[GH-ISSUE #3624] The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink #2398

New issue

Open

opened 2026-02-26 07:35:25 +03:00 by kerem · 5 comments

kerem commented 2026-02-26 07:35:25 +03:00

Owner

Copy link

Originally created by @Schmandre on GitHub (Mar 12, 2024).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3624

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug

Nginx Proxy Manager Version

To Reproduce
Steps to reproduce the behavior:
I really dont know. Was working everythime before. Just after moving from old system to new (files wasnt moved, completly new config) the error occures at every renewalphase.
I fixed with deleting all files and create everything new from zero. But that is very ... shit :)

Expected behavior

Working cert. renew

Screenshots

I like logs more, so here are logs from the error

2024-03-12 08:37:46,405:DEBUG:certbot._internal.main:certbot version: 2.9.0                                                          2024-03-12 08:37:46,406:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot                       2024-03-12 08:37:46,406:DEBUG:certbot._internal.main:Arguments: ['--force-renewal', '--config', '/etc/letsencrypt.ini', '--work-dir'>2024-03-12 08:37:46,406:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntry>2024-03-12 08:37:46,418:DEBUG:certbot._internal.log:Root logging level set at 30
2024-03-12 08:37:46,418:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-2.conf
2024-03-12 08:37:46,419:ERROR:certbot._internal.renewal:Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
2024-03-12 08:37:46,419:ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Skipping.
2024-03-12 08:37:46,420:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 76, in reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/storage.py", line 510, in __init__
    self._check_symlinks()
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/storage.py", line 589, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink

2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user:
Additionally, the following renewal configurations were invalid:
2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/renewal/npm-2.conf (parsefail)
2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - >2024-03-12 08:37:46,420:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 0 renew failure(s), 1 parse failure(s)
2024-03-12 08:37:46,421:ERROR:certbot._internal.log:0 renew failure(s), 1 parse failure(s)

Operating System

Desktop PC System with dedicated hardware

Additional context

Docker compose file

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    # environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

Originally created by @Schmandre on GitHub (Mar 12, 2024). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3624 <!-- Are you in the right place? - If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit. - If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask. - If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.* --> **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - Yes - Are you sure you're not using someone else's docker image? - Yes - Have you searched for similar issues (both open and closed)? - Yes **Describe the bug** <!-- A clear and concise description of what the bug is. --> **Nginx Proxy Manager Version** <!-- What version of Nginx Proxy Manager is reported on the login page? --> **To Reproduce** Steps to reproduce the behavior: I really dont know. Was working everythime before. Just after moving from old system to new (files wasnt moved, completly new config) the error occures at every renewalphase. I fixed with deleting all files and create everything new from zero. But that is very ... shit :) **Expected behavior** <!-- A clear and concise description of what you expected to happen. --> Working cert. renew **Screenshots** <!-- If applicable, add screenshots to help explain your problem. --> I like logs more, so here are logs from the error ``` 2024-03-12 08:37:46,405:DEBUG:certbot._internal.main:certbot version: 2.9.0 2024-03-12 08:37:46,406:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot 2024-03-12 08:37:46,406:DEBUG:certbot._internal.main:Arguments: ['--force-renewal', '--config', '/etc/letsencrypt.ini', '--work-dir'>2024-03-12 08:37:46,406:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntry>2024-03-12 08:37:46,418:DEBUG:certbot._internal.log:Root logging level set at 30 2024-03-12 08:37:46,418:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-2.conf 2024-03-12 08:37:46,419:ERROR:certbot._internal.renewal:Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken. 2024-03-12 08:37:46,419:ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink Skipping. 2024-03-12 08:37:46,420:DEBUG:certbot._internal.renewal:Traceback was: Traceback (most recent call last): File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 76, in reconstitute renewal_candidate = storage.RenewableCert(full_path, config) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/storage.py", line 510, in __init__ self._check_symlinks() File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/storage.py", line 589, in _check_symlinks raise errors.CertStorageError( certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink 2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted. 2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user: Additionally, the following renewal configurations were invalid: 2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/renewal/npm-2.conf (parsefail) 2024-03-12 08:37:46,420:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - >2024-03-12 08:37:46,420:DEBUG:certbot._internal.log:Exiting abnormally: Traceback (most recent call last): File "/opt/certbot/bin/certbot", line 8, in <module> sys.exit(main()) ^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main return internal_main.main(cli_args) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main return config.func(config, plugins) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1642, in renew renewed_domains, failed_domains = renewal.handle_renewal_request(config) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request raise errors.Error( certbot.errors.Error: 0 renew failure(s), 1 parse failure(s) 2024-03-12 08:37:46,421:ERROR:certbot._internal.log:0 renew failure(s), 1 parse failure(s) ```  **Operating System** <!-- Please specify if using a Rpi, Mac, orchestration tool or any other setups that might affect the reproduction of this error. --> Desktop PC System with dedicated hardware **Additional context** <!-- Add any other context about the problem here, docker version, browser version, logs if applicable to the problem. Too much info is better than too little. --> Docker compose file ``` version: '3.8' services: app: image: 'jc21/nginx-proxy-manager:latest' restart: unless-stopped ports: # These ports are in format <host-port>:<container-port> - '80:80' # Public HTTP Port - '443:443' # Public HTTPS Port - '81:81' # Admin Web Port # Add any other Stream port you want to expose # - '21:21' # FTP # Uncomment the next line if you uncomment anything in the section # environment: # Uncomment this if you want to change the location of # the SQLite DB file within the container # DB_SQLITE_FILE: "/data/database.sqlite" # Uncomment this if IPv6 is not enabled on your host # DISABLE_IPV6: 'true' volumes: - ./data:/data - ./letsencrypt:/etc/letsencrypt ```

kerem added the

bug

label 2026-02-26 07:35:25 +03:00

kerem commented 2026-02-26 07:35:25 +03:00

Author

Owner

Copy link

@feerlessleadr commented on GitHub (Mar 26, 2024):

I'm having this exact same issue. Any luck?

My log is identical to yours

<!-- gh-comment-id:2020608922 --> @feerlessleadr commented on GitHub (Mar 26, 2024): I'm having this exact same issue. Any luck? My log is identical to yours

kerem commented 2026-02-26 07:35:25 +03:00

Author

Owner

Copy link

@daniel-widrick commented on GitHub (May 10, 2024):

The work around for this issue is to simply delete the certs from the interface and then renable ssl on the hosts...

You can rebuild the cert structure manually but ideally this would be handled automatically. It's not unreasonable for these symlinks to get copied as files as part of a backup/migration solution and graceful handling would be nice.

<!-- gh-comment-id:2105201327 --> @daniel-widrick commented on GitHub (May 10, 2024): The work around for this issue is to simply delete the certs from the interface and then renable ssl on the hosts... You can rebuild the cert structure manually but ideally this would be handled automatically. It's not unreasonable for these symlinks to get copied as files as part of a backup/migration solution and graceful handling would be nice.

kerem commented 2026-02-26 07:35:25 +03:00

Author

Owner

Copy link

@dampfhamm3r commented on GitHub (Jun 1, 2024):

I was in the same situation. In my case this issue arised after migrating NPM from a Linux container to a new docker instance.

I've copied all cert.pem/chain.pem/fullchain.pem/privkey.pem from each proxy host to the docker instance.
This messed up the symlinks. I've then created all the needed symlink manually and can now renew the certs without any issues.

For a proxy host npm-4 you need the following:

# ls -lhaF live/npm-4/ | grep ^l
lrwxrwxrwx 1 root root  30 Jun  1 09:28 cert.pem -> ../../archive/npm-4/cert11.pem
lrwxrwxrwx 1 root root  31 Jun  1 09:28 chain.pem -> ../../archive/npm-4/chain11.pem
lrwxrwxrwx 1 root root  35 Jun  1 09:28 fullchain.pem -> ../../archive/npm-4/fullchain11.pem
lrwxrwxrwx 1 root root  33 Jun  1 09:28 privkey.pem -> ../../archive/npm-4/privkey11.pem

The destination file names must contain a number (eg. cert11.pem)! If the symlink points to a file without the number, the renewal will not work.

<!-- gh-comment-id:2143347855 --> @dampfhamm3r commented on GitHub (Jun 1, 2024): I was in the same situation. In my case this issue arised after migrating NPM from a Linux container to a new docker instance. I've copied all cert.pem/chain.pem/fullchain.pem/privkey.pem from each proxy host to the docker instance. This messed up the symlinks. I've then created all the needed symlink manually and can now renew the certs without any issues. For a proxy host `npm-4` you need the following: ``` # ls -lhaF live/npm-4/ | grep ^l lrwxrwxrwx 1 root root 30 Jun 1 09:28 cert.pem -> ../../archive/npm-4/cert11.pem lrwxrwxrwx 1 root root 31 Jun 1 09:28 chain.pem -> ../../archive/npm-4/chain11.pem lrwxrwxrwx 1 root root 35 Jun 1 09:28 fullchain.pem -> ../../archive/npm-4/fullchain11.pem lrwxrwxrwx 1 root root 33 Jun 1 09:28 privkey.pem -> ../../archive/npm-4/privkey11.pem ``` The destination file names must contain a number (eg. cert`11`.pem)! If the symlink points to a file without the number, the renewal will not work.

kerem commented 2026-02-26 07:35:25 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Dec 30, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:2564952416 --> @github-actions[bot] commented on GitHub (Dec 30, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented 2026-02-26 07:35:25 +03:00

Author

Owner

Copy link

@gautamsi commented on GitHub (Aug 10, 2025):

I was able to get a script using chatgpt, in case someone needs it.

My case was due to restore, the symlinks were gone, running from inside the npm container works or change the script accordingly

#!/bin/bash
set -euo pipefail

LIVE_DIR="/etc/letsencrypt/live"
ARCHIVE_DIR="/etc/letsencrypt/archive"

FILES=("cert.pem" "privkey.pem" "chain.pem" "fullchain.pem")

for live_subdir in "$LIVE_DIR"/*; do
    [ -d "$live_subdir" ] || continue
    folder_name=$(basename "$live_subdir")
    archive_path="$ARCHIVE_DIR/$folder_name"

    if [ ! -d "$archive_path" ]; then
        echo "⚠️ No archive found for: $folder_name — skipping"
        continue
    fi

    echo "Processing $folder_name..."
    for f in "${FILES[@]}"; do
        base_name="${f%.pem}"   # e.g., cert, privkey, chain, fullchain
        pattern="$archive_path/${base_name}[0-9]*.pem"
        latest_file=$(ls -v $pattern 2>/dev/null | tail -n 1)

        if [ -z "$latest_file" ]; then
            echo "  ❌ No files found for $f in $archive_path"
            continue
        fi

        # Compute relative path from live_subdir to latest_file
        rel_path=$(realpath --relative-to="$live_subdir" "$latest_file")

        # Remove old link or file
        rm -f "$live_subdir/$f"
        # Create new relative symlink
        ln -s "$rel_path" "$live_subdir/$f"
        echo "  ✅ Linked $f → $rel_path"
    done
done

echo "Done."

<!-- gh-comment-id:3172875327 --> @gautamsi commented on GitHub (Aug 10, 2025): I was able to get a script using chatgpt, in case someone needs it. My case was due to restore, the symlinks were gone, running from inside the npm container works or change the script accordingly ```sh #!/bin/bash set -euo pipefail LIVE_DIR="/etc/letsencrypt/live" ARCHIVE_DIR="/etc/letsencrypt/archive" FILES=("cert.pem" "privkey.pem" "chain.pem" "fullchain.pem") for live_subdir in "$LIVE_DIR"/*; do [ -d "$live_subdir" ] || continue folder_name=$(basename "$live_subdir") archive_path="$ARCHIVE_DIR/$folder_name" if [ ! -d "$archive_path" ]; then echo "⚠️ No archive found for: $folder_name — skipping" continue fi echo "Processing $folder_name..." for f in "${FILES[@]}"; do base_name="${f%.pem}" # e.g., cert, privkey, chain, fullchain pattern="$archive_path/${base_name}[0-9]*.pem" latest_file=$(ls -v $pattern 2>/dev/null | tail -n 1) if [ -z "$latest_file" ]; then echo " ❌ No files found for $f in $archive_path" continue fi # Compute relative path from live_subdir to latest_file rel_path=$(realpath --relative-to="$live_subdir" "$latest_file") # Remove old link or file rm -f "$live_subdir/$f" # Create new relative symlink ln -s "$rel_path" "$live_subdir/$f" echo " ✅ Linked $f → $rel_path" done done echo "Done." ```

kerem referenced this issue 2026-02-26 08:31:06 +03:00

[PR #2398] Add unofficial Hosting.de DNS provider #3562

kerem referenced this issue 2026-02-26 08:31:47 +03:00

[PR #3696] [CLOSED] Add support for Hosting.de DNS-Provider #3744

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#2398

No description provided.