[GH-ISSUE #3861] Renewing Cert - Error #2533

New issue

Open

opened 2026-02-26 07:35:55 +03:00 by kerem · 7 comments

kerem commented 2026-02-26 07:35:55 +03:00

Owner

Copy link

Originally created by @sias32 on GitHub (Jul 8, 2024).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3861

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • No
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug
When trying to autoupdate a certificate, an error appears in the application logs:

[7/8/2024] [11:18:35 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/8/2024] [11:18:35 AM] [SSL      ] › ✖  error     Error: read ECONNRESET 
    at TCP.onStreamRead (node:internal/stream_base_commons:218:20)
    --------------------
    at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48)
    at Connection.query (/app/node_modules/mysql/lib/Connection.js:198:25)
    at /app/node_modules/knex/lib/dialects/mysql/index.js:132:18
    at new Promise (<anonymous>)
    at Client_MySQL._query (/app/node_modules/knex/lib/dialects/mysql/index.js:126:12)
    at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17)
    at Client_MySQL.query (/app/node_modules/knex/lib/client.js:146:12)
    at Runner.query (/app/node_modules/knex/lib/execution/runner.js:123:36)
    at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17)
    at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:300:20)

And on the database side, a warning comes out in the logs:

2024-07-08  8:19:44 136237 [Warning] Aborted connection 136237 to db: 'nginx' user: 'nginx' host: '10.0.4.4' (Got an error reading communication packets)
2024-07-08 10:19:53 136716 [Warning] Aborted connection 136716 to db: 'nginx' user: 'nginx' host: '10.0.4.4' (Got an error reading communication packets)
2024-07-08 12:20:02 137195 [Warning] Aborted connection 137195 to db: 'nginx' user: 'nginx' host: '10.0.4.4' (Got an error reading communication packets)

But at the same time the certificate is renewed, it has an extended date...

Nginx Proxy Manager Version
Using jc21/nginx-proxy-manager:2.11.2

To Reproduce
Steps to reproduce the behavior:

1. Create a certificate
2. Wait for certbot to start renewing the certificate automatically
3. See logs

Expected behavior
Clearly no errors should pop up when updating a certificate

Operating System
Debian 12, Docker. Run in docker swarm

Additional context
If you do the renewal manually, no errors occur

Application environment variables

environment:
  DB_MYSQL_HOST: nginx-db
  DB_MYSQL_NAME: nginx
  DB_MYSQL_PASSWORD__FILE: /run/secrets/nginx-db-pass
  DB_MYSQL_PORT: "3306"
  DB_MYSQL_USER: nginx

Originally created by @sias32 on GitHub (Jul 8, 2024). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3861 **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - No - Are you sure you're not using someone else's docker image? - Yes - Have you searched for similar issues (both open and closed)? - Yes **Describe the bug** When trying to autoupdate a certificate, an error appears in the application logs: ```log [7/8/2024] [11:18:35 AM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ... [7/8/2024] [11:18:35 AM] [SSL ] › ✖ error Error: read ECONNRESET at TCP.onStreamRead (node:internal/stream_base_commons:218:20) -------------------- at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48) at Connection.query (/app/node_modules/mysql/lib/Connection.js:198:25) at /app/node_modules/knex/lib/dialects/mysql/index.js:132:18 at new Promise (<anonymous>) at Client_MySQL._query (/app/node_modules/knex/lib/dialects/mysql/index.js:126:12) at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17) at Client_MySQL.query (/app/node_modules/knex/lib/client.js:146:12) at Runner.query (/app/node_modules/knex/lib/execution/runner.js:123:36) at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17) at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:300:20) ``` And on the database side, a warning comes out in the logs: ```log 2024-07-08 8:19:44 136237 [Warning] Aborted connection 136237 to db: 'nginx' user: 'nginx' host: '10.0.4.4' (Got an error reading communication packets) 2024-07-08 10:19:53 136716 [Warning] Aborted connection 136716 to db: 'nginx' user: 'nginx' host: '10.0.4.4' (Got an error reading communication packets) 2024-07-08 12:20:02 137195 [Warning] Aborted connection 137195 to db: 'nginx' user: 'nginx' host: '10.0.4.4' (Got an error reading communication packets) ``` But at the same time the certificate is renewed, it has an extended date... **Nginx Proxy Manager Version** Using jc21/nginx-proxy-manager:2.11.2 **To Reproduce** Steps to reproduce the behavior: 1. Create a certificate 2. Wait for certbot to start renewing the certificate automatically 3. See logs **Expected behavior** Clearly no errors should pop up when updating a certificate **Operating System** Debian 12, Docker. Run in docker swarm **Additional context** If you do the renewal manually, no errors occur Application environment variables ```yaml environment: DB_MYSQL_HOST: nginx-db DB_MYSQL_NAME: nginx DB_MYSQL_PASSWORD__FILE: /run/secrets/nginx-db-pass DB_MYSQL_PORT: "3306" DB_MYSQL_USER: nginx ```

kerem added the

stale

bug

labels 2026-02-26 07:35:55 +03:00

kerem commented 2026-02-26 07:35:56 +03:00

Author

Owner

Copy link

@sias32 commented on GitHub (Jul 10, 2024):

After upgrading to 2.11.3, the error remains

<!-- gh-comment-id:2220949918 --> @sias32 commented on GitHub (Jul 10, 2024): After upgrading to 2.11.3, the error remains

kerem commented 2026-02-26 07:35:56 +03:00

Author

Owner

Copy link

@sias32 commented on GitHub (Jul 11, 2024):

This doesn't happen with all certificates, some update without problems, it's hard to figure out which ones yet

[7/11/2024] [4:50:08 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/11/2024] [4:50:08 AM] [SSL      ] › ✖  error     Error: read ECONNRESET 
    at TCP.onStreamRead (node:internal/stream_base_commons:218:20)
    --------------------
    at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48)
    at Connection.query (/app/node_modules/mysql/lib/Connection.js:198:25)
    at /app/node_modules/knex/lib/dialects/mysql/index.js:132:18
    at new Promise (<anonymous>)
    at Client_MySQL._query (/app/node_modules/knex/lib/dialects/mysql/index.js:126:12)
    at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17)
    at Client_MySQL.query (/app/node_modules/knex/lib/client.js:146:12)
    at Runner.query (/app/node_modules/knex/lib/execution/runner.js:123:36)
    at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17)
    at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:300:20)
[7/11/2024] [5:50:08 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/11/2024] [5:50:08 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process

<!-- gh-comment-id:2222220027 --> @sias32 commented on GitHub (Jul 11, 2024): This doesn't happen with all certificates, some update without problems, it's hard to figure out which ones yet ```log [7/11/2024] [4:50:08 AM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ... [7/11/2024] [4:50:08 AM] [SSL ] › ✖ error Error: read ECONNRESET at TCP.onStreamRead (node:internal/stream_base_commons:218:20) -------------------- at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48) at Connection.query (/app/node_modules/mysql/lib/Connection.js:198:25) at /app/node_modules/knex/lib/dialects/mysql/index.js:132:18 at new Promise (<anonymous>) at Client_MySQL._query (/app/node_modules/knex/lib/dialects/mysql/index.js:126:12) at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17) at Client_MySQL.query (/app/node_modules/knex/lib/client.js:146:12) at Runner.query (/app/node_modules/knex/lib/execution/runner.js:123:36) at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17) at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:300:20) [7/11/2024] [5:50:08 AM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ... [7/11/2024] [5:50:08 AM] [SSL ] › ℹ info Completed SSL cert renew process ```

kerem commented 2026-02-26 07:35:56 +03:00

Author

Owner

Copy link

@sias32 commented on GitHub (Jul 12, 2024):

I created a test service, on the latest version 2.11.3

There are three domains on it, leading to one service whoami, for each of them access list was created. The first one is completely open, the second one is closed under authorization and the third one is limited by addresses. At first everything was ok, but after a day errors started to appear

[7/12/2024] [1:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [1:05:56 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
[7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[7/12/2024] [2:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [2:05:56 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
[7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[7/12/2024] [2:05:56 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -t -g "error_log off;"
[7/12/2024] [2:05:56 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[7/12/2024] [2:05:56 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -s reload
[7/12/2024] [3:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [3:05:56 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
[7/12/2024] [4:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [4:05:56 AM] [SSL      ] › ℹ  info      Completed SSL cert renew process
[7/12/2024] [5:05:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs expiring within 30 days ...
[7/12/2024] [5:05:56 AM] [SSL      ] › ✖  error     Error: read ECONNRESET 
    at TCP.onStreamRead (node:internal/stream_base_commons:218:20)
    --------------------
    at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48)
    at Connection.query (/app/node_modules/mysql/lib/Connection.js:198:25)
    at /app/node_modules/knex/lib/dialects/mysql/index.js:132:18
    at new Promise (<anonymous>)
    at Client_MySQL._query (/app/node_modules/knex/lib/dialects/mysql/index.js:126:12)
    at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17)
    at Client_MySQL.query (/app/node_modules/knex/lib/client.js:146:12)
    at Runner.query (/app/node_modules/knex/lib/execution/runner.js:123:36)
    at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17)
    at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:300:20)

<!-- gh-comment-id:2224851742 --> @sias32 commented on GitHub (Jul 12, 2024): I created a test service, on the latest version 2.11.3 There are three domains on it, leading to one service whoami, for each of them access list was created. The first one is completely open, the second one is closed under authorization and the third one is limited by addresses. At first everything was ok, but after a day errors started to appear ```log [7/12/2024] [1:05:56 AM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ... [7/12/2024] [1:05:56 AM] [SSL ] › ℹ info Completed SSL cert renew process [7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ info Fetching IP Ranges from online services... [7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json [7/12/2024] [2:05:56 AM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ... [7/12/2024] [2:05:56 AM] [SSL ] › ℹ info Completed SSL cert renew process [7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4 [7/12/2024] [2:05:56 AM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6 [7/12/2024] [2:05:56 AM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -t -g "error_log off;" [7/12/2024] [2:05:56 AM] [Nginx ] › ℹ info Reloading Nginx [7/12/2024] [2:05:56 AM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -s reload [7/12/2024] [3:05:56 AM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ... [7/12/2024] [3:05:56 AM] [SSL ] › ℹ info Completed SSL cert renew process [7/12/2024] [4:05:56 AM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ... [7/12/2024] [4:05:56 AM] [SSL ] › ℹ info Completed SSL cert renew process [7/12/2024] [5:05:56 AM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ... [7/12/2024] [5:05:56 AM] [SSL ] › ✖ error Error: read ECONNRESET at TCP.onStreamRead (node:internal/stream_base_commons:218:20) -------------------- at Protocol._enqueue (/app/node_modules/mysql/lib/protocol/Protocol.js:144:48) at Connection.query (/app/node_modules/mysql/lib/Connection.js:198:25) at /app/node_modules/knex/lib/dialects/mysql/index.js:132:18 at new Promise (<anonymous>) at Client_MySQL._query (/app/node_modules/knex/lib/dialects/mysql/index.js:126:12) at executeQuery (/app/node_modules/knex/lib/execution/internal/query-executioner.js:37:17) at Client_MySQL.query (/app/node_modules/knex/lib/client.js:146:12) at Runner.query (/app/node_modules/knex/lib/execution/runner.js:123:36) at ensureConnectionCallback (/app/node_modules/knex/lib/execution/internal/ensure-connection-callback.js:13:17) at Runner.ensureConnection (/app/node_modules/knex/lib/execution/runner.js:300:20) ```

kerem commented 2026-02-26 07:35:56 +03:00

Author

Owner

Copy link

@jo-pouradier commented on GitHub (Nov 4, 2024):

Hello got same issue, which DNS are you using ? If its cloudflare, desactivate cloudflare proxy (test but wait a few minutes), get your ssl certs and put cloudlfare proxy again.
Otherwise for other DNS use nslookup <your_domain> and verify its your ip.

<!-- gh-comment-id:2454819156 --> @jo-pouradier commented on GitHub (Nov 4, 2024): Hello got same issue, which DNS are you using ? If its cloudflare, desactivate cloudflare proxy (test but wait a few minutes), get your ssl certs and put cloudlfare proxy again. Otherwise for other DNS use nslookup <your_domain> and verify its your ip.

kerem commented 2026-02-26 07:35:56 +03:00

Author

Owner

Copy link

@sias32 commented on GitHub (Mar 27, 2025):

@jo-pouradier No, I don't use it. It's interesting that everything works

<!-- gh-comment-id:2758414116 --> @sias32 commented on GitHub (Mar 27, 2025): @jo-pouradier No, I don't use it. It's interesting that everything works

kerem commented 2026-02-26 07:35:56 +03:00

Author

Owner

Copy link

@Silicon51 commented on GitHub (May 21, 2025):

So, there's a chance that you have my case: both piHole and NPM as docker containers.
Due to some weird behavior of DNS resolver NPM container do not have access to internet so cannot request for cert.
For me it log errors like Failed to establish a new connection: [Errno -3] Temporary failure in name resolution')': /simple/cloudflare/
Also I have error Failed to check the reachability due to a communication error with site24x7.com nginx proxy when in version 2.12.3 I use option "Test Server Reachability" from tab SSL Certificates.
How to solve it?
add following to your NPM docker compose:

dns:
  - 172.19.0.4 <<pihole IP adress>>
  - 1.1.1.1
  - 8.8.8.8

<!-- gh-comment-id:2899527325 --> @Silicon51 commented on GitHub (May 21, 2025): So, there's a chance that you have my case: both piHole and NPM as docker containers. Due to some weird behavior of DNS resolver NPM container do not have access to internet so cannot request for cert. For me it log errors like `Failed to establish a new connection: [Errno -3] Temporary failure in name resolution')': /simple/cloudflare/` Also I have error `Failed to check the reachability due to a communication error with site24x7.com nginx proxy` when in version 2.12.3 I use option "Test Server Reachability" from tab SSL Certificates. How to solve it? add following to your NPM docker compose: dns: - 172.19.0.4 <<pihole IP adress>> - 1.1.1.1 - 8.8.8.8

kerem commented 2026-02-26 07:35:56 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Nov 23, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:3567389882 --> @github-actions[bot] commented on GitHub (Nov 23, 2025): Issue is now considered stale. If you want to keep it open, please comment :+1:

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#2533

No description provided.