[GH-ISSUE #3778] Cannot get new SSL certificates on Debian 12 with rootless Docker #2486

New issue

Closed

opened 2026-02-26 07:35:44 +03:00 by kerem · 1 comment

kerem commented 2026-02-26 07:35:44 +03:00

Owner

Copy link

Originally created by @TailoredITRob on GitHub (May 27, 2024).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3778

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes (Possible duplicates listed)

Describe the bug
I have a vanilla installation of Debian 12 with rootless Docker and NPM installed. (I also have a container running Portainer.) When I try to enable SSL and add a new certificate, it fails. When I attempt to create a new Let'sEncrypt certificate from the SSL page, it also fails. Additionally, the Server Reachability test also fails with the following error.

There is a server found at this domain but it returned an unexpected status code 502. Is it the NPM server? Please make sure your domain points to the IP where your NPM instance is running.

Of course, NPM is running and I'm accessing NPM through the domain I'm attempting to pull an SSL cert for.

Inspecting the JS console, I find a request going out to http://my.domain.com/api/nginx/certificates/test-http?domains=["my.domain.com"] is failing with the following error.

{
    "error":
        {
            "code":403,
            "message": "Permission Denied"
        },
    "debug":
        {
            "stack":
                [
                    "PermissionError: Permission Denied",
                    "    at /app/lib/access.js:309:13",
                    "    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)",
                    "    at async Object.testHttpsChallenge (/app/internal/certificate.js:1131:3)"
                ],
            "previous":
                {
                    "name": "PermissionError",
                    "message": "Permission Denied",
                    "public": true,
                    "status": 403,
                    "permission": "certificates:list"
                }
        }
}

Attempting to request a new certificate results in a 503 error from http://my.domain.com/api/nginx/certificates with the following message.

CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:519:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5)

The indicated log file is never created.

Nginx Proxy Manager Version
2.11.2

To Reproduce
Steps to reproduce the behavior:

1. Perform a clean install of Debian 12.
2. Install docker-ce (rootless).
3. Use the docker-compose.yml file shown below.
4. Log into NPM with default credentials, create a new password.
5. Add a new host for the any domain and attempt to add a new SSL certificate or run a reachability test.

Expected behavior
A reachability test should be completed or a new Let'sEncrypt certificate issued without errors.

Operating System
Debian GNU/Linux 12 (bookworm)

Additional context

services:
  portainer:
    image: 'portainer/portainer-ce:latest'
    restart: unless-stopped
    ports:
      - '127.0.0.1:9443:9443'
    volumes:
      - './storage/data:/data'
      - '/etc/localtime:/etc/localtime:ro'
      # - '/var/run/docker.sock:/var/run/docker.sock'
      - '$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock'

  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
    environment:
      # Mysql/Maria connection parameters:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      DB_MYSQL_PASSWORD: "password"
      DB_MYSQL_NAME: "npm"
      # Uncomment this if IPv6 is not enabled on your host
      DISABLE_IPV6: 'true'
    volumes:
      - './storage/data:/data'
      - './storage/letsencrypt:/etc/letsencrypt'
    depends_on:
      - db

  db:
    image: 'jc21/mariadb-aria:latest'
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: 'rootpassword'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'password'
      MARIADB_AUTO_UPGRADE: '1'
    volumes:
      - './storage/mysql:/var/lib/mysql'

Possibly related to #2439, #2593, and #2713.

Originally created by @TailoredITRob on GitHub (May 27, 2024). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3778 <!-- Are you in the right place? - If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit. - If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask. - If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.* --> **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - Yes - Are you sure you're not using someone else's docker image? - Yes - Have you searched for similar issues (both open and closed)? - Yes (Possible duplicates listed) **Describe the bug** I have a vanilla installation of Debian 12 with rootless Docker and NPM installed. (I also have a container running Portainer.) When I try to enable SSL and add a new certificate, it fails. When I attempt to create a new Let'sEncrypt certificate from the SSL page, it also fails. Additionally, the Server Reachability test also fails with the following error. There is a server found at this domain but it returned an unexpected status code 502. Is it the NPM server? Please make sure your domain points to the IP where your NPM instance is running. Of course, NPM is running and I'm accessing NPM through the domain I'm attempting to pull an SSL cert for. Inspecting the JS console, I find a request going out to `http://my.domain.com/api/nginx/certificates/test-http?domains=["my.domain.com"]` is failing with the following error. ```json { "error": { "code":403, "message": "Permission Denied" }, "debug": { "stack": [ "PermissionError: Permission Denied", " at /app/lib/access.js:309:13", " at process.processTicksAndRejections (node:internal/process/task_queues:95:5)", " at async Object.testHttpsChallenge (/app/internal/certificate.js:1131:3)" ], "previous": { "name": "PermissionError", "message": "Permission Denied", "public": true, "status": 403, "permission": "certificates:list" } } } ``` Attempting to request a new certificate results in a 503 error from `http://my.domain.com/api/nginx/certificates` with the following message. ``` CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details. at /app/lib/utils.js:16:13 at ChildProcess.exithandler (node:child_process:430:5) at ChildProcess.emit (node:events:519:28) at maybeClose (node:internal/child_process:1105:16) at ChildProcess._handle.onexit (node:internal/child_process:305:5) ``` *The indicated log file is never created.* **Nginx Proxy Manager Version** 2.11.2 **To Reproduce** Steps to reproduce the behavior: 1. Perform a clean install of Debian 12. 2. Install docker-ce (rootless). 3. Use the docker-compose.yml file shown below. 4. Log into NPM with default credentials, create a new password. 5. Add a new host for the any domain and attempt to add a new SSL certificate or run a reachability test. **Expected behavior** A reachability test should be completed or a new Let'sEncrypt certificate issued without errors. **Operating System** Debian GNU/Linux 12 (bookworm) **Additional context** ```docker-compose.yml services: portainer: image: 'portainer/portainer-ce:latest' restart: unless-stopped ports: - '127.0.0.1:9443:9443' volumes: - './storage/data:/data' - '/etc/localtime:/etc/localtime:ro' # - '/var/run/docker.sock:/var/run/docker.sock' - '$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock' app: image: 'jc21/nginx-proxy-manager:latest' restart: unless-stopped ports: - '80:80' # Public HTTP Port - '443:443' # Public HTTPS Port - '81:81' # Admin Web Port environment: # Mysql/Maria connection parameters: DB_MYSQL_HOST: "db" DB_MYSQL_PORT: 3306 DB_MYSQL_USER: "npm" DB_MYSQL_PASSWORD: "password" DB_MYSQL_NAME: "npm" # Uncomment this if IPv6 is not enabled on your host DISABLE_IPV6: 'true' volumes: - './storage/data:/data' - './storage/letsencrypt:/etc/letsencrypt' depends_on: - db db: image: 'jc21/mariadb-aria:latest' restart: unless-stopped environment: MYSQL_ROOT_PASSWORD: 'rootpassword' MYSQL_DATABASE: 'npm' MYSQL_USER: 'npm' MYSQL_PASSWORD: 'password' MARIADB_AUTO_UPGRADE: '1' volumes: - './storage/mysql:/var/lib/mysql' ``` Possibly related to #2439, #2593, and #2713.

kerem 2026-02-26 07:35:44 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-02-26 07:35:45 +03:00

Author

Owner

Copy link

@TailoredITRob commented on GitHub (Jul 8, 2024):

I finally have this resolved.

I needed to apply the fix from #3121 as shown below.

Create a force-ssl.conf file in the same directory as docker-compose.yml and then add it to your container.

force-ssl.conf

set $test "";
if ($scheme = "http") {
    set $test "H";
}
if ($request_uri ~ "^\/\.well-known\/acme-challenge\/(.*)") {
    set $test "${test}T";
}
if ($test = H) {
    return 301 https://$host$request_uri;
}

docker-compose.yml

services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    environment:
      # Uncomment this if you want to change the location of 
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      - ./force-ssl.conf:/etc/nginx/conf.d/include/force-ssl.conf   # <~~~~~~~~~~~~~~~

This should resolve the issue until PR #3121 is merged. With this I was getting back Let's Encrypt responses, but they were being denied. After inspecting the logs I realized it was failing a CAA check. (I've used other certificate providers for other subdomains. CAA records limit which CAs may issue certificates for a domain. You may need to add a CAA record for Let's Encrypt.

example.org         CAA 0 issue "letsencrypt.org"         3600

You can learn more about CAA records here.

<!-- gh-comment-id:2213629776 --> @TailoredITRob commented on GitHub (Jul 8, 2024): I finally have this resolved. I needed to apply the fix from #3121 as shown below. Create a `force-ssl.conf` file in the same directory as `docker-compose.yml` and then add it to your container. **force-ssl.conf** ``` set $test ""; if ($scheme = "http") { set $test "H"; } if ($request_uri ~ "^\/\.well-known\/acme-challenge\/(.*)") { set $test "${test}T"; } if ($test = H) { return 301 https://$host$request_uri; } ``` **docker-compose.yml** ``` services: app: image: 'jc21/nginx-proxy-manager:latest' restart: unless-stopped ports: # These ports are in format <host-port>:<container-port> - '80:80' # Public HTTP Port - '443:443' # Public HTTPS Port - '81:81' # Admin Web Port # Add any other Stream port you want to expose # - '21:21' # FTP # Uncomment the next line if you uncomment anything in the section environment: # Uncomment this if you want to change the location of # the SQLite DB file within the container # DB_SQLITE_FILE: "/data/database.sqlite" # Uncomment this if IPv6 is not enabled on your host DISABLE_IPV6: 'true' volumes: - ./data:/data - ./letsencrypt:/etc/letsencrypt - ./force-ssl.conf:/etc/nginx/conf.d/include/force-ssl.conf # <~~~~~~~~~~~~~~~ ``` This *should* resolve the issue until PR #3121 is merged. With this I was getting back Let's Encrypt responses, but they were being denied. After inspecting the logs I realized it was failing a CAA check. (I've used other certificate providers for other subdomains. CAA records limit which CAs may issue certificates for a domain. You may need to add a CAA record for Let's Encrypt. example.org CAA 0 issue "letsencrypt.org" 3600 You can learn more about CAA records [here](https://letsencrypt.org/docs/caa/).

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#2486

No description provided.