[GH-ISSUE #3861] Renewing Cert - Error #2533

Open
opened 2026-02-26 07:35:55 +03:00 by kerem · 7 comments
Owner

Originally created by @sias32 on GitHub (Jul 8, 2024).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3861

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • No
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
When trying to autoupdate a certificate, an error appears in the application logs:

```log
[7/8/2024] [11:18:35 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/8/2024] [11:18:35 AM] [SSL      ] › ✖  error     Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:218:20)
    --------------------
    at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48)
    at Connection.query (/app/node_modules/mysql/lib/Connection.js:198:25)
    at /app/node_modules/knex/lib/dialects/mysql/index.js:132:18
    at new Promise (<anonymous>)
    at Client_MySQL._query (/app/node_modules/knex/lib/dialects/mysql/index.js:126:12)
    at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17)
    at Client_MySQL.query (/app/node_modules/knex/lib/client.js:146:12)
    at Runner.query (/app/node_modules/knex/lib/execution/runner.js:123:36)
    at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17)
    at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:300:20)
```

And on the database side, a warning comes out in the logs:

```log
2024-07-08  8:19:44 136237 [Warning] Aborted connection 136237 to db: 'nginx' user: 'nginx' host: '10.0.4.4' (Got an error reading communication packets)
2024-07-08 10:19:53 136716 [Warning] Aborted connection 136716 to db: 'nginx' user: 'nginx' host: '10.0.4.4' (Got an error reading communication packets)
2024-07-08 12:20:02 137195 [Warning] Aborted connection 137195 to db: 'nginx' user: 'nginx' host: '10.0.4.4' (Got an error reading communication packets)
```

But at the same time the certificate is renewed, it has an extended date...

Nginx Proxy Manager Version
Using jc21/nginx-proxy-manager:2.11.2

To Reproduce
Steps to reproduce the behavior:

  1. Create a certificate
  2. Wait for certbot to start renewing the certificate automatically
  3. See logs

Expected behavior
Clearly no errors should pop up when updating a certificate

Operating System
Debian 12, Docker. Run in docker swarm

Additional context
If you do the renewal manually, no errors occur

Application environment variables

```yaml
environment:
  DB_MYSQL_HOST: nginx-db
  DB_MYSQL_NAME: nginx
  DB_MYSQL_PASSWORD__FILE: /run/secrets/nginx-db-pass
  DB_MYSQL_PORT: "3306"
  DB_MYSQL_USER: nginx
```

@sias32 commented on GitHub (Jul 10, 2024):

After upgrading to 2.11.3, the error remains


@sias32 commented on GitHub (Jul 11, 2024):

This doesn't happen with all certificates, some update without problems, it's hard to figure out which ones yet

```log
[7/11/2024] [4:50:08 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/11/2024] [4:50:08 AM] [SSL      ] › ✖  error     Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:218:20)
    --------------------
    at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48)
    at Connection.query (/app/node_modules/mysql/lib/Connection.js:198:25)
    at /app/node_modules/knex/lib/dialects/mysql/index.js:132:18
    at new Promise (<anonymous>)
    at Client_MySQL._query (/app/node_modules/knex/lib/dialects/mysql/index.js:126:12)
    at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17)
    at Client_MySQL.query (/app/node_modules/knex/lib/client.js:146:12)
    at Runner.query (/app/node_modules/knex/lib/execution/runner.js:123:36)
    at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17)
    at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:300:20)
[7/11/2024] [5:50:08 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/11/2024] [5:50:08 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
```

@sias32 commented on GitHub (Jul 12, 2024):

I created a test service, on the latest version 2.11.3

There are three domains on it, leading to one service, whoami; an access list was created for each of them. The first one is completely open, the second one is closed under authorization and the third one is limited by addresses. At first everything was OK, but after a day errors started to appear

```log
[7/12/2024] [1:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [1:05:56 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
[7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[7/12/2024] [2:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [2:05:56 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
[7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[7/12/2024] [2:05:56 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -t -g "error_log off;"
[7/12/2024] [2:05:56 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[7/12/2024] [2:05:56 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -s reload
[7/12/2024] [3:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [3:05:56 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
[7/12/2024] [4:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [4:05:56 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
[7/12/2024] [5:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [5:05:56 AM] [SSL      ] › ✖  error     Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:218:20)
    --------------------
    at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48)
    at Connection.query (/app/node_modules/mysql/lib/Connection.js:198:25)
    at /app/node_modules/knex/lib/dialects/mysql/index.js:132:18
    at new Promise (<anonymous>)
    at Client_MySQL._query (/app/node_modules/knex/lib/dialects/mysql/index.js:126:12)
    at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17)
    at Client_MySQL.query (/app/node_modules/knex/lib/client.js:146:12)
    at Runner.query (/app/node_modules/knex/lib/execution/runner.js:123:36)
    at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17)
    at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:300:20)
```
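
Added example, not part of the original issue or the project's code: a small Node.js triage script that pairs each hourly "Renewing SSL certs" line with its outcome and tags a failure as database-side when its stack passes through the `mysql`/`knex` modules, as in the traces quoted in this thread. The function name `classifyRenewRuns` and the sample log are constructed for illustration.

```javascript
// Constructed sample in the log format quoted in this issue (not a real capture).
const SAMPLE_LOG = `
[7/12/2024] [4:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [4:05:56 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
[7/12/2024] [5:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [5:05:56 AM] [SSL      ] › ✖  error     Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:218:20)
    --------------------
    at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48)
[7/12/2024] [6:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
`;
// Line layout: [date] [time] [scope] › <symbol> <level> <message>
const LINE_RE = /^\[([^\]]+)\] \[([^\]]+)\] \[([^\]]+?)\s*\] › \S+\s+(\w+)\s+(.*)$/u;

// Hypothetical helper: pair each SSL renew run with its logged outcome.
function classifyRenewRuns(logText) {
  const runs = [];
  let open = null;     // run that has started but has no outcome yet
  let errored = null;  // last failed run, still collecting stack frames
  for (const line of logText.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) {
      if (errored && /^\s+at /.test(line)) errored.frames.push(line.trim());
      continue;
    }
    errored = null;
    const [, date, time, scope, level, msg] = m;
    if (scope !== 'SSL') continue;
    if (msg.startsWith('Renewing SSL certs')) {
      if (open) runs.push(open);  // previous run never logged an outcome
      open = { started: `${date} ${time}`, outcome: 'unknown', error: null, frames: [] };
    } else if (open && msg.startsWith('Completed SSL cert renew')) {
      open.outcome = 'completed';
      runs.push(open);
      open = null;
    } else if (open && level === 'error') {
      Object.assign(open, { outcome: 'error', error: msg.trim() });
      runs.push(open);
      errored = open;
      open = null;
    }
  }
  if (open) runs.push(open);  // log ended mid-run
  // A stack passing through mysql/knex points at the database connection, not certbot.
  for (const r of runs) {
    r.layer = r.frames.some((f) => /node_modules\/(mysql|knex)\//.test(f)) ? 'database' : null;
  }
  return runs;
}
console.log(classifyRenewRuns(SAMPLE_LOG).map((r) => `${r.started} ${r.outcome} ${r.layer ?? ''}`));
```
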

@jo-pouradier commented on GitHub (Nov 4, 2024):

Hello, I got the same issue. Which DNS are you using? If it's Cloudflare, deactivate the Cloudflare proxy (test, but wait a few minutes), get your SSL certs and enable the Cloudflare proxy again.
Otherwise, for other DNS, use `nslookup <your_domain>` and verify it's your IP.


@sias32 commented on GitHub (Mar 27, 2025):

@jo-pouradier No, I don't use it. It's interesting that everything works


@Silicon51 commented on GitHub (May 21, 2025):

So, there's a chance that you have my case: both Pi-hole and NPM as Docker containers.
Due to some weird behavior of the DNS resolver, the NPM container does not have access to the internet, so it cannot request a cert.
For me it logs errors like `Failed to establish a new connection: [Errno -3] Temporary failure in name resolution')': /simple/cloudflare/`
I also get the error `Failed to check the reachability due to a communication error with site24x7.com nginx proxy` when, in version 2.12.3, I use the "Test Server Reachability" option on the SSL Certificates tab.
How to solve it?
Add the following to your NPM docker compose:

```yaml
dns:
  - 172.19.0.4  # Pi-hole IP address
  - 1.1.1.1
  - 8.8.8.8
```

@github-actions[bot] commented on GitHub (Nov 23, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍
