[GH-ISSUE #4288] [BUG] Deleting a certificate without detaching it from the hosts breaks NPM #2760

New issue

Open

opened 2026-02-26 07:36:42 +03:00 by kerem · 5 comments

kerem commented 2026-02-26 07:36:42 +03:00

Owner

Copy link

Originally created by @Grishkaone on GitHub (Jan 10, 2025).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4288

Describe the bug
I use NPM on a Rasberry Pi. Data is stored in 2 volumes: one for /data and another for /etc/letsencrypt.
I have 13 hosts which are all sub-domains of my main domain.
I generate a Let's Encrypt wildcard certificate with a DNS challenge.
All this worked very well.

I recently changed registrar for my domain. Once the migration was completed with the DNS zones up and running, I had to change the method of generating the wildcard certificate (change of API and identifier).

It's not possible to edit this information in NPM. I therefore deleted the certificate, with a view to creating a new one. The deletion was carried out without error. Afterwards, it was impossible to do anything in the back office. I was unlocated and couldn't relocate. I restarted the container, but nothing changed.

There's an error nginx proxy manager nginx: [emerg] cannot load certificate: what I understand is that the 13 hosts that are still attached to the certificate are trying to load it without success since it's no longer there. I no longer have access to the BO to detach hosts from the certificate.

To get back in control, here are the steps I took:

1. Connect to the container console
2. Open /data/nginx/proxy_host/
3. Delete all *.conf files

Then I was able to reconnect to the BO, the hosts are still there, but no certificates are linked to them.
I could set up my new certificate and attach it to each host one by one. The *.conf files were regenerated at this point.

Nginx Proxy Manager Version
2.11.3

To Reproduce
On a configuration with several hosts attached to a wildcard certificate.

1. Open the SSL Certificates tab
2. Click on the menu to the right of the certificate and select Delete.
3. Confirm deletion.
   NPM becomes unusable.

Expected behavior
I can see several solutions.

1. Prohibit deletion of a certificate attached to an active host. Add a warning when deleting the certificate to indicate that x hosts are bound to this certificate and not allow deletion until they have been manually detached.
2. Automate the process. A message similar to solution 1, but indicating that deletion will automatically detach the certificate from each host beforehand, with a checkbox to indicate agreement.

Screenshots
No screenshot, sorry, everything work fine now.

Operating System
Linux 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
Debian version : 11.11

Additional context
I'm in no hurry to reproduce this problem. I'm not in a position to say whether the fact that it's a wildcard certificate is relevant to causing the bug.
There's another solution that I haven't tried: restore the certificates from a backup of the volume, which should work to restore a functional back office.

Originally created by @Grishkaone on GitHub (Jan 10, 2025). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4288 **Describe the bug** I use NPM on a Rasberry Pi. Data is stored in 2 volumes: one for `/data` and another for `/etc/letsencrypt`. I have 13 hosts which are all sub-domains of my main domain. I generate a Let's Encrypt wildcard certificate with a DNS challenge. All this worked very well. I recently changed registrar for my domain. Once the migration was completed with the DNS zones up and running, I had to change the method of generating the wildcard certificate (change of API and identifier). It's not possible to edit this information in NPM. I therefore deleted the certificate, with a view to creating a new one. The deletion was carried out without error. Afterwards, it was impossible to do anything in the back office. I was unlocated and couldn't relocate. I restarted the container, but nothing changed. There's an error `nginx proxy manager nginx: [emerg] cannot load certificate`: what I understand is that the 13 hosts that are still attached to the certificate are trying to load it without success since it's no longer there. I no longer have access to the BO to detach hosts from the certificate. To get back in control, here are the steps I took: 1. Connect to the container console 2. Open `/data/nginx/proxy_host/` 3. Delete all `*.conf` files Then I was able to reconnect to the BO, the hosts are still there, but no certificates are linked to them. I could set up my new certificate and attach it to each host one by one. The `*.conf` files were regenerated at this point. **Nginx Proxy Manager Version** 2.11.3 **To Reproduce** On a configuration with several hosts attached to a wildcard certificate. 1. Open the **SSL Certificates** tab 2. Click on the menu to the right of the certificate and select **Delete**. 3. Confirm deletion. NPM becomes unusable. **Expected behavior** I can see several solutions. 1) **Prohibit deletion of a certificate attached to an active host**. Add a warning when deleting the certificate to indicate that x hosts are bound to this certificate and not allow deletion until they have been manually detached. 2) **Automate the process**. A message similar to solution 1, but indicating that deletion will automatically detach the certificate from each host beforehand, with a checkbox to indicate agreement. **Screenshots** No screenshot, sorry, everything work fine now. **Operating System** Linux 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" Debian version : 11.11 **Additional context** I'm in no hurry to reproduce this problem. I'm not in a position to say whether the fact that it's a wildcard certificate is relevant to causing the bug. There's another solution that I haven't tried: restore the certificates from a backup of the volume, which should work to restore a functional back office.

kerem added the

bug

label 2026-02-26 07:36:42 +03:00

kerem commented 2026-02-26 07:36:42 +03:00

Author

Owner

Copy link

@dogshapedangel commented on GitHub (Feb 14, 2025):

I just ran into this issue as well.

Deleted some certificates from my Let's Encrypt store via the GUI, suddenly the npm-2 certificate was missing and my entire installation was broken. Opted to start from scratch since it had only been spun up a few days ago.

While I'm sure folks don't do this often, this feels like a fairly major issue.

<!-- gh-comment-id:2658088641 --> @dogshapedangel commented on GitHub (Feb 14, 2025): I just ran into this issue as well. Deleted some certificates from my Let's Encrypt store via the GUI, suddenly the npm-2 certificate was missing and my entire installation was broken. Opted to start from scratch since it had only been spun up a few days ago. While I'm sure folks don't do this often, this feels like a fairly major issue.

kerem commented 2026-02-26 07:36:42 +03:00

Author

Owner

Copy link

@szavadschi commented on GitHub (Feb 27, 2025):

I've found a temporary solution to this issue. You can manually edit the configuration file of the affected host. The file is located at data/nginx/proxy_host/xx.conf (replace 'xx' with your Proxy Host #).

Remove the following lines:

listen 443 ssl http2;

and

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-xx/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-xx/privkey.pem;

After removing these lines, simply open the host's configuration in the GUI and click 'Save' without making any other changes. This should resolve the problem. Hopefully, this saves someone else the headache of starting over.

<!-- gh-comment-id:2687058843 --> @szavadschi commented on GitHub (Feb 27, 2025): I've found a temporary solution to this issue. You can manually edit the configuration file of the affected host. The file is located at `data/nginx/proxy_host/xx.conf` (replace 'xx' with your Proxy Host #). Remove the following lines: ``` listen 443 ssl http2; ``` and ``` # Let's Encrypt SSL include conf.d/include/letsencrypt-acme-challenge.conf; include conf.d/include/ssl-ciphers.conf; ssl_certificate /etc/letsencrypt/live/npm-xx/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/npm-xx/privkey.pem; ``` After removing these lines, simply open the host's configuration in the GUI and click 'Save' without making any other changes. This should resolve the problem. Hopefully, this saves someone else the headache of starting over.

kerem commented 2026-02-26 07:36:42 +03:00

Author

Owner

Copy link

@kilrah commented on GitHub (Mar 25, 2025):

I have found the problem also exists even when the host is not supposed to be using the cert anymore.

• Create a host with LE cert generation
• Change the host to not use SSL, unassign the cert from the host
• Delete the cert
• NPM won't start.

Had to restore the cert from the previous day's backup, delete the host, then remove the cert files again (since it won't appear in the GUI again as it's been marked as deleted in the DB.

Also in general a missing cert should only affect the host, not prevent the whole container from starting.

<!-- gh-comment-id:2750522822 --> @kilrah commented on GitHub (Mar 25, 2025): I have found the problem also exists even when the host is not supposed to be using the cert anymore. - Create a host with LE cert generation - Change the host to not use SSL, unassign the cert from the host - Delete the cert - NPM won't start. Had to restore the cert from the previous day's backup, delete the host, then remove the cert files again (since it won't appear in the GUI again as it's been marked as deleted in the DB. Also in general a missing cert should only affect the host, not prevent the whole container from starting.

kerem commented 2026-02-26 07:36:42 +03:00

Author

Owner

Copy link

@KristopherMackowiak commented on GitHub (Jun 23, 2025):

The bug still persists. Is anyone working on this?

<!-- gh-comment-id:2996195068 --> @KristopherMackowiak commented on GitHub (Jun 23, 2025): The bug still persists. Is anyone working on this?

kerem commented 2026-02-26 07:36:42 +03:00

Author

Owner

Copy link

@gabrielecabrini commented on GitHub (Nov 11, 2025):

I also have the same probem, I've got to manually edit the proxy confs and remove the ssl part referencing old (deleted) certs

<!-- gh-comment-id:3515340838 --> @gabrielecabrini commented on GitHub (Nov 11, 2025): I also have the same probem, I've got to manually edit the proxy confs and remove the ssl part referencing old (deleted) certs

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#2760

No description provided.