[GH-ISSUE #4239] Cannot change ownership of files under /etc/letsencrypt/live/npm-1 after restarting OR tearing down and recreating container #2740

Open
opened 2026-02-26 07:36:39 +03:00 by kerem · 3 comments

Originally created by @jaysee260 on GitHub (Dec 16, 2024).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4239

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

I am setting up Nginx Proxy Manager for the very first time. I create my own SSL cert using LetsEncrypt.

The very first time I started the container, everything worked; I was able to login, register proxy hosts, etc.

However, whenever I tear down and recreate the container, the process inside the container seems to be unable to access the cert files in /etc/letsencrypt/live/npm-1.

I am using docker compose on Debian 12, and here's what I see in the logs whenever I restart or recreate the container.

```sh
2024-12-16 18:48:51 ❯ Configuring npm user ...
2024-12-16 18:48:51 ❯ Configuring npm group ...
2024-12-16 18:48:51 ❯ Checking paths ...
2024-12-16 18:48:51 ❯ Setting ownership ...
2024-12-16 18:48:51 useradd warning: npm's uid 0 outside of the UID_MIN 1000 and UID_MAX 60000 range.
2024-12-16 18:48:51 chown: changing ownership of '/etc/letsencrypt/live/npm-1/chain.pem': Operation not permitted
2024-12-16 18:48:51 chown: changing ownership of '/etc/letsencrypt/live/npm-1/cert.pem': Operation not permitted
2024-12-16 18:48:51 chown: changing ownership of '/etc/letsencrypt/live/npm-1/fullchain.pem': Operation not permitted
2024-12-16 18:48:51 chown: changing ownership of '/etc/letsencrypt/live/npm-1/privkey.pem': Operation not permitted
2024-12-16 18:48:51 s6-rc: warning: unable to start service prepare: command exited 1
2024-12-16 18:48:51 /run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
```

This makes it so that I can't login to the admin page.

Here's my docker-compose config for the service:

```yml
networks:
  proxy-net:
    name: proxy-net
    external: true

services:
  nginx-manager:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx-manager
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ${HOME}/docker-data/nginx/data:/data:rw
      - ${HOME}/docker-data/nginx/letsencrypt:/etc/letsencrypt:rw
    networks:
      - proxy-net
```

If I tear down EVERYTHING and start fresh, meaning... recreating an admin user, recreating an SSL cert, re-adding my proxy hosts, etc, then it works. But, of course, I'd like to avoid having to do this every time!

Is it something around the mounted volume's permissions? I've been scratching my head at this for a few hours, if anyone has any insight into what the problem might be, or how to fix it, I'd greatly appreciate it!

Nginx Proxy Manager Version

2.12.1

Expected behavior

Since I am using a mounted volume to store the nginx manager data and my SSL cert on my host machine, I would expect to be able to tear down the container and spin up a new one as many times, and still be able to login and re-use the cert I created.

Operating System

Debian 12
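
Added example, not part of the original issue or the project's code: a host-side check that lists the numeric owner, mode and symlink target of every entry under the bind-mounted letsencrypt directory, and names the entries not owned by a given UID, so the state the container's "Setting ownership" step meets can be compared before and after a restart. It assumes GNU find (the Debian 12 default); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect what a recursive chown would encounter under a
# bind-mounted letsencrypt tree. Assumes GNU find (-printf, -mindepth).

# audit_cert_tree DIR
# One line per entry: "<uid>:<gid> <octal mode> <type> <path> [<link target>]"
# type is find's %y letter: f = file, d = directory, l = symlink.
# find does not follow symlinks here, so a link line describes the link
# itself, not the file it points to.
audit_cert_tree() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -mindepth 1 -printf '%U:%G %m %y %p %l\n' \
        | sed 's/ $//' \
        | sort -k4
}

# not_owned_by DIR UID
# Paths whose numeric owner differs from UID. Changing the owner of these
# needs CAP_CHOWN in the namespace that owns the files; without it chown
# fails with EPERM ("Operation not permitted").
not_owned_by() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -mindepth 1 ! -uid "$2" -print | sort
}

# Stand-alone use: DIR is the host side of the bind mount, UID is optional.
if [ "$#" -ge 1 ]; then
    audit_cert_tree "$1"
    if [ "$#" -ge 2 ]; then
        echo "--- entries not owned by uid $2 ---"
        not_owned_by "$1" "$2"
    fi
fi
```

Run it on the host against the directory mounted at /etc/letsencrypt (in the compose file above, `${HOME}/docker-data/nginx/letsencrypt`), once after the first successful start and once after the failing restart, and diff the two listings.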


@jaysee260 commented on GitHub (Dec 17, 2024):

Can confirm that I don't even have to tear down the container for this to happen... simply stopping it and restarting causes the issue to start happening!

@sonpeter88 commented on GitHub (Dec 17, 2024):

having the same issue...
there's already an open issue
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4205

@github-actions[bot] commented on GitHub (Jun 24, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍
