess you could map a volume to the root fs that persists the /opt folder Thanks, it worked!

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@DWRedShoes commented on GitHub (Nov 9, 2023):

I've ran into the exact same issue at startup of the docker container where the chown command (Setting Ownership) took around 25 minutes to complete and this happens every time I turn the container on.

<!-- gh-comment-id:1803498187 --> @DWRedShoes commented on GitHub (Nov 9, 2023): I've ran into the exact same issue at startup of the docker container where the chown command (Setting Ownership) took around 25 minutes to complete and this happens every time I turn the container on. 

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@anantanandgupta commented on GitHub (Jan 4, 2024):

I guess you could map a volume to the root fs that persists the /opt folder

Thanks, it worked!

How? can you please explain? I am not getting pass to the settings ownership and it simply timesout in my case. I am mounting the data and letsencrypt folder on an nfs share.

<!-- gh-comment-id:1877699026 --> @anantanandgupta commented on GitHub (Jan 4, 2024): > > I guess you could map a volume to the root fs that persists the /opt folder > > Thanks, it worked! How? can you please explain? I am not getting pass to the settings ownership and it simply timesout in my case. I am mounting the data and letsencrypt folder on an nfs share.

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@corporategoth commented on GitHub (Jan 9, 2024):

I too am hitting this issue on my TrueNAS system. How I resolve this for now.

Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas).
Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell)
Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2)
Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot
Step 5: Start the container again.

It should now be very quick to chown, because the storage is external, not copy on write.
Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again.

<!-- gh-comment-id:1883011157 --> @corporategoth commented on GitHub (Jan 9, 2024): I too am hitting this issue on my TrueNAS system. How I resolve this for now. Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas). Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell) Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2) Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot Step 5: Start the container again. It should now be very quick to chown, because the storage is external, not copy on write. Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again.

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@Lapo-Statix commented on GitHub (Feb 19, 2024):

I guess you could map a volume to the root fs that persists the /opt folder

Thanks, it worked!

@panos-stavrianos

How did you do that? I'm having the same problem running on my server, when I run it on my machine it doesn't take long. 😢

<!-- gh-comment-id:1952944043 --> @Lapo-Statix commented on GitHub (Feb 19, 2024): > > I guess you could map a volume to the root fs that persists the /opt folder > > Thanks, it worked! @panos-stavrianos How did you do that? I'm having the same problem running on my server, when I run it on my machine it doesn't take long. 😢

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@Nightreaver commented on GitHub (Feb 19, 2024):

I would guess,

run the container and wait for it to start,
use docker copy and copy the /opt from the container to a folder on your
harddisk
once this is done, stop the container
add a volume that maps the copy on your local disk to the /opt inside the
container
start the container again

Am Mo., 19. Feb. 2024 um 18:45 Uhr schrieb Lapo @.***>:

I guess you could map a volume to the root fs that persists the /opt folder

Thanks, it worked!

@panos-stavrianos https://github.com/panos-stavrianos

How did you do that? I'm having the same problem running on my server,
when I run it on my machine it doesn't take long.

—
Reply to this email directly, view it on GitHub
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3154#issuecomment-1952944043,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAY6MDHQYN3XKWID27OJX3LYUOFSHAVCNFSM6AAAAAA34FODYWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJSHE2DIMBUGM
.
You are receiving this because you commented.Message ID:
@.***>

<!-- gh-comment-id:1952951606 --> @Nightreaver commented on GitHub (Feb 19, 2024): I would guess, run the container and wait for it to start, use docker copy and copy the /opt from the container to a folder on your harddisk once this is done, stop the container add a volume that maps the copy on your local disk to the /opt inside the container start the container again Am Mo., 19. Feb. 2024 um 18:45 Uhr schrieb Lapo ***@***.***>: > I guess you could map a volume to the root fs that persists the /opt folder > > Thanks, it worked! > > @panos-stavrianos <https://github.com/panos-stavrianos> > > How did you do that? I'm having the same problem running on my server, > when I run it on my machine it doesn't take long. > > — > Reply to this email directly, view it on GitHub > <https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3154#issuecomment-1952944043>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAY6MDHQYN3XKWID27OJX3LYUOFSHAVCNFSM6AAAAAA34FODYWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJSHE2DIMBUGM> > . > You are receiving this because you commented.Message ID: > ***@***.***> >

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@Lapo-Statix commented on GitHub (Feb 19, 2024):

I would guess, run the container and wait for it to start, use docker copy and copy the /opt from the container to a folder on your harddisk once this is done, stop the container add a volume that maps the copy on your local disk to the /opt inside the container start the container again Am Mo., 19. Feb. 2024 um 18:45 Uhr schrieb Lapo @.>:
…
I guess you could map a volume to the root fs that persists the /opt folder Thanks, it worked! @panos-stavrianos https://github.com/panos-stavrianos How did you do that? I'm having the same problem running on my server, when I run it on my machine it doesn't take long. — Reply to this email directly, view it on GitHub <#3154 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAY6MDHQYN3XKWID27OJX3LYUOFSHAVCNFSM6AAAAAA34FODYWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJSHE2DIMBUGM . You are receiving this because you commented.Message ID: @.>

@Nightreaver

Thank you!! it worked :)

<!-- gh-comment-id:1953011398 --> @Lapo-Statix commented on GitHub (Feb 19, 2024): > I would guess, run the container and wait for it to start, use docker copy and copy the /opt from the container to a folder on your harddisk once this is done, stop the container add a volume that maps the copy on your local disk to the /opt inside the container start the container again Am Mo., 19. Feb. 2024 um 18:45 Uhr schrieb Lapo ***@***.***>: > […](#) > I guess you could map a volume to the root fs that persists the /opt folder Thanks, it worked! @panos-stavrianos <https://github.com/panos-stavrianos> How did you do that? I'm having the same problem running on my server, when I run it on my machine it doesn't take long. — Reply to this email directly, view it on GitHub <[#3154 (comment)](https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3154#issuecomment-1952944043)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAY6MDHQYN3XKWID27OJX3LYUOFSHAVCNFSM6AAAAAA34FODYWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJSHE2DIMBUGM> . You are receiving this because you commented.Message ID: ***@***.***> @Nightreaver Thank you!! it worked :)

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@willtaylor commented on GitHub (Feb 25, 2024):

I'm having the same problem with 2.11.1 via the TrueNAS catalog chart version 1.0.27

I never seem to get past the chown before TrueNAS decides that the container is unhealthy and attempts to restart it, causing an endless loop

2024-02-25 09:32:46.464991-05:00❯ Configuring npm user ...
2024-02-25 09:36:39.192117-05:00❯ Configuring npm group ...
2024-02-25 09:36:51.272227-05:00❯ Checking paths ...
2024-02-25 09:37:09.147531-05:00❯ Setting ownership ...

2024-02-25 09:58:04.848091-05:00❯ Configuring npm user ...

I haven't tried the proposed workaround

EDIT

I was just in the console when the container was restarted and it echoed the following message to the console:
command terminated with exit code 137

<!-- gh-comment-id:1962968027 --> @willtaylor commented on GitHub (Feb 25, 2024): I'm having the same problem with 2.11.1 via the TrueNAS catalog chart version 1.0.27 I never seem to get past the chown before TrueNAS decides that the container is unhealthy and attempts to restart it, causing an endless loop ``` 2024-02-25 09:32:46.464991-05:00❯ Configuring npm user ... 2024-02-25 09:36:39.192117-05:00❯ Configuring npm group ... 2024-02-25 09:36:51.272227-05:00❯ Checking paths ... 2024-02-25 09:37:09.147531-05:00❯ Setting ownership ... ``` ``` 2024-02-25 09:58:04.848091-05:00❯ Configuring npm user ... ``` I haven't tried the proposed workaround EDIT I was just in the console when the container was restarted and it echoed the following message to the console: `command terminated with exit code 137`

kerem commented 2026-02-26 07:34:11 +03:00

Author

Owner

Copy link

@dasunsrule32 commented on GitHub (Apr 9, 2024):

Affected by this issue as well on TrueNAS SCALE 23.10.2. Same issue on the community train and installing the docker image directly as well. Takes about 10 minutes for mine to fully load.

<!-- gh-comment-id:2045498147 --> @dasunsrule32 commented on GitHub (Apr 9, 2024): Affected by this issue as well on TrueNAS SCALE 23.10.2. Same issue on the community train and installing the docker image directly as well. Takes about 10 minutes for mine to fully load.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@dasunsrule32 commented on GitHub (Apr 9, 2024):

I too am hitting this issue on my TrueNAS system. How I resolve this for now.

Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas).
Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell)
Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2)
Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot
Step 5: Start the container again.

It should now be very quick to chown, because the storage is external, not copy on write.
Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again.

So I copied the files to my HDD pool in my /data mount that mounts to npm and created a folder there called certbot and mounted a host path of /opt/certbot to /data/certbot it has the same effect. Boots in seconds now.

<!-- gh-comment-id:2045576187 --> @dasunsrule32 commented on GitHub (Apr 9, 2024): > I too am hitting this issue on my TrueNAS system. How I resolve this for now. > > Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas). > Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell) > Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2) > Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot > Step 5: Start the container again. > > It should now be very quick to chown, because the storage is external, not copy on write. > Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again. So I copied the files to my HDD pool in my `/data` mount that mounts to npm and created a folder there called `certbot` and mounted a host path of `/opt/certbot` to `/data/certbot` it has the same effect. Boots in seconds now.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Furglitch commented on GitHub (Apr 11, 2024):

So I copied the files to my HDD pool in my /data mount that mounts to npm and created a folder there called certbot and mounted a host path of /opt/certbot to /data/certbot it has the same effect. Boots in second now.

This actually really helped me out.
Working in Portainer, I just edited my stack compose.

First added the following

volumes:
  - ./data/opt:/opt/certbot-cp # command will generate the /certbot folder in /data/opt
command: 'cp -avr /opt/certbot /opt/certbot-cp'

waited for the app to output the command response (a ton of lines starting with '/opt/certbot
then changed to

volumes:
  - ./data/opt/certbot:/opt/certbot # added /certbot to host path, removed -cp from container path
# removed command setting

and restarted. npm loaded pretty much immediately, and I was able to access the admin panel.
restarted again just to make sure, and npm loaded in less than 10 seconds.

I'm still learning docker so I may not be doing it the best way, but it worked for me.

<!-- gh-comment-id:2049015318 --> @Furglitch commented on GitHub (Apr 11, 2024): > So I copied the files to my HDD pool in my `/data` mount that mounts to npm and created a folder there called `certbot` and mounted a host path of `/opt/certbot` to `/data/certbot` it has the same effect. Boots in second now. This actually really helped me out. Working in Portainer, I just edited my stack compose. First added the following ```yaml volumes: - ./data/opt:/opt/certbot-cp # command will generate the /certbot folder in /data/opt command: 'cp -avr /opt/certbot /opt/certbot-cp' ``` waited for the app to output the command response (a ton of lines starting with '/opt/certbot then changed to ```yaml volumes: - ./data/opt/certbot:/opt/certbot # added /certbot to host path, removed -cp from container path # removed command setting ``` and restarted. npm loaded pretty much immediately, and I was able to access the admin panel. restarted again just to make sure, and npm loaded in less than 10 seconds. I'm still learning docker so I may not be doing it the best way, but it worked for me.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@dasunsrule32 commented on GitHub (Apr 11, 2024):

So I copied the files to my HDD pool in my /data mount that mounts to npm and created a folder there called certbot and mounted a host path of /opt/certbot to /data/certbot it has the same effect. Boots in second now.

This actually really helped me out.
Working in Portainer, I just edited my stack compose.

First added the following

volumes:
  - ./data/opt:/opt/certbot-cp # command will generate the /certbot folder in /data/opt
command: 'cp -avr /opt/certbot /opt/certbot-cp'

waited for the app to output the command response (a ton of lines starting with '/opt/certbot
then changed to

volumes:
  - ./data/opt/certbot:/opt/certbot # added /certbot to host path, removed -cp from container path
# removed command setting

and restarted. npm loaded pretty much immediately, and I was able to access the admin panel.
restarted again just to make sure, and npm loaded in less than 10 seconds.

I'm still learning docker so I may not be doing it the best way, but it worked for me.

Yep, same thing I did, just using docker compose.

<!-- gh-comment-id:2050189818 --> @dasunsrule32 commented on GitHub (Apr 11, 2024): > > So I copied the files to my HDD pool in my `/data` mount that mounts to npm and created a folder there called `certbot` and mounted a host path of `/opt/certbot` to `/data/certbot` it has the same effect. Boots in second now. > > This actually really helped me out. > Working in Portainer, I just edited my stack compose. > > First added the following > ```yaml > volumes: > - ./data/opt:/opt/certbot-cp # command will generate the /certbot folder in /data/opt > command: 'cp -avr /opt/certbot /opt/certbot-cp' > ``` > waited for the app to output the command response (a ton of lines starting with '/opt/certbot > then changed to > ```yaml > volumes: > - ./data/opt/certbot:/opt/certbot # added /certbot to host path, removed -cp from container path > # removed command setting > ``` > and restarted. npm loaded pretty much immediately, and I was able to access the admin panel. > restarted again just to make sure, and npm loaded in less than 10 seconds. > > I'm still learning docker so I may not be doing it the best way, but it worked for me. Yep, same thing I did, just using docker compose.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@MichaelKirgus commented on GitHub (Apr 13, 2024):

I too am hitting this issue on my TrueNAS system. How I resolve this for now.
Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas).
Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell)
Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2)
Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot
Step 5: Start the container again.
It should now be very quick to chown, because the storage is external, not copy on write.
Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again.

So I copied the files to my HDD pool in my /data mount that mounts to npm and created a folder there called certbot and mounted a host path of /opt/certbot to /data/certbot it has the same effect. Boots in seconds now.

This cant be an solution, only an workaround. Its VERY anoying...at every update of the container or helm forces an downtime for over an hour...

<!-- gh-comment-id:2053791192 --> @MichaelKirgus commented on GitHub (Apr 13, 2024): > > I too am hitting this issue on my TrueNAS system. How I resolve this for now. > > Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas). > > Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell) > > Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2) > > Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot > > Step 5: Start the container again. > > It should now be very quick to chown, because the storage is external, not copy on write. > > Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again. > > So I copied the files to my HDD pool in my `/data` mount that mounts to npm and created a folder there called `certbot` and mounted a host path of `/opt/certbot` to `/data/certbot` it has the same effect. Boots in seconds now. This cant be an solution, only an workaround. Its VERY anoying...at every update of the container or helm forces an downtime for over an hour...

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@dasunsrule32 commented on GitHub (Apr 13, 2024):

I too am hitting this issue on my TrueNAS system. How I resolve this for now.
Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas).
Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell)
Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2)
Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot
Step 5: Start the container again.
It should now be very quick to chown, because the storage is external, not copy on write.
Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again.

So I copied the files to my HDD pool in my /data mount that mounts to npm and created a folder there called certbot and mounted a host path of /opt/certbot to /data/certbot it has the same effect. Boots in seconds now.

This cant be an solution, only an workaround. Its VERY anoying...at every update of the container or helm forces an downtime for over an hour...

Not a solution, just a workaround for now.

<!-- gh-comment-id:2053792073 --> @dasunsrule32 commented on GitHub (Apr 13, 2024): > > > I too am hitting this issue on my TrueNAS system. How I resolve this for now. > > > Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas). > > > Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell) > > > Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2) > > > Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot > > > Step 5: Start the container again. > > > It should now be very quick to chown, because the storage is external, not copy on write. > > > Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again. > > > > So I copied the files to my HDD pool in my `/data` mount that mounts to npm and created a folder there called `certbot` and mounted a host path of `/opt/certbot` to `/data/certbot` it has the same effect. Boots in seconds now. > > This cant be an solution, only an workaround. Its VERY anoying...at every update of the container or helm forces an downtime for over an hour... Not a solution, just a workaround for now.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@MichaelKirgus commented on GitHub (Apr 13, 2024):

I too am hitting this issue on my TrueNAS system. How I resolve this for now.
Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas).
Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell)
Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2)
Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot
Step 5: Start the container again.
It should now be very quick to chown, because the storage is external, not copy on write.
Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again.

So I copied the files to my HDD pool in my /data mount that mounts to npm and created a folder there called certbot and mounted a host path of /opt/certbot to /data/certbot it has the same effect. Boots in seconds now.

This cant be an solution, only an workaround. Its VERY anoying...at every update of the container or helm forces an downtime for over an hour...

Not a solution, just a workaround for now.

Ok, sorry if my comment was a bit salty...lets be productive:
Is there an elegant solution for this? What about executing chrown only if PUID/PGID is set or check if the first file under "/data/certbot" has the right permissions and owner and then skip it?

<!-- gh-comment-id:2053796623 --> @MichaelKirgus commented on GitHub (Apr 13, 2024): > > > > I too am hitting this issue on my TrueNAS system. How I resolve this for now. > > > > Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas). > > > > Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell) > > > > Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2) > > > > Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot > > > > Step 5: Start the container again. > > > > It should now be very quick to chown, because the storage is external, not copy on write. > > > > Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again. > > > > > > > > > So I copied the files to my HDD pool in my `/data` mount that mounts to npm and created a folder there called `certbot` and mounted a host path of `/opt/certbot` to `/data/certbot` it has the same effect. Boots in seconds now. > > > > > > This cant be an solution, only an workaround. Its VERY anoying...at every update of the container or helm forces an downtime for over an hour... > > Not a solution, just a workaround for now. Ok, sorry if my comment was a bit salty...lets be productive: Is there an elegant solution for this? What about executing chrown only if PUID/PGID is set or check if the first file under "/data/certbot" has the right permissions and owner and then skip it?

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@nintendoeats commented on GitHub (Aug 21, 2024):

Did anybody ever figure out an answer to the original question of why this is required? Could we simply...remove the offending line?....

<!-- gh-comment-id:2301078959 --> @nintendoeats commented on GitHub (Aug 21, 2024): Did anybody ever figure out an answer to the original question of why this is required? Could we simply...remove the offending line?....

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Mathpro commented on GitHub (Sep 4, 2024):

Same issue here unfortunately

<!-- gh-comment-id:2329258650 --> @Mathpro commented on GitHub (Sep 4, 2024): Same issue here unfortunately

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Dremor commented on GitHub (Sep 6, 2024):

Same here, Truenas 24.10-Beta.1.

10 to 15 minutes downtime, on an SSD array. I can imagine how frustrating it must be on a pure HDD array.

<!-- gh-comment-id:2333558447 --> @Dremor commented on GitHub (Sep 6, 2024): Same here, Truenas 24.10-Beta.1. 10 to 15 minutes downtime, on an SSD array. I can imagine how frustrating it must be on a pure HDD array.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Tsaukpaetra commented on GitHub (Sep 7, 2024):

I think instead of using a hacky workaround, perhaps the underlying issue with whatever causes certbot to complain about can be resolved? Like, if it's to make it not complain about not running as root... isn't there something with the python stuff that lets user packages to be used?

Maybe I'm just dumb but I'm baffled why this is a thing...

<!-- gh-comment-id:2336470483 --> @Tsaukpaetra commented on GitHub (Sep 7, 2024): I think instead of using a hacky workaround, perhaps the underlying issue with whatever causes certbot to complain about can be resolved? Like, if it's to make it not complain about not running as root... isn't there something with the python stuff that lets _user_ packages to be used? Maybe I'm just dumb but I'm baffled why this is a thing...

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@LexiconCode commented on GitHub (Sep 8, 2024):

Workaround add an Additional Environment Variable on Truenas 24.10-Beta.1:
S6_STAGE2_HOOK=sed -i $d /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh

<!-- gh-comment-id:2336556125 --> @LexiconCode commented on GitHub (Sep 8, 2024): Workaround add an Additional Environment Variable on Truenas 24.10-Beta.1: `S6_STAGE2_HOOK=sed -i $d /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh`

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Dremor commented on GitHub (Sep 14, 2024):

Workaround add an Additional Environment Variable on Truenas 24.10-Beta.1: S6_STAGE2_HOOK=sed -i $d /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh

That's indeed the current (sometime buggy) workaround, but that won't resolve the issue itself.

The issue was caused by going from a python user package to a system package (see commit linked in the issue), which, if I understand it well, can only be run as root unless you chown it back, which take ages.
The question is, should we really chown the whole /opt/certbot, or is it possible to do it another way, like chowning only a subset (like only the plugin directory, and only if there is a plugin installed) to reduce the time required, or, ideally, finding a better solution that the commit introducing this was trying to address.

<!-- gh-comment-id:2350969994 --> @Dremor commented on GitHub (Sep 14, 2024): > Workaround add an Additional Environment Variable on Truenas 24.10-Beta.1: `S6_STAGE2_HOOK=sed -i $d /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh` That's indeed the current (sometime buggy) workaround, but that won't resolve the issue itself. The issue was caused by going from a python user package to a system package (see commit linked in the issue), which, if I understand it well, can only be run as root unless you chown it back, which take ages. The question is, should we really chown the whole `/opt/certbot`, or is it possible to do it another way, like chowning only a subset (like only the plugin directory, and only if there is a plugin installed) to reduce the time required, or, ideally, finding a better solution that the commit introducing this was trying to address.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@skirsch commented on GitHub (Sep 23, 2024):

It's only 20 minutes startup time with HDD in a truenas array. WIth the fix, the startup time is 5 seconds.

<!-- gh-comment-id:2369782321 --> @skirsch commented on GitHub (Sep 23, 2024): It's only 20 minutes startup time with HDD in a truenas array. WIth the fix, the startup time is 5 seconds.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@dasunsrule32 commented on GitHub (Sep 29, 2024):

This happens on straight docker as well on zfs.

<!-- gh-comment-id:2381413275 --> @dasunsrule32 commented on GitHub (Sep 29, 2024): This happens on straight docker as well on zfs.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@NicolasGoeddel commented on GitHub (Nov 1, 2024):

Wow, this is annoying. I just installed it on my TrueNAS 24.10 and while I was searching for a solution and writing this text it is still setting ownershop.
I fixed it by setting UID and GID to 0 because everything in /opt/certbot belongs to root:root anyway.

<!-- gh-comment-id:2452240531 --> @NicolasGoeddel commented on GitHub (Nov 1, 2024): Wow, this is annoying. I just installed it on my TrueNAS 24.10 and while I was searching for a solution and writing this text it is still setting ownershop. I fixed it by setting UID and GID to `0` because everything in `/opt/certbot` belongs to `root:root` anyway. 

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@anakine22 commented on GitHub (Nov 1, 2024):

Wow, this is annoying. I just installed it on my TrueNAS 24.10 and while I was searching for a solution and writing this text it is still setting ownershop. I fixed it by setting UID and GID to 0 because everything in /opt/certbot belongs to root:root anyway.

I experienced the same issue, thank you for your solution!

<!-- gh-comment-id:2452322427 --> @anakine22 commented on GitHub (Nov 1, 2024): > Wow, this is annoying. I just installed it on my TrueNAS 24.10 and while I was searching for a solution and writing this text it is still setting ownershop. I fixed it by setting UID and GID to `0` because everything in `/opt/certbot` belongs to `root:root` anyway.  I experienced the same issue, thank you for your solution!

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@zibler commented on GitHub (Nov 17, 2024):

Wow, this is annoying. I just installed it on my TrueNAS 24.10 and while I was searching for a solution and writing this text it is still setting ownershop. I fixed it by setting UID and GID to 0 because everything in /opt/certbot belongs to root:root anyway.

Thank you! Finally, it starts up.

<!-- gh-comment-id:2481289867 --> @zibler commented on GitHub (Nov 17, 2024): > Wow, this is annoying. I just installed it on my TrueNAS 24.10 and while I was searching for a solution and writing this text it is still setting ownershop. I fixed it by setting UID and GID to `0` because everything in `/opt/certbot` belongs to `root:root` anyway.  Thank you! Finally, it starts up.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@lucky13820 commented on GitHub (Jan 2, 2025):

Wow, this is annoying. I just installed it on my TrueNAS 24.10 and while I was searching for a solution and writing this text it is still setting ownershop. I fixed it by setting UID and GID to 0 because everything in /opt/certbot belongs to root:root anyway.

This works perfectly, thanks！

<!-- gh-comment-id:2568502992 --> @lucky13820 commented on GitHub (Jan 2, 2025): > Wow, this is annoying. I just installed it on my TrueNAS 24.10 and while I was searching for a solution and writing this text it is still setting ownershop. I fixed it by setting UID and GID to `0` because everything in `/opt/certbot` belongs to `root:root` anyway. This works perfectly, thanks！

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@CajuCLC commented on GitHub (Jan 14, 2025):

I too am hitting this issue on my TrueNAS system. How I resolve this for now.

Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas). Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell) Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2) Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot Step 5: Start the container again.

It should now be very quick to chown, because the storage is external, not copy on write. Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again.

I just want to say thank you for this.
I am running TrueNAS 24.10 and was having the same issue, taking 5+ minutes for nginx proxy manager to start. I didn't want to change the UID and GID to run as root, so went with your recommendation. It started instantly.
I use the same pool as the apps, so there is no issues with speed (also nvme).

<!-- gh-comment-id:2589549288 --> @CajuCLC commented on GitHub (Jan 14, 2025): > I too am hitting this issue on my TrueNAS system. How I resolve this for now. > > Step 1: Create a PVC mount called /opt/certbot2 (ie. an external mount is managed by TrueNAS - this is not the same as a named mount managed by docker, from docker's perspective it's still a host mount, but it's as good as you get with truenas). Step 2: Start the container, then log into it via. shell (use heavyscript or truenas to get into the shell) Step 3: Copy everything in /opt/certbot to /opt/certbot2 (cp -a /opt/certbot/* /opt/certbot2) Step 4: Stop the container and change the PVC mount from /opt/certbot2 to /opt/certbot Step 5: Start the container again. > > It should now be very quick to chown, because the storage is external, not copy on write. Of course, this is a terrible solution, because we are now overriding the docker image for what is in /opt/certbot, so as the container updates, our /opt/certbot will not unless you remove the PVC and do the above steps again. I just want to say thank you for this. I am running TrueNAS 24.10 and was having the same issue, taking 5+ minutes for nginx proxy manager to start. I didn't want to change the UID and GID to run as root, so went with your recommendation. It started instantly. I use the same pool as the apps, so there is no issues with speed (also nvme).

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@NicolasGoeddel commented on GitHub (Jan 14, 2025):

I didn't want to change the UID and GID to run as root, so went with your recommendation. It started instantly. I use the same pool as the apps, so there is no issues with speed (also nvme).

Realistically changing the UID and GID does not harm security in any way because the container is running in its own namespace anyway.
Also: In /opt/certbot are a lot of libraries that come with the container image. Copying it and mounting it again will prevent these libraries from being updated.

<!-- gh-comment-id:2589590662 --> @NicolasGoeddel commented on GitHub (Jan 14, 2025): > I didn't want to change the UID and GID to run as root, so went with your recommendation. It started instantly. I use the same pool as the apps, so there is no issues with speed (also nvme). Realistically changing the UID and GID does not harm security in any way because the container is running in its own namespace anyway. Also: In `/opt/certbot` are a lot of libraries that come with the container image. Copying it and mounting it again will prevent these libraries from being updated.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Korkman commented on GitHub (Feb 23, 2025):

Can confirm this is annoying. A route the devs may take:

• move the directory elsewhere during build
• in entrypoint, synchronize the directory with the original location, and overwrite only modified files (rsync?)
• apply the desired uid/gid to non-matching files (again, rsync - it can be set to force specific uid/gid, so that would be one cmd)

Now if there is no volume mounted on /opt, the entire copy process would repeat on every run. To optimize for people who run with UID 0, just symlink the true location to the moved directory. So they get instant startup again.

Once there is a volume mounted on /opt, it can persist and non-root users get a much faster startup (rsync still has to stat all files to check for changes, but reading is much faster than modifying permissions).

<!-- gh-comment-id:2677163829 --> @Korkman commented on GitHub (Feb 23, 2025): Can confirm this is annoying. A route the devs may take: - move the directory elsewhere during build - in entrypoint, synchronize the directory with the original location, and overwrite only modified files (rsync?) - apply the desired uid/gid to non-matching files (again, rsync - it can be set to force specific uid/gid, so that would be one cmd) Now if there is no volume mounted on /opt, the entire copy process would repeat on every run. To optimize for people who run with UID 0, just symlink the true location to the moved directory. So they get instant startup again. Once there is a volume mounted on /opt, it can persist and non-root users get a much faster startup (rsync still has to stat all files to check for changes, but reading is much faster than modifying permissions).

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Korkman commented on GitHub (Mar 1, 2025):

Like this:

Dockerfile:

FROM docker.io/jc21/nginx-proxy-manager:latest

RUN \
	apt-get update \
	&& apt-get install -y --no-install-recommends rsync \
	&& apt-get clean \
	&& rm -rf /var/lib/apt/lists/* \
	;

RUN \
	mkdir /origin \
	&& mv /opt /origin/opt \
	;

COPY persist-permissions.sh /persist-permissions.sh
ENTRYPOINT /persist-permissions.sh

persist-permissions.sh:

#!/bin/bash

set -e

. /usr/bin/common.sh

# Create a copy of or symlink /origin/opt as /opt to speed up chown

log_info 'Synchronizing persisted permissions ...'
if ! [ -e "/opt" ]
then
	log_info '/opt does not exist'
	if [ "$PUID" = "0" ] && [ "$PGID" = "0" ]
	then
		log_info 'running as root: placing symlink ...'
		ln -s '/origin/opt' '/opt'
	else
		log_info "custom UIDs ($PUID:$PGID) => copying files for chown ..."
		cp -a '/origin/opt' '/opt'
	fi
elif [ -d "/opt" ]
then
	log_info 'rsync /opt ...'
	# NOTE: "--copy-as=$PUID:$PGID" could be used here as well but the current "chown" is very selective so we just sync the files
	rsync --recursive --links --perms --times -D --delete '/origin/opt/' '/opt/'
fi

exec /init

Strictly speaking it isn't even necessary to use rsync and pass a volume for /opt. cp /opt + find + chown finishes in seconds. But the optimum is to now pass an empty volume to /opt.

<!-- gh-comment-id:2692425673 --> @Korkman commented on GitHub (Mar 1, 2025): Like this: Dockerfile: ```dockerfile FROM docker.io/jc21/nginx-proxy-manager:latest RUN \ apt-get update \ && apt-get install -y --no-install-recommends rsync \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* \ ; RUN \ mkdir /origin \ && mv /opt /origin/opt \ ; COPY persist-permissions.sh /persist-permissions.sh ENTRYPOINT /persist-permissions.sh ``` persist-permissions.sh: ```bash #!/bin/bash set -e . /usr/bin/common.sh # Create a copy of or symlink /origin/opt as /opt to speed up chown log_info 'Synchronizing persisted permissions ...' if ! [ -e "/opt" ] then log_info '/opt does not exist' if [ "$PUID" = "0" ] && [ "$PGID" = "0" ] then log_info 'running as root: placing symlink ...' ln -s '/origin/opt' '/opt' else log_info "custom UIDs ($PUID:$PGID) => copying files for chown ..." cp -a '/origin/opt' '/opt' fi elif [ -d "/opt" ] then log_info 'rsync /opt ...' # NOTE: "--copy-as=$PUID:$PGID" could be used here as well but the current "chown" is very selective so we just sync the files rsync --recursive --links --perms --times -D --delete '/origin/opt/' '/opt/' fi exec /init ``` Strictly speaking it isn't even necessary to use rsync and pass a volume for /opt. cp /opt + find + chown finishes in seconds. But the optimum is to now pass an empty volume to /opt.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Korkman commented on GitHub (Mar 1, 2025):

I can transform this into a pull request if welcome

<!-- gh-comment-id:2692426018 --> @Korkman commented on GitHub (Mar 1, 2025): I can transform this into a pull request if welcome

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Tsaukpaetra commented on GitHub (Mar 26, 2025):

Can't hurt. Might as well put it up there. :)

<!-- gh-comment-id:2753472625 --> @Tsaukpaetra commented on GitHub (Mar 26, 2025): Can't hurt. Might as well put it up there. :)

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@nonamethanks commented on GitHub (Jun 29, 2025):

For me it's not just the first boot, it's every boot. It takes half a hour for this container to restart because it needs to reapply permissions every single time. How is it possible???

<!-- gh-comment-id:3017259048 --> @nonamethanks commented on GitHub (Jun 29, 2025): For me it's not just the first boot, it's every boot. It takes half a hour for this container to restart because it needs to reapply permissions every single time. How is it possible???

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@zibler commented on GitHub (Jul 2, 2025):

Hello there,

I just ran into this issue. I pulled the latest version of the container and then everything stopped working. The container is stuck now in "setting ownership". I am not quite sure why it worked before?

I have been trying to get this working. I have waited 30 minutes to see if the container will finally boot up and nothing. I have tried setting the UID and GID to 0 and nothing either. I also tried setting the S6_STAGE2_HOOK environment variable and nothing. I know I can technically mount a volume and copy the contents of opt/certbot, but I don't really want to do that to avoid update issues in the future.

Any pointers or hints you could provide? I would greatly appreciate it.

<!-- gh-comment-id:3026068116 --> @zibler commented on GitHub (Jul 2, 2025): Hello there, I just ran into this issue. I pulled the latest version of the container and then everything stopped working. The container is stuck now in "setting ownership". I am not quite sure why it worked before? I have been trying to get this working. I have waited 30 minutes to see if the container will finally boot up and nothing. I have tried setting the UID and GID to 0 and nothing either. I also tried setting the S6_STAGE2_HOOK environment variable and nothing. I know I can technically mount a volume and copy the contents of opt/certbot, but I don't really want to do that to avoid update issues in the future. Any pointers or hints you could provide? I would greatly appreciate it.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@zibler commented on GitHub (Jul 2, 2025):

Hello there,

I just ran into this issue. I pulled the latest version of the container and then everything stopped working. The container is stuck now in "setting ownership". I am not quite sure why it worked before?

I have been trying to get this working. I have waited 30 minutes to see if the container will finally boot up and nothing. I have tried setting the UID and GID to 0 and nothing either. I also tried setting the S6_STAGE2_HOOK environment variable and nothing. I know I can technically mount a volume and copy the contents of opt/certbot, but I don't really want to do that to avoid update issues in the future.

Any pointers or hints you could provide? I would greatly appreciate it.

Forgot to mention. I am running this on ZFS on an SSD drive.

<!-- gh-comment-id:3026081746 --> @zibler commented on GitHub (Jul 2, 2025): > Hello there, > > I just ran into this issue. I pulled the latest version of the container and then everything stopped working. The container is stuck now in "setting ownership". I am not quite sure why it worked before? > > I have been trying to get this working. I have waited 30 minutes to see if the container will finally boot up and nothing. I have tried setting the UID and GID to 0 and nothing either. I also tried setting the S6_STAGE2_HOOK environment variable and nothing. I know I can technically mount a volume and copy the contents of opt/certbot, but I don't really want to do that to avoid update issues in the future. > > Any pointers or hints you could provide? I would greatly appreciate it. Forgot to mention. I am running this on ZFS on an SSD drive.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@zibler commented on GitHub (Jul 2, 2025):

Just noticed something. I experienced the issue with version 2.12.4. Decided to go back to version 2.12.3 and the container booted up right away. Don't know why, but I am sticking with this version for now

<!-- gh-comment-id:3026096488 --> @zibler commented on GitHub (Jul 2, 2025): Just noticed something. I experienced the issue with version 2.12.4. Decided to go back to version 2.12.3 and the container booted up right away. Don't know why, but I am sticking with this version for now

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@phyco1991 commented on GitHub (Jul 2, 2025):

Yep definitely an issue in 2.12.4
I was getting "/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh: line 41: syntax error: unexpected end of file" in the npm logs
After removing the S6_STAGE2_HOOK environment variable in Truenas I got stuck on "setting ownership" but as soon as I rolled back to 2.12.3 all worked immediately.

<!-- gh-comment-id:3027315133 --> @phyco1991 commented on GitHub (Jul 2, 2025): Yep definitely an issue in 2.12.4 I was getting "/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh: line 41: syntax error: unexpected end of file" in the npm logs After removing the S6_STAGE2_HOOK environment variable in Truenas I got stuck on "setting ownership" but as soon as I rolled back to 2.12.3 all worked immediately.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@daiv92 commented on GitHub (Jul 3, 2025):

Also updated to 2.12.4 and got stuck setting ownership - reverted to 2.12.3 and it's fine

<!-- gh-comment-id:3031739829 --> @daiv92 commented on GitHub (Jul 3, 2025): Also updated to 2.12.4 and got stuck setting ownership - reverted to 2.12.3 and it's fine

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@gquittet commented on GitHub (Jul 3, 2025):

Same issue on my side with 2.12.4 and ownership.
Rollback to 2.12.3 fixed the issue.

<!-- gh-comment-id:3032331346 --> @gquittet commented on GitHub (Jul 3, 2025): Same issue on my side with 2.12.4 and ownership. Rollback to 2.12.3 fixed the issue.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@focustense commented on GitHub (Jul 6, 2025):

This issue doesn't appear to be closed (yet?), but in searching for why the sed hook stopped working in 2.12.4, I saw that the 30-ownership script has been set to add a marker file that skips all subsequent runs after the first one (unless certbot data is updated, I guess, which makes sense). So the expected behavior after removing the S6_STAGE2_HOOK would be for one slow start followed by fast starts afterward.

Thought I'd mention this for anyone else stumbling onto the issue. I'm currently rolled back to 2.12.3 because there are some other bug reports and I'd rather wait 'til everyone agrees it's stabilized before updating again, but afterward it should be OK to remove the hook, and just be patient on the first startup.

<!-- gh-comment-id:3040606733 --> @focustense commented on GitHub (Jul 6, 2025): This issue doesn't appear to be closed (yet?), but in searching for why the sed hook stopped working in 2.12.4, I saw that the `30-ownership` script has been set to add a marker file that skips all subsequent runs after the first one (unless certbot data is updated, I guess, which makes sense). So the expected behavior after removing the `S6_STAGE2_HOOK` would be for one slow start followed by fast starts afterward. Thought I'd mention this for anyone else stumbling onto the issue. I'm currently rolled back to 2.12.3 because there are some other bug reports and I'd rather wait 'til everyone agrees it's stabilized before updating again, but afterward it should be OK to remove the hook, and just be patient on the first startup.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Mr-Newlove commented on GitHub (Jul 6, 2025):

updated to 2.12.4 and this started happening again to me, tried to roll back to 2.12.3 and it is still stuck for me.

both versions now:

2025-07-06 06:25:51.420925+00:00❯ Configuring npm user ...
2025-07-06 06:25:52.847536+00:00useradd warning: npm's uid 0 outside of the UID_MIN 1000 and UID_MAX 60000 range.
2025-07-06 06:25:53.942062+00:00❯ Configuring npm group ...
2025-07-06 06:25:54.137136+00:00❯ Checking paths ...
2025-07-06 06:25:54.458573+00:00❯ Setting ownership ...

Even after rolling back snapshots etc... stuck here, at least I assume this is the same issue

<!-- gh-comment-id:3040995272 --> @Mr-Newlove commented on GitHub (Jul 6, 2025): updated to 2.12.4 and this started happening again to me, tried to roll back to 2.12.3 and it is still stuck for me. both versions now: ``` 2025-07-06 06:25:51.420925+00:00❯ Configuring npm user ... 2025-07-06 06:25:52.847536+00:00useradd warning: npm's uid 0 outside of the UID_MIN 1000 and UID_MAX 60000 range. 2025-07-06 06:25:53.942062+00:00❯ Configuring npm group ... 2025-07-06 06:25:54.137136+00:00❯ Checking paths ... 2025-07-06 06:25:54.458573+00:00❯ Setting ownership ... ``` Even after rolling back snapshots etc... stuck here, at least I assume this is the same issue

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@NicolasGoeddel commented on GitHub (Jul 6, 2025):

Oh no. It is doing it again. What a bullshit. I guess I must remove the whole app and replace it with something better, e.g. traefik or something like that.

<!-- gh-comment-id:3041308723 --> @NicolasGoeddel commented on GitHub (Jul 6, 2025): Oh no. It is doing it again. What a bullshit. I guess I must remove the whole app and replace it with something better, e.g. traefik or something like that.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Nightreaver commented on GitHub (Jul 6, 2025):

Oh no. It is doing it again. What a bullshit. I guess I must remove the whole app and replace it with something better, e.g. traefik or something like that.

Do it! Or just do something yourself, then you can do it better....

I didnt have issues since I just mounted /opt month ago

<!-- gh-comment-id:3041455708 --> @Nightreaver commented on GitHub (Jul 6, 2025): > Oh no. It is doing it again. What a bullshit. I guess I must remove the whole app and replace it with something better, e.g. traefik or something like that. Do it! Or just do something yourself, then you can do it better.... I didnt have issues since I just mounted /opt month ago

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@NicolasGoeddel commented on GitHub (Jul 6, 2025):

I didnt have issues since I just mounted /opt month ago

Which is not a proper solution. This way everything in /opt will not be updated.

I also fixed the issue months ago by changing UID and GID. It makes no sense that it starts chown-ing it again now. It's just wrong to do that in the starting process. It must be fixed.

<!-- gh-comment-id:3041483627 --> @NicolasGoeddel commented on GitHub (Jul 6, 2025): > I didnt have issues since I just mounted /opt month ago Which is not a proper solution. This way everything in /opt will not be updated. I also fixed the issue months ago by changing UID and GID. It makes no sense that it starts `chown`-ing it again now. It's just wrong to do that in the starting process. It must be fixed.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@focustense commented on GitHub (Jul 6, 2025):

Let's be fair here, it is not NPM's fault that opt/certbot has almost 8000 small files. That's how it arrives out of the gate when installing certbot on debian. Nor is it NPM's fault that whenever the container is rebuilt, /opt/certbot reverts to default ownership and has to be chowned again to work for non-root users; that's just how Docker works, all Docker builds with proper non-root support need some logic to fix ownership, they just usually don't have so many files to update.

I think devs did the right thing in 2.12.4 to (a) only process directories that don't already have the correct ownership and (b) skip the ownership step after the first successful pass. So just let it run for a few minutes the first time, don't be impatient.

Though if I may make a suggestion, a common trick for chown/chmod-ing a large number of files/directories is to do it in parallel, using GNU parallel or xargs -p. There might be a few degenerate cases where that doesn't help or even makes things a tad slower (i.e. single-core, single slow mechanical disk) but most people are probably running this in an environment with core capacity and spindles to spare (or on an SSD).

Another possibility to ease the pain would be allowing us to disable certbot/letsencrypt entirely, either as an environment variable or as a trimmed-down docker build. Some of us don't use it, I personally have a third-party wildcard cert.

<!-- gh-comment-id:3042755524 --> @focustense commented on GitHub (Jul 6, 2025): Let's be fair here, it is not NPM's fault that `opt/certbot` has almost 8000 small files. That's how it arrives out of the gate when installing certbot on debian. Nor is it NPM's fault that whenever the container is rebuilt, `/opt/certbot` reverts to default ownership and has to be `chown`ed again to work for non-root users; that's just how Docker works, all Docker builds with proper non-root support need some logic to fix ownership, they just usually don't have so many files to update. I think devs did the right thing in 2.12.4 to (a) only process directories that don't already have the correct ownership and (b) skip the ownership step after the first successful pass. So just let it run for a few minutes the first time, don't be impatient. Though if I may make a suggestion, a common trick for `chown`/`chmod`-ing a large number of files/directories is to do it in parallel, using GNU `parallel` or `xargs -p`. There might be a few degenerate cases where that doesn't help or even makes things a tad slower (i.e. single-core, single slow mechanical disk) but most people are probably running this in an environment with core capacity and spindles to spare (or on an SSD). Another possibility to ease the pain would be allowing us to disable certbot/letsencrypt entirely, either as an environment variable or as a trimmed-down docker build. Some of us don't use it, I personally have a third-party wildcard cert.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@edlman commented on GitHub (Jul 8, 2025):

I'm not sure from since the startup script /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh of HA changed, so the original S6_STAGE2_HOOK doesn't work anymore. Original hook (I used) removed the last line of the script which was chown -R $UID:$GID /opt/certbot, but now it's end of condition fi. Removing this line will break up the script and you end up with "/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh: line 41: syntax error: unexpected end of file".
I removed the hook and NPM started for almost 2 hours (on SSD disks!!!!!!!)
So I checked the changes in 30-ownership.sh script to find out it's checking existence of /opt/certbot/.ownership_initialized. If this file exists (created later in the sctript), the ownership is not modified.
So the solution is to use S6_STAGE2_HOOK with value touch /opt/certbot/.ownership_initialized. It will skip all the chown calls.

<!-- gh-comment-id:3047991783 --> @edlman commented on GitHub (Jul 8, 2025): I'm not sure from since the startup script /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh of HA changed, so the original S6_STAGE2_HOOK doesn't work anymore. Original hook (I used) removed the last line of the script which was `chown -R $UID:$GID /opt/certbot`, but now it's end of condition `fi`. Removing this line will break up the script and you end up with "/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh: line 41: syntax error: unexpected end of file". I removed the hook and NPM started for almost 2 hours (on SSD disks!!!!!!!) So I checked the changes in 30-ownership.sh script to find out it's checking existence of `/opt/certbot/.ownership_initialized`. If this file exists (created later in the sctript), the ownership is not modified. _So the solution is to use_ **S6_STAGE2_HOOK** with value `touch /opt/certbot/.ownership_initialized`. It will skip all the `chown` calls.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Leonid-Perkin commented on GitHub (Jul 9, 2025):

Я не уверен, так как скрипт запуска /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh HA изменился, поэтому оригинальный S6_STAGE2_HOOK больше не работает. Оригинальный хук (который я использовал) удалил последнюю строку скрипта, которая была chown -R $UID:$GID /opt/certbot, но теперь это конец условия fi. Удаление этой строки разрушит скрипт, и вы получите "/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh: строка 41: синтаксическая ошибка: неожиданный конец файла". Я удалил хук, и NPM запустился почти на 2 часа (на SSD-дисках!!!!!!!) Поэтому я проверил изменения в скрипте 30-ownership.sh, чтобы узнать, что он проверяет существование /opt/certbot/.ownership_initialized. Если этот файл существует (создан позже в скрипте), владение не изменено. _Поэтому решение заключается в использовании _ S6_STAGE2_HOOK со значением touch /opt/certbot/.ownership_initialized. Он пропустит все chownвызовы.

It really works!
Deployment is almost instant, even on very slow hardware.

<!-- gh-comment-id:3050991455 --> @Leonid-Perkin commented on GitHub (Jul 9, 2025): > Я не уверен, так как скрипт запуска /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh HA изменился, поэтому оригинальный S6_STAGE2_HOOK больше не работает. Оригинальный хук (который я использовал) удалил последнюю строку скрипта, которая была `chown -R $UID:$GID /opt/certbot`, но теперь это конец условия `fi`. Удаление этой строки разрушит скрипт, и вы получите "/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh: строка 41: синтаксическая ошибка: неожиданный конец файла". Я удалил хук, и NPM запустился почти на 2 часа (на SSD-дисках!!!!!!!) Поэтому я проверил изменения в скрипте 30-ownership.sh, чтобы узнать, что он проверяет существование `/opt/certbot/.ownership_initialized`. Если этот файл существует (создан позже в скрипте), владение не изменено. _Поэтому решение заключается в использовании _ **S6_STAGE2_HOOK** со значением `touch /opt/certbot/.ownership_initialized`. Он пропустит все `chown`вызовы. It really works! Deployment is almost instant, even on very slow hardware.

kerem commented 2026-02-26 07:34:12 +03:00

Author

Owner

Copy link

@Dankitymao commented on GitHub (Jul 10, 2025):

As of June 9, 2025, an update to 30-ownership.sh now checks for the presence of an environment variable "SKIP_CERTBOT_OWNERSHIP"; if true, it skips the ownership settings for Certbot files, which is the part causing the delay. Tested with this environment variable set and it starts immediately again.

<!-- gh-comment-id:3058924875 --> @Dankitymao commented on GitHub (Jul 10, 2025): As of June 9, 2025, an update to 30-ownership.sh now checks for the presence of an environment variable "SKIP_CERTBOT_OWNERSHIP"; if true, it skips the ownership settings for Certbot files, which is the part causing the delay. Tested with this environment variable set and it starts immediately again.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#2137

No description provided.