[GH-ISSUE #3324] SSL Internal Error on request a new SSL certificate #2238

Open
opened 2026-02-26 07:34:38 +03:00 by kerem · 74 comments
Owner

Originally created by @DaYroXy on GitHub (Nov 15, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3324

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
When trying to request a new SSL Certificate I get internal error
image

Nginx Proxy Manager Version
v2.10.4

To Reproduce
Steps to reproduce the behavior:

  1. Go to Hosts
  2. Click on Add Proxy Host
  3. Click on SSL
  4. SSL Certificate > Request a new SSL Certificate
  5. Save > Internal Error

Screenshots

Operating System
Ubuntu 20.04 - 64bit, running Portainer v2.19.2

Additional context
Cloudflare (NO PROXY):
A => dayroxy.online => ip
CNAME => * => dayroxy.online

```
2023-11-15 05:51:29,337:DEBUG:acme.client:Storing nonce: GEqhmX18EBYehAoQEeHOv-lemRWL1u8IRLnVc7o6fKR1jTTNhtU
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:Challenge failed for domain portainer.dayroxy.online
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:http-01 challenge for portainer.dayroxy.online
2023-11-15 05:51:29,338:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: portainer.dayroxy.online
Type: connection
Detail: 87.237.52.121: Fetching http://portainer.dayroxy.online/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk: Connection reset by peer

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-15 05:51:29,339:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-11-15 05:51:29,340:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in <module>
sys.exit(main())
File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1597, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-11-15 05:51:29,341:ERROR:certbot._internal.log:Some challenges have failed.
```
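A small parser for the failure block in the log above, added here as an example (it is not part of the original issue, of certbot or of Nginx Proxy Manager): it pulls out the domain, the ACME error type, the address the CA connected to and the URL it fetched, and attaches a hint per error type. `Finding`, `diagnose()` and the hint texts are hypothetical names and general guidance; `expected_ip` is an assumed parameter for comparing against your current public address.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Failure block copied from the certbot log in this issue.
SAMPLE_LOG = """\
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:Challenge failed for domain portainer.dayroxy.online
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:http-01 challenge for portainer.dayroxy.online
2023-11-15 05:51:29,338:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: portainer.dayroxy.online
Type: connection
Detail: 87.237.52.121: Fetching http://portainer.dayroxy.online/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk: Connection reset by peer
"""

# One "Domain / Type / Detail" triplet per failed authorization.
PROBLEM_RE = re.compile(
    r"^[ \t]*Domain:[ \t]*(?P<domain>\S+)[ \t]*\n"
    r"[ \t]*Type:[ \t]*(?P<type>\S+)[ \t]*\n"
    r"[ \t]*Detail:[ \t]*(?P<detail>.+)$",
    re.MULTILINE,
)

# General guidance per ACME error type (written for this example, not certbot output).
HINTS = {
    "connection": ("the CA could not complete the HTTP exchange: check that port "
                   "{port} is forwarded to the proxy and reachable from the internet"),
    "unauthorized": ("the CA reached a web server but got the wrong response: check "
                     "that /.well-known/acme-challenge/ is served from the webroot"),
    "dns": "the CA could not resolve the name: check the DNS records for the domain",
}


@dataclass
class Finding:
    domain: str
    error_type: str
    validated_ip: Optional[str]   # address the CA connected to, if reported
    url: Optional[str]            # challenge URL the CA tried to fetch
    port: Optional[int]           # port implied by that URL
    reason: str                   # trailing error text, e.g. "Connection reset by peer"
    hints: List[str] = field(default_factory=list)


def _parse_detail(detail: str):
    """Split an 'IP: Fetching URL: reason' style detail; every part is optional."""
    try:
        ip = str(ipaddress.ip_address(detail.partition(": ")[0]))
    except ValueError:
        ip = None  # e.g. DNS problems carry no address
    url_m = re.search(r"https?://\S+", detail)
    if not url_m:
        return ip, None, detail
    url = url_m.group(0).rstrip(":,")
    reason = detail[url_m.end():].strip(" :") or detail
    return ip, url, reason


def diagnose(log_text: str, expected_ip: Optional[str] = None) -> List[Finding]:
    """Return one Finding per problem the CA reported in a certbot log."""
    findings = []
    for m in PROBLEM_RE.finditer(log_text.replace("\r\n", "\n")):
        ip, url, reason = _parse_detail(m["detail"].strip())
        port = None
        if url:
            parts = urlsplit(url)
            port = parts.port or (443 if parts.scheme == "https" else 80)
        finding = Finding(m["domain"], m["type"], ip, url, port, reason)
        hint = HINTS.get(finding.error_type)
        if hint:
            finding.hints.append(hint.format(port=port or 80))
        # A mismatch means DNS still points somewhere else (stale DynDNS record).
        if expected_ip and ip and ipaddress.ip_address(ip) != ipaddress.ip_address(expected_ip):
            finding.hints.append(
                f"the CA connected to {ip}, not to the expected {expected_ip}: "
                "check that the DNS record points at the current public address")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f.domain}: {f.error_type} via {f.validated_ip}:{f.port} ({f.reason})")
        for h in f.hints:
            print("  -", h)
```

Run it against the certbot debug log from the container and pass your current public address as `expected_ip` to spot a record that still points elsewhere.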


@jucajuca commented on GitHub (Nov 15, 2023):

you can solve this issue by deactivating "Force SSL" OR by adding the following custom location which will catch the letsencrypt requests (basically redirect back to the nginx proxy):

@jc21 this is a common issue with letsencrypt. Could you automatically add the custom location if "Force SSL" is enabled? It seems that a lot of people are bothered by this issue. See for example: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/396

image

.


@DaYroXy commented on GitHub (Nov 15, 2023):

> you can solve this issue by deactivating "Force SSL" OR by adding the following custom location which will catch the letsencrypt requests (basically redirect back to the nginx proxy):
>
> @jc21 this is a common issue with letsencrypt. Could you automatically add the custom location if "Force SSL" is enabled? It seems that a lot of people are bothered by this issue. See for example: #396
>
> image
>
> .

Hello! Thanks for the answer. The error happens with or without Force SSL; I still get the same error. I also tried what you told me:
image

Hello,


@Gh0stExp10it commented on GitHub (Nov 16, 2023):

Same error on my site. Last time I registered a certificate was on the 11. Nov. - now it's not working for a new one anymore..


@PaulNdrei commented on GitHub (Nov 17, 2023):

In my case, I wanted to keep ports 80 and 443 open for my private network only, so then I got the same error, "Internal Error."
Then I opened the ports to be available on 0.0.0.0/0, and I tried again to generate the SSL certificate with a successful result.


@DaYroXy commented on GitHub (Nov 18, 2023):

> In my case, I wanted to keep ports 80 and 443 open for my private network only, so then I got the same error, "Internal Error."
>
> Then I opened the ports to be available on 0.0.0.0/0, and I tried again to generate the SSL certificate with a successful result.

Hello! Thanks for the reply, but sadly I also tried to even open all available ports, but sadly it didn't work


@wkobiela commented on GitHub (Nov 18, 2023):

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.


@DaYroXy commented on GitHub (Nov 19, 2023):

> Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do tho?


@Gh0stExp10it commented on GitHub (Nov 19, 2023):

> > Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.
>
> That's so weird, what can we do tho?

I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!


@DaYroXy commented on GitHub (Nov 19, 2023):

> > > Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.
> >
> > That's so weird, what can we do tho?
>
> I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, older version, nothing worked at all, which is really weird


@kpleines commented on GitHub (Nov 20, 2023):

Same issue and none of the workarounds worked for me.

Any suggestions?


@Gh0stExp10it commented on GitHub (Nov 20, 2023):

> > > > Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.
> > >
> > > That's so weird, what can we do tho?
> >
> > I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!
>
> The weird thing is that I even tried to reinstall the whole OS, Portainer, older version, nothing worked at all, which is really weird

Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.


@wkobiela commented on GitHub (Nov 20, 2023):

Weird, but you are right. I checked my router settings - port 80 open. Used https://portchecker.co/check-it to verify - closed. Removed settings, set up port forwarding once again and verified -> port open.

NPM worked and renewed all my certificates.


@DaYroXy commented on GitHub (Nov 20, 2023):

> > > > > Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.
> > > >
> > > > That's so weird, what can we do tho?
> > >
> > > I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!
> >
> > The weird thing is that I even tried to reinstall the whole OS, Portainer, older version, nothing worked at all, which is really weird
>
> Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah I got the hello page, port 80, 81, 443 are open with a few more but no luck according to the error:
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

I think it's something with certbot command


@jsbrain commented on GitHub (Nov 20, 2023):

Adding `network_mode: host` in the `docker-compose.yml` fixed it for me.


@Gh0stExp10it commented on GitHub (Nov 22, 2023):

> > > > > > Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.
> > > > >
> > > > > That's so weird, what can we do tho?
> > > >
> > > > I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!
> > >
> > > The weird thing is that I even tried to reinstall the whole OS, Portainer, older version, nothing worked at all, which is really weird
> >
> > Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.
>
> Yeah I got the hello page, port 80, 81, 443 are open with a few more but no luck according to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
>
> I think it's something with certbot command

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a portainer instance, which already wants to listen on a secure ssl connection for example.
And another idea: Did you also check your public domain (or dynDNS address), if also the landing page showed up (regarding the ip updates)?


@DaYroXy commented on GitHub (Nov 23, 2023):

> > > > > > > Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.
> > > > > >
> > > > > > That's so weird, what can we do tho?
> > > > >
> > > > > I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!
> > > >
> > > > The weird thing is that I even tried to reinstall the whole OS, Portainer, older version, nothing worked at all, which is really weird
> > >
> > > Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.
> >
> > Yeah I got the hello page, port 80, 81, 443 are open with a few more but no luck according to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
> > I think it's something with certbot command
>
> Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a portainer instance, which already wants to listen on a secure ssl connection for example. And another idea: Did you also check your public domain (or dynDNS address), if also the landing page showed up (regarding the ip updates)?

Hi! I tried for multiple domains such as portainer. jelly. nginx. some https some no or even the main domain, nothing worked. And for my public domain, yeah I'm using DNS only without proxy, it's taking me to the correct pages as well as loading the webpages for the correct configuration, so it's working, but only the SSL is not, for any domain / subdomain


@simowNgithub commented on GitHub (Nov 25, 2023):

Very strange... after reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest then the same error appears 😁 I'm very confused now....

But I think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...


@Gh0stExp10it commented on GitHub (Nov 27, 2023):

> Very strange... after reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest then the same error appears 😁 I'm very confused now....
>
> But I think it belongs to my specific proxy host configurations.
>
> I will test, but then the solution was: port 81 must be open on your router/firewall...

Glad that a reset helped. However, port 81 does not need to be accessible from outside, as this is only used for the dashboard. The certificate should be validated via port 80.


@Gh0stExp10it commented on GitHub (Nov 27, 2023):

> > > > > > > > Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.
> > > > > > >
> > > > > > > thats so weird what can we do tho?
> > > > > >
> > > > > > I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!
> > > > >
> > > > > The weird thing is that i even tried to reinstall the whole os, portainer, older version nothing worked at all which is really weird
> > > >
> > > > Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.
> > >
> > > Yeah i got the hello page, port 80, 81, 443 are open with a few more but no luck according to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
> > > i think its something with certbot command
> >
> > Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a portainer instance, which already wants to listen on a secure ssl connection for example. And another idea: Did you also checked your public domain (or dynDNS address), if also the landing page showed up (regarding the ip updates)?
>
> Hi! i tried for multiple domains such as portainer. jelly. nginx. some https some no or even the main domain nothing worked and for my public domain yeah im using DNS only without proxy its taking me to the correct pages as well as loading the webpages for the correct configuration so its working but only the SSL is not for any domain / subdomain

Are you also sure that the DynDNS updates are working correctly? That would be the only explanation I can think of for it not being accessible after all the configurations.


@zemise commented on GitHub (Nov 27, 2023):

> `network_mode: host`
>
> Adding `network_mode: host` in the `docker-compose.yml` fixed it for me.

thx, this also fixed it for me, but when I try, maybe you also need to ensure that ports 80, 81, and 443 belong to NPM


@simowNgithub commented on GitHub (Nov 27, 2023):

> > Very strange... after reading your comments i reset the ports on my firewall with 80, 443 and 81... Afterwards i was able to create two of four certificates. For the rest then the same error appears 😁 I'm very confused now....
> > But i think it belongs to my specific proxy host configurations.
> > I will test, but then the solution was: port 81 must be open on your router/firewall...
>
> Glad that a reset helped. However, port 81 does not need to be accessible from outside, as this is only used for the dashboard. The certificate should be validated via port 80.

Then it is stranger than strange 🤣 Because this was the only change (open port 81). After that it works. Before only port 80 and 443 were opened and i was able to create the certificates x months before.


@EinToni commented on GitHub (Dec 4, 2023):

> Very strange... after reading your comments i reset the ports on my firewall with 80, 443 and 81... Afterwards i was able to create two of four certificates. For the rest then the same error appears 😁 I'm very confused now....
>
> But i think it belongs to my specific proxy host configurations.
>
> I will test, but then the solution was: port 81 must be open on your router/firewall...

I really don't understand, but I can confirm that exposing port 81 indeed solved the issue....
I normally only have 443 exposed, now I also exposed 80 but that didn't help. After also exposing 81 I was able to renew all certs and create one new cert 😄 All without issues.
Afterwards I quickly closed 80 and 81 again and everything is good 👍🏻 Although I really don't understand why exposing 81 fixed that.


@danny3n1tech commented on GitHub (Jan 22, 2024):

I have tried everything listed above and still having the issue.


@Beat2er commented on GitHub (Jan 27, 2024):

A little bit out of context, but the reason it failed for me was the new software firewall, which had rules based on countries (everything worked from my devices). I didn't notice since renewal is only every 60 days (I guess). Maybe check access from different hosts and packet captures, this is how I got further.


@Silversurfer79 commented on GitHub (Feb 20, 2024):

> Adding `network_mode: host` in the `docker-compose.yml` fixed it for me.

I have been struggling with this for weeks now and this fixed it for me.

In Portainer go to Containers -> on the Container -> click Exec Console (looks like this >_ ) -> Connect -> Paste "curl -vvvv -I -L -k --tlsv1.2 https://google.com/" and Enter in the console. If you get a failure your DNS is not resolving and this is your problem, add "network_mode: host" to your compose file. See a copy of my compose below.

A little side note, my certs now auto renew for the first time ;-)

```yaml
version: "3.8"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    container_name: Nginx_PMA
    restart: always
    ports:
      - '81:80'
      - '8443:443'
      - '82:81'
    volumes:
      - /home/pi/nginx/data:/data
      - /home/pi/nginx/letsencrypt:/etc/letsencrypt
    depends_on:
      - db

  db:
    image: jc21/mariadb-aria:latest
    container_name: Nginx_PMDB
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: 'Password_Here'
      MYSQL_DATABASE: 'Nginx_DB'
      MYSQL_USER: 'Nginx_Admin_Here'
      MYSQL_PASSWORD: 'Admin_Password_Here'
    volumes:
      - /home/pi/nginx/data/mysql:/var/lib/mysql

    network_mode: host
```

@tr1p0p commented on GitHub (Mar 11, 2024):

Still got this issue. Kind of annoying you're just... Stuck... SSL so easy ! (no)


```
CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: alchimia.ink, retry after 2024-03-12T17:30:31Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1105:16)
    at Socket. (node:internal/child_process:457:11)
    at Socket.emit (node:events:518:28)
    at Pipe. (node:net:337:12)
```

@firefox7518 commented on GitHub (Mar 22, 2024):

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.


@Silversurfer79 commented on GitHub (Mar 22, 2024):

> I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host" to the bottom of the stack, allows auto renew of the certs in the last 30 days.


@Silversurfer79 commented on GitHub (Mar 22, 2024):

> Still got this issue. Kind of annoying you're just... Stuck... SSL so easy ! (no)
>
> ```
> CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
> An unexpected error occurred:
> Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: alchimia.ink, retry after 2024-03-12T17:30:31Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
> Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
>
>     at /app/lib/utils.js:16:13
>     at ChildProcess.exithandler (node:child_process:430:5)
>     at ChildProcess.emit (node:events:518:28)
>     at maybeClose (node:internal/child_process:1105:16)
>     at Socket. (node:internal/child_process:457:11)
>     at Socket.emit (node:events:518:28)
>     at Pipe. (node:net:337:12)
> ```

Your issue is that you have requested too many certs for the domain already, you must read the Let's Encrypt terms, there is a limit of certs you can request per month/day I guess.

Your issue has nothing to do with ssl renewals.
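
The failures reported in this thread fall into different classes (an http-01 validation that cannot connect, and the duplicate-certificate rate limit quoted above), and each needs a different fix. The following is an added example, not code from the thread or from Nginx Proxy Manager, that parses Certbot output to tell them apart; the cause labels, the advice strings and the http-01 sample (documentation domain and IP, made-up token) are assumptions of this example.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Rate-limit error as quoted in the thread above.
RATE_LIMIT_SAMPLE = (
    "An unexpected error occurred:\n"
    "Error creating new order :: too many certificates (5) already issued "
    "for this exact set of domains in the last 168 hours: alchimia.ink, "
    "retry after 2024-03-12T17:30:31Z: see "
    "https://letsencrypt.org/docs/duplicate-certificate-limit/\n"
)

# Constructed http-01 failure (documentation domain and IP, made-up token).
HTTP01_SAMPLE = (
    "Certbot failed to authenticate some domains (authenticator: webroot). "
    "The Certificate Authority reported these problems:\n"
    "  Domain: app.example.com\n"
    "  Type:   connection\n"
    "  Detail: 203.0.113.10: Fetching http://app.example.com/.well-known/"
    "acme-challenge/CONSTRUCTED_TOKEN: Connection reset by peer\n"
)

RATE_RE = re.compile(
    r"too many certificates \((?P<count>\d+)\) already issued for this exact "
    r"set of domains in the last (?P<hours>\d+) hours: (?P<domains>.+?), "
    r"retry after (?P<retry>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)"
)
PROBLEM_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+Type:\s*(?P<type>\S+)\s+Detail:\s*(?P<detail>.+)"
)
FETCH_RE = re.compile(
    r"(?P<ip>[0-9A-Fa-f:.]+): Fetching (?P<url>https?://\S+): (?P<reason>.+)"
)

# ACME problem type -> cause label (the labels are this example's own).
CAUSE_BY_TYPE = {
    "connection": "port80_unreachable",
    "dns": "dns_lookup_failed",
    "unauthorized": "challenge_file_not_served",
}

ADVICE = {
    "rate_limited": "Stop retrying and wait until retry_after.",
    "port80_unreachable": "The CA could not connect to the validation port; "
                          "check port forwarding, NAT and country-based "
                          "firewall rules for that port and address.",
    "dns_lookup_failed": "The CA could not resolve the name; check the "
                         "DNS or DynDNS record.",
    "challenge_file_not_served": "A server answered but did not return the "
                                 "challenge file; check which host the "
                                 "request actually reaches.",
    "other": "Read the full Certbot log for this domain.",
}


def triage(text, now=None):
    """Return one finding dict per problem found in Certbot output."""
    now = now or datetime.now(timezone.utc)
    findings = []

    rate = RATE_RE.search(text)
    if rate:
        retry = datetime.strptime(
            rate["retry"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        findings.append({
            "cause": "rate_limited",
            "domains": [d.strip() for d in rate["domains"].split(",")],
            "issued": int(rate["count"]),
            "window_hours": int(rate["hours"]),
            "retry_after": retry,
            # Never negative: 0 means the window has already passed.
            "wait_seconds": max(0, int((retry - now).total_seconds())),
        })

    for problem in PROBLEM_RE.finditer(text):
        finding = {
            "cause": CAUSE_BY_TYPE.get(problem["type"], "other"),
            "domain": problem["domain"],
            "acme_type": problem["type"],
        }
        fetch = FETCH_RE.search(problem["detail"])
        if fetch:
            url = urlsplit(fetch["url"])
            default_port = 443 if url.scheme == "https" else 80
            finding.update(
                ip=fetch["ip"],                    # address the CA connected to
                port=url.port or default_port,     # port the CA actually used
                reason=fetch["reason"].strip(),
            )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for sample in (RATE_LIMIT_SAMPLE, HTTP01_SAMPLE):
        for finding in triage(sample):
            print(finding["cause"], "-", ADVICE[finding["cause"]])
```

The `ip` and `port` fields show where the CA actually connected, which is what to compare against the current public address and the forwarded ports.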


@firefox7518 commented on GitHub (Mar 22, 2024):

> > I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.
>
> If you read my reply, simply adding "network_mode: host" to the bottom of the stack, allows auto renew of the certs in the last 30 days.

Well I tried that and now I cannot login anymore!!!!
Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking up it seems that dozens of others also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....


@Gh0stExp10it commented on GitHub (Mar 22, 2024):

> > > I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.
> >
> > If you read my reply, simply adding "network_mode: host" to the bottom of the stack, allows auto renew of the certs in the last 30 days.
>
> Well I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking up it seems that dozens of others also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

I've got some problems like this back in the days. Try to backup your proxy_host configs (your-local-npm-data/nginx/proxy_host/), for example `1.conf` `2.conf`. After backup/copying your files, delete them and restart your npm container. It will rebuild these configs. Hope that helps.


@Silversurfer79 commented on GitHub (Mar 22, 2024):

> > > I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.
> >
> > If you read my reply, simply adding "network_mode: host" to the bottom of the stack, allows auto renew of the certs in the last 30 days.
>
> Well I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking up it seems that dozens of others also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

What do your logs show?


@firefox7518 commented on GitHub (Mar 23, 2024):

> > > > I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.
> > >
> > > If you read my reply, simply adding "network_mode: host" to the bottom of the stack, allows auto renew of the certs in the last 30 days.
> >
> > Well I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking up it seems that dozens of others also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....
>
> I've got some problems like this back in the days. Try to backup your proxy_host configs (your-local-npm-data/nginx/proxy_host/), for example `1.conf` `2.conf`. After backup/copying your files, delete them and restart your npm container. It will rebuild these configs. Hope that helps.

I tried your way. Deleted the conf files, restarted the container. It did NOT recreate the files. I had to go into each config and click save and it created a new file. However, this did not solve anything. Still not able to renew certificate. I reverted also back to my last running version so that I can login.
I've added so far "network_mode:host" to the container, did not resolve it. I also do not have any issues pinging outside world like google.com or dns servers. 31 Websites with multiple domains and subdomains are running fine and certs were renewing flawlessly for more than a year without an issue. And now suddenly it stopped and shows constantly "internal error". I tried to find anything in the log files but to be honest in all lets encrypt related log files they are 0 bytes, empty. Where can I activate a more verbose log?

So many people have issues with that, not good, really not good


@istoppedcaringat30 commented on GitHub (Mar 29, 2024):

Just wanted to add that my fix was to allow port 80 to NPM on my router. I must have blocked it at some point.


@smibrandon commented on GitHub (Apr 1, 2024):

I found a fix for my issue: allocating more storage space.

Running NPM in a Proxmox CT (no docker at all), and happened to catch that it was at 96% of its storage. I gave it some extra, and boom. Worked!


@kautsaridris commented on GitHub (Apr 6, 2024):

I have the same issue, then I traced the cause, and I found my provider blocks my IP for incoming connections from other countries to my server; connections are allowed only from my country (that is because my server IP comes from my Government). So when I opened a ticket to allow incoming connections for all, the "Internal Error" was fixed,
so maybe this is one more thing to try to fix your problem


@jclsn commented on GitHub (Apr 10, 2024):

Same issue here. I realized that this works with DuckDNS domains, but not with the one configured in my router. I grew tired of DuckDNS not working often, so I bought an official Strato domain, which I configured with DynDNS in my Fritz.Box. I could successfully create a proxy and request a certificate for the main domain, but not for the subdomains.


@TasteOfChaoZ commented on GitHub (Apr 26, 2024):

Same issue. Stupid me. I disabled NAT-Rule for Port 80 forwarding to my nginx, for whatever reason ....

@timursevimli commented on GitHub (Apr 30, 2024):

this resource helped me solve the problem: https://medium.com/@life-is-short-so-enjoy-it/homelab-nginx-proxy-manager-setup-ssl-certificate-with-domain-name-in-cloudflare-dns-732af64ddc0b

@ryuzaki09 commented on GitHub (May 6, 2024):

i opened the port 80 to my NPM temporarily to request the new certificate, it worked and then I closed the port again.


@TailoredITRob commented on GitHub (May 27, 2024):

> Adding `network_mode: host` in the `docker-compose.yml` fixed it for me.

This is *not* an option. Using network_mode set to host will expose all ports to the open world. It also forces you to do the same with any other related containers or they can no longer communicate.


@JoeZUM commented on GitHub (Jul 6, 2024):

I have the same problem. Is there any progress on this issue?


@Silversurfer79 commented on GitHub (Jul 7, 2024):

> I have the same problem. Is there any progress on this issue?

I have come to realise that 99% of certificate renewal issues are firewall blocking ports. I would check and recheck that ports are open. I did have my ports being blocked.

My working docker compose file, good luck!

```
version: "3"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    container_name: Nginx_Proxy_Manager
    restart: always
    ports:
      - '82:80'           # Public HTTP Port:
      - '4433:443'        # Public HTTPS Port:
      - '81:81'           # Admin Web Port:
    networks:
      default:
        ipv4_address: 10.10.10.3
    volumes:
      - /URPATH/docker/nginxmanager/config.json:/app/config/production.json
      - /URPATH/docker/nginxmanager/data:/data
      - /URPATH/docker/nginxmanager/letsencrypt:/etc/letsencrypt
    depends_on:
      - db
  db:
    image: jc21/mariadb-aria:latest
    container_name: Nginx_Proxy_Manager_DB
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: 'xxxxxxxxxxxxxxxxx'
      MYSQL_DATABASE: 'Nginx_DB'
      MYSQL_USER: 'xxxxxxxxxxxxxxxxxx'
      MYSQL_PASSWORD: 'xxxxxxxxxxxxxxxxx'
    networks:
      default:
        ipv4_address: 10.10.10.2
    volumes:
      - /URPATH/docker/nginxmanager/sql:/var/lib/mysql

networks:
  default:
    external:
      name: dockernet default
```

I can renew my certs at any point now, though they auto renew 30 days before expiring.


@Wav3y commented on GitHub (Jul 15, 2024):

NPM is not particularly helpful in telling you what the specific issue is other than "Internal Error" which could mean a magnitude of things so everyone should start by inspecting their container logs.

First of all, if you're using Namecheap, make sure your IP is whitelisted.

My issue probably stemmed from a manual move of my container from one host to another (I think) as it related to some broken symlinks.

I use Portainer so used that to inspect my logs but obviously there are other ways to inspect logs.

The logs showed a parse failure `0 renew failure(s), 1 parse failure(s)`

I SSH'd into the container `docker exec -it <container_id_or_name> /bin/bash`

Double checked Certbot logs

```
cd /tmp/letsencrypt-log
cat letsencrypt.log
```

Double checked letsencrypt config.

```
cat /etc/letsencrypt.ini
```

Manually ran the renewal inside the container

```
certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew -v
```

Terminal showed this error:

```
Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Skipping.
```

So I went in and repaired the sym links as config files were not pointing to any symlinks as it should've been. Here's what I ran to repair:

```
cd /etc/letsencrypt/live/npm-2
rm cert.pem chain.pem fullchain.pem privkey.pem
ln -s /etc/letsencrypt/archive/npm-2/cert1.pem cert.pem
ln -s /etc/letsencrypt/archive/npm-2/chain1.pem chain.pem
ln -s /etc/letsencrypt/archive/npm-2/fullchain1.pem fullchain.pem
ln -s /etc/letsencrypt/archive/npm-2/privkey1.pem privkey.pem
```

Then either run renewal on NPM GUI or directly on terminal:

```
certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew -v
```

Stuck? Use ChatGPT. That's how I fixed my problem because I'm not in IT.
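
Added example, not part of the comment above and not NPM or certbot code: a read-only audit of the `live/<name>` symlinks that the repair above recreates. It assumes certbot's usual layout, where the four `live` entries are relative links into `archive/<name>/`, and that the highest complete numbered set in the archive is the one to link (after renewals that is no longer `1`); the function names and the constructed test tree are hypothetical.

```shell
#!/bin/sh
# Added example: audit a certbot lineage's live/ symlinks without changing them.
# It only prints the ln commands a repair would need.

LINEAGE_FILES="cert chain fullchain privkey"

# Print the highest N for which certN, chainN, fullchainN and privkeyN all exist.
# Returns 1 when the archive holds no complete set.
newest_complete_version() {
    archive_dir=$1
    best=0
    for f in "$archive_dir"/cert*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/cert}
        n=${n%.pem}
        case $n in '' | *[!0-9]*) continue ;; esac
        complete=1
        for kind in $LINEAGE_FILES; do
            [ -f "$archive_dir/$kind$n.pem" ] || complete=0
        done
        if [ "$complete" -eq 1 ] && [ "$n" -gt "$best" ]; then
            best=$n
        fi
    done
    [ "$best" -gt 0 ] || return 1
    echo "$best"
}

# Classify one live/ entry: ok | stale | dangling | not-symlink | missing.
# $2 is the archive file name the link is expected to end in, e.g. cert2.pem.
link_state() {
    path=$1
    want=$2
    if [ -L "$path" ]; then
        if [ ! -e "$path" ]; then
            echo dangling
        elif [ "$(basename "$(readlink "$path")")" != "$want" ]; then
            echo stale
        else
            echo ok
        fi
    elif [ -e "$path" ]; then
        echo not-symlink      # the state behind "expected ... to be a symlink"
    else
        echo missing
    fi
}

# Report every entry of <config_dir>/live/<name>.
# Returns 0 if all are healthy, 1 if any needs repair, 2 if the archive is unusable.
audit_lineage() {
    config_dir=$1
    name=$2
    live_dir=$config_dir/live/$name
    archive_dir=$config_dir/archive/$name
    version=$(newest_complete_version "$archive_dir") || {
        echo "no complete certificate set in $archive_dir" >&2
        return 2
    }
    result=0
    for kind in $LINEAGE_FILES; do
        state=$(link_state "$live_dir/$kind.pem" "$kind$version.pem")
        echo "$kind.pem: $state"
        if [ "$state" != ok ]; then
            result=1
            echo "  would run: ln -sfn ../../archive/$name/$kind$version.pem $live_dir/$kind.pem"
        fi
    done
    return "$result"
}

# Constructed sample: a lineage renewed once (versions 1 and 2) whose live/
# directory was damaged by copying it between hosts.
make_constructed_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/archive/npm-2" "$root/live/npm-2"
    for kind in $LINEAGE_FILES; do
        : > "$root/archive/npm-2/${kind}1.pem"
        : > "$root/archive/npm-2/${kind}2.pem"
    done
    cp "$root/archive/npm-2/cert2.pem" "$root/live/npm-2/cert.pem"            # plain copy
    ln -s ../../archive/npm-2/chain9.pem "$root/live/npm-2/chain.pem"         # dangling
    ln -s ../../archive/npm-2/fullchain1.pem "$root/live/npm-2/fullchain.pem" # old version
    ln -s ../../archive/npm-2/privkey2.pem "$root/live/npm-2/privkey.pem"     # healthy
    echo "$root"
}

# Demo on the constructed tree. Inside the container the call would be:
#   audit_lineage /etc/letsencrypt npm-2
demo_root=$(make_constructed_tree) || exit 1
audit_lineage "$demo_root" npm-2 || echo "audit exit status: $?"
rm -rf "$demo_root"
```

Back up any `not-symlink` file before replacing it, since it may be the only copy of that certificate or key.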


@flow96 commented on GitHub (Jul 27, 2024):

It seems that certbot mostly uses IPv6 to verify domains, therefore maybe recheck your DNS settings.

I had the same problem and found the error in my DNS settings.
I originally updated the DNS entries to point to my server on IPv4 but forgot about IPv6.
So after replacing the AAAA entry with the IPv6 of my server it works again 🎉


@pablomujica commented on GitHub (Aug 6, 2024):

In my case using Cloudflare, updating the package in the server fixed it:

```shell
pip install --upgrade cloudflare==2.19.*
```

@sarequl commented on GitHub (Aug 29, 2024):

> In my case using Cloudflare, updating the package in the server fixed it:
>
> ```shell
> pip install --upgrade cloudflare==2.19.*
> ```

It worked for me. thanks


@andsim commented on GitHub (Sep 3, 2024):

here my issues

```
2024-09-03 15:21:48,841:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-09-03 15:21:48,842:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2024-09-03 15:21:48,842:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-4', '--agree-tos', '--authenticator', 'webroot', '--email', 'andsim2@gmail.com', '--preferred-challenges', 'dns,http', '--domains', 'anskygrid.ca,www.anskygrid.ca']
2024-09-03 15:21:48,842:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-09-03 15:21:48,856:DEBUG:certbot._internal.log:Root logging level set at 30
2024-09-03 15:21:48,857:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2024-09-03 15:21:48,857:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7165da4951d0>
Prep: True
2024-09-03 15:21:48,857:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7165da4951d0> and installer None
2024-09-03 15:21:48,857:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2024-09-03 15:21:48,908:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-09-03 15:21:48,910:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-09-03 15:21:48,949:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 467, in _make_request
    self._validate_conn(conn)
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1099, in _validate_conn
    conn.connect()
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connection.py", line 653, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connection.py", line 806, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
               ^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 465, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 509, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 1075, in _create
    self.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 793, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 491, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/requests/adapters.py", line 667, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 847, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/util/retry.py", line 515, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1582, in certonly
    le_client = _init_le_client(config, auth, installer)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 833, in _init_le_client
    acc, acme = _determine_account(config)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 741, in _determine_account
    acc, acme = client.register(
                ^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 207, in register
    acme = acme_from_config_key(config, key)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
    directory = acme_client.ClientV2.get_directory(config.server, net)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 330, in get_directory
    return messages.Directory.from_json(net.get(url).json())
                                        ^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 705, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 647, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)')))
2024-09-03 15:21:48,955:ERROR:certbot._internal.log:An unexpected error occurred:
2024-09-03 15:21:48,956:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)')))
```

@andsim commented on GitHub (Sep 3, 2024):

i think is web address issues
acme-v02.api.letsencrypt.org
when i try in browser and get
ERR_ADDRESS_INVALID


@andsim commented on GitHub (Sep 4, 2024):

image
look at last line


@andsim commented on GitHub (Sep 4, 2024):

i bet everyone have this same issues


@andsim commented on GitHub (Sep 4, 2024):

ok what npm ip use?

```
"hostname": "andsimgaming.ca",
"port": "80",
"addressesResolved": [
"192.124.249.15"
],
"addressUsed": "192.124.249.15"
```

not properly resolve


@rulatir commented on GitHub (Sep 11, 2024):

> > Adding `network_mode: host` in the `docker-compose.yml` fixed it for me.
>
> I have been struggling with this for weeks now and this fixed it for me.
>
> In Portainer go to Containers -> on the Container -> click Exec Console (looks like this >_ ) -> Connect -> Paste "curl -vvvv -I -L -k --tlsv1.2 https://google.com/" and Enter in the console. If you get a failure your DNS is not resolving and this is your problem, add "network_mode: host`" to your compose file. See a copy of my compose below.
>
> A little side note, my certs now auto renew for the first time ;-)
>
> `version: "3.8" services: app: image: jc21/nginx-proxy-manager:latest container_name: Nginx_PMA restart: always ports: - '81:80' - '8443:443' - '82:81' volumes: - /home/pi/nginx/data:/data - /home/pi/nginx/letsencrypt:/etc/letsencrypt depends_on: - db
>
> db: image: jc21/mariadb-aria:latest container_name: Nginx_PMDB restart: always environment: MYSQL_ROOT_PASSWORD: 'Password_Here' MYSQL_DATABASE: 'Nginx_DB' MYSQL_USER: 'Nginx_Admin_Here' MYSQL_PASSWORD: 'Admin_Password_Here' volumes: - /home/pi/nginx/data/mysql:/var/lib/mysql
>
> network_mode: host`

How can this possibly work for anyone? It causes `Published ports are discarded when using host network mode`, and unsurprisingly, the nginx-proxy-manager app is no longer even reachable from the internet. Instead of fixing the issue, it makes nginx-proxy-manager stop working completely.


@andsim commented on GitHub (Sep 17, 2024):

all my domain is link to x.x.137.119
image


@andsim commented on GitHub (Sep 17, 2024):

some of my domain is working but some is broken due of bug


@jimclark commented on GitHub (Dec 1, 2024):

> Weird, but you are right. I checked my router settings - port 80 open. Used https://portchecker.co/check-it to verify - closed. Removed settings, setup port forwarding once again and verified -> port open.
>
> NPM worked and renewed all my certificates.

In case someone else stumbles on this issue later (as I did), my problem and cure was similar. In my case, I was migrating NPM from one computer to another, and while I had edited and saved the entries in my router's port forwarding settings, I had to then "apply settings" at the top of the page. Then I could request the certificate, and it all worked happily ever after!


@rogercreagh commented on GitHub (Jan 3, 2025):

> It seems that certbot mostly uses IPv6 to verify domains, therefore maybe recheck your DNS settings.
>
> I had the same problem and found the error in my DNS settings. I originally updated the DNS entries to point to my server on IPv4 but forgot about IPv6. So after replacing the AAAA entry with the IPv6 of my server it works again 🎉

Yay. Thank you. Exactly the same problem here - tried a few earlier suggestions to no avail before getting down to this one (should have started reading from the end!)


@Emelix123 commented on GitHub (Jan 6, 2025):

Hey Guys,
I think I found a solution.

The problem is that normally you forward port 443 because you want to use HTTPS. However, Let's Encrypt cannot find a website that way. The solution is to temporarily open port 80 for a few minutes to create a new certificate. After the certificate is created, you can close port 80, and everything should work fine.

Here are the steps:

  1. Open port 80.
  2. Test the connection to your server, which you already configured in NPM when adding an SSL certificate.
  3. Add the SSL certificate.
  4. Assign the SSL certificate to your Proxy Host in NPM.
  5. Close port 80 (only port 443 should remain open).

Let me know if this works for you!


@Silversurfer79 commented on GitHub (Jan 6, 2025):

Hey, that's the default requirement for all Let's Encrypt cert issuing and renewal.

On Mon, 06 Jan 2025, 11:09 Emelix123, @.***> wrote:

> Hey Guys,
> I think I found a solution.
>
> The problem is that normally you forward port 443 because you want to use HTTPS. However, Let's Encrypt cannot find a website that way. The solution is to temporarily open port 80 for a few minutes to create a new certificate. After the certificate is created, you can close port 80, and everything should work fine.
>
> Here are the steps:
>
>   1. Open port 80.
>   2. Test the connection to your server, which you already configured in NPM when adding an SSL certificate.
>   3. Add the SSL certificate.
>   4. Assign the SSL certificate to your Proxy Host in NPM.
>   5. Close port 80 (only port 443 should remain open).
>
> Let me know if this works for you!



@groths89 commented on GitHub (Jan 14, 2025):

Internal Error can also be caused by incorrect DNS setup. Check that the subdomain you want to add into Nginx Proxy Manager is pointing to the Nginx Proxy Manager Server's IP address. Then point the Destination in NPM to the IP address of the application's server. If the application is on a different server of course. That was my issue anyway. This comment might solve the issue for some, not all.
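
The causes reported in the comments above (port 80 not forwarded, a stale AAAA record, a record that points at the wrong host) can all be checked before requesting a certificate. The following is an added example, not part of the thread or of Nginx Proxy Manager; the function names and the sample domains and addresses (documentation ranges) are constructed for illustration.

```python
"""HTTP-01 pre-flight check (added example; names and sample data are constructed)."""
import ipaddress
import socket


def resolve_all(domain):
    """Return every A/AAAA address the system resolver reports for domain."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port_open(address, port=80, timeout=5.0):
    """True if a TCP connection to address:port succeeds.

    Run this from a host outside your own network: a probe from the LAN
    does not show whether the router forwards the port from the WAN side.
    """
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(domain, expected_ips, resolve=resolve_all, probe=port_open):
    """Return (severity, message) findings for one domain.

    expected_ips are the public IPv4/IPv6 addresses of the proxy host.
    Every record is checked, because a single stale AAAA record is enough
    to send the validation request to the wrong machine.
    """
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    addresses = [ipaddress.ip_address(a) for a in resolve(domain)]
    if not addresses:
        return [("error", f"{domain}: no A or AAAA record resolves")]
    findings = []
    for addr in addresses:
        record = "AAAA" if addr.version == 6 else "A"
        if addr not in expected:
            findings.append(
                ("error", f"{domain}: {record} record {addr} does not point at the proxy host"))
        elif not probe(str(addr), 80):
            findings.append(
                ("error", f"{domain}: port 80 is not reachable on {addr}"))
    return findings or [
        ("ok", f"{domain}: all records point at the proxy host and port 80 answers")]


# Constructed cases so the demo runs offline:
# (domain, addresses DNS returns, proxy host addresses, addresses with port 80 open)
SAMPLE_CASES = [
    ("ok.example", ["203.0.113.10"], ["203.0.113.10"], {"203.0.113.10"}),
    ("stale-aaaa.example", ["203.0.113.10", "2001:db8::dead"],
     ["203.0.113.10", "2001:db8::10"], {"203.0.113.10"}),
    ("closed80.example", ["203.0.113.10"], ["203.0.113.10"], set()),
    ("wrong-host.example", ["198.51.100.7"], ["203.0.113.10"], {"203.0.113.10"}),
]


def demo():
    """Run preflight() over the constructed cases with fake DNS and probes."""
    results = {}
    for domain, dns, host_ips, open80 in SAMPLE_CASES:
        results[domain] = preflight(
            domain, host_ips,
            resolve=lambda _d, dns=dns: dns,
            probe=lambda addr, _port, open80=open80: addr in open80)
    return results


if __name__ == "__main__":
    for domain, findings in demo().items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

For a real check, call `preflight("your.domain", ["<public IPv4>", "<public IPv6>"])` with the default resolver and probe.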


@xlyralycanx commented on GitHub (Feb 10, 2025):

I solved this by changing Settings ⟩ Default Site. I had custom HTML set to display, when reverting the setting to another, in my case '404 page', the certification completed immediately after.


@thezepter commented on GitHub (Feb 28, 2025):

> I solved this by changing Settings ⟩ Default Site. I had custom HTML set to display, when reverting the setting to another, in my case '404 page', the certification completed immediately after.

That works. Thanks!


@konies commented on GitHub (Mar 15, 2025):

I also had this error. I entered the shell and saw that it was missing the six module, so I just had to install it with: pip install six.


@theking2 commented on GitHub (Mar 30, 2025):

> Hey Guys, I think I found a solution.
>
> The problem is that normally you forward port 443 because you want to use HTTPS. However, Let's Encrypt cannot find a website that way. The solution is to temporarily open port 80 for a few minutes to create a new certificate. After the certificate is created, you can close port 80, and everything should work fine.
>
> Here are the steps:
>
> 1. Open port 80.
> 2. Test the connection to your server, which you already configured in NPM when adding an SSL certificate.
> 3. Add the SSL certificate.
> 4. Assign the SSL certificate to your Proxy Host in NPM.
> 5. Close port 80 (only port 443 should remain open).
>
> Let me know if this works for you!

But if I would open or NAT port 80 and 443 on my router I would not be able to connect to the router webgui anymore would I?

No, it wouldn't. Only the WAN side of the router is affected; you'll still be able to log on from the LAN side.


@ryuzaki09 commented on GitHub (Mar 31, 2025):

> Hey Guys, I think I found a solution.
>
> The problem is that normally you forward port 443 because you want to use HTTPS. However, Let's Encrypt cannot find a website that way. The solution is to temporarily open port 80 for a few minutes to create a new certificate. After the certificate is created, you can close port 80, and everything should work fine.
>
> Here are the steps:
>
>   1. Open port 80.
>   2. Test the connection to your server, which you already configured in NPM when adding an SSL certificate.
>   3. Add the SSL certificate.
>   4. Assign the SSL certificate to your Proxy Host in NPM.
>   5. Close port 80 (only port 443 should remain open).
>
> Let me know if this works for you!

this is the same method I use and it works for me too.


@Silversurfer79 commented on GitHub (Mar 31, 2025):

The issue is then you have to open port 80 every 2 months so the certs can renew. I leave the ports 80 and 443 open and just have an IPS/IDS firewall and make sure the backend is on a different VLAN, not on the same network as your home.

On Mon, 31 Mar 2025, 10:40 ryuzaki09, @.***> wrote:

> > Hey Guys, I think I found a solution.
> >
> > The problem is that normally you forward port 443 because you want to use HTTPS. However, Let's Encrypt cannot find a website that way. The solution is to temporarily open port 80 for a few minutes to create a new certificate. After the certificate is created, you can close port 80, and everything should work fine.
> >
> > Here are the steps:
> >
> >   1. Open port 80.
> >   2. Test the connection to your server, which you already configured in NPM when adding an SSL certificate.
> >   3. Add the SSL certificate.
> >   4. Assign the SSL certificate to your Proxy Host in NPM.
> >   5. Close port 80 (only port 443 should remain open).
> >
> > Let me know if this works for you!
>
> this is the same method I use and it works for me too.


@rindev0901 commented on GitHub (May 3, 2025):

sudo ufw default allow routed

worked for me


@max866-elephant commented on GitHub (May 6, 2025):

I encountered the same issue. When trying to reissue the SSL Certificate in the SSL tab, I faced an Internal Error. My solution was to delete the /data and /etc/letsencrypt folders and then reconfigure the settings.
Please make sure to back up the folders before deleting them.


@daliborsojic commented on GitHub (Jul 2, 2025):

I got "Internal Error" (very strange). After restarting the npm, nginx doesn't work.

```
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
nginx-proxy-manager | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-9/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-9/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx-proxy-manager | ❯ Starting nginx ...
```

It enters some loop.

@github-actions[bot] commented on GitHub (Jan 22, 2026):

Issue is now considered stale. If you want to keep it open, please comment 👍


@prik73 commented on GitHub (Jan 24, 2026):

Was facing the same issue, "Internal error", in NPM.

Context: NPM entered a broken state after a Let's Encrypt cert was revoked/deleted.
NPM continued referencing the old cert (npm-4) from its internal SQLite DB, causing nginx to fail with errors:
nginx: [emerg] cannot load certificate /etc/letsencrypt/live/npm-4/fullchain.pem

Because of this, deleting /etc/letsencrypt, restarting containers, removing proxy_host configs, or reissuing certs did not resolve the issue; the stale cert reference persisted in /data/database.sqlite

What solved it was:
1. Stop the Docker container of NPM
2. Wipe NPM's bind-mounted state -> "sudo rm -rf /home/ubuntu/npm/data/*"
3. Start the container

NPM stores critical state in /data/database.sqlite, so deleting cert files alone is insufficient.
And I learned that bind mounts survive container restarts. When NPM references a deleted cert, only a full /data reset fixes it.

PS: after reset, custom Docker networks must be recreated and containers reattached
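
The restart loop in the two comments above comes from nginx configuration that names a certificate file which no longer exists. Before wiping any state, the dangling references can be listed with a check like the following. It is an added example, not part of the thread or of Nginx Proxy Manager; the function name, the `root` parameter (for mapping container paths onto a host bind mount) and the sample files are constructed, and the configuration directory to scan is whatever your installation uses.

```python
"""List nginx ssl_certificate paths that do not exist on disk (added example)."""
import os
import re
import tempfile

# Matches uncommented `ssl_certificate` / `ssl_certificate_key` directives.
CERT_DIRECTIVE = re.compile(
    r'^[ \t]*(ssl_certificate(?:_key)?)[ \t]+"?([^";\s]+)"?[ \t]*;',
    re.MULTILINE)


def dangling_cert_refs(conf_dir, root="/"):
    """Return sorted (conf_file, directive, path) for every missing file.

    root is prepended to each referenced path, so container paths such as
    /etc/letsencrypt/... can be checked against a host-side bind mount.
    os.path.isfile() follows symlinks, so a live/ link whose target was
    deleted is reported as missing too.
    """
    missing = []
    for dirpath, _dirs, files in os.walk(conf_dir):
        for name in files:
            if not name.endswith(".conf"):
                continue
            conf = os.path.join(dirpath, name)
            with open(conf, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for directive, path in CERT_DIRECTIVE.findall(text):
                on_disk = os.path.join(root, path.lstrip("/"))
                if not os.path.isfile(on_disk):
                    missing.append((conf, directive, path))
    return sorted(missing)


# Constructed sample configuration; CERT is replaced per host in demo().
SAMPLE_CONF = """\
server {
  listen 443 ssl;
  # ssl_certificate /etc/letsencrypt/live/old/fullchain.pem;
  ssl_certificate /etc/letsencrypt/live/CERT/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/CERT/privkey.pem;
}
"""


def demo():
    """Build a throwaway tree where npm-1 exists and npm-4 was deleted."""
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "etc", "letsencrypt", "live", "npm-1")
        os.makedirs(live)
        for name in ("fullchain.pem", "privkey.pem"):
            open(os.path.join(live, name), "w").close()
        conf_dir = os.path.join(root, "conf")
        os.makedirs(conf_dir)
        for host, cert in (("1", "npm-1"), ("2", "npm-4")):
            with open(os.path.join(conf_dir, host + ".conf"), "w") as fh:
                fh.write(SAMPLE_CONF.replace("CERT", cert))
        return [(os.path.basename(conf), directive, path)
                for conf, directive, path in dangling_cert_refs(conf_dir, root)]


if __name__ == "__main__":
    for conf, directive, path in demo():
        print(f"{conf}: {directive} -> {path} (missing)")
```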


@rtorchia commented on GitHub (Jan 30, 2026):

So I started getting the internal error also when attempting to renew my certificates for DuckDNS, and nothing, absolutely nothing, that I found as a solution worked for me. Eventually, from piecing together what I read online and reviewing log files, I found a solution to my problem.
To renew my wildcard domain name (*.mydomain.duckdns.org), I created a proxy for mydomain.duckdns.org with IP address pointing to NPM port 80. This solved all my problems. If anyone continues to have problems, you may want to see if this works for you.


@jzuhone commented on GitHub (Feb 7, 2026):

This is definitely not resolved, and none of the above methods are working. At the very least there should be a page that describes some common reasons for this issue, wading through all of the above is kind of a mess.


@ReenigneArcher commented on GitHub (Feb 8, 2026):

I don't know if anyone has the same cause as me, but I'll share in case it helps someone.

None of the above solutions worked for me, but what did work was restarting my router. At the time there was no other weirdness on my network and this was the only thing that wasn't working properly.
