[GH-ISSUE #4352] Server shows offline when assigned a cert, online without it. #2794

Open
opened 2026-02-26 07:36:48 +03:00 by kerem · 18 comments

Originally created by @yacob841 on GitHub (Feb 6, 2025).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4352

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

I have 34 Proxy Hosts, 33 of them work correctly, the 1 that does not is Authentik. It works properly as long as I do not assign it a Cert in NPM. If I assign it a Cert, the server shows as offline. To reiterate, when there is no cert assigned I can click on the link in NPM, type in the FQDN in the browser, or the IP:Port and it will load Authentik without a cert. However, if I assign it a cert, then the system shows offline; if I click on the link in NPM or use the FQDN in the browser I get the server isn't responding error. If I type in the IP:Port, then I get to Authentik. And again, the other 33 that work all have certs assigned and work fine.

Nginx Proxy Manager Version

v2.12.3

To Reproduce
Steps to reproduce the behavior:

  1. Add Proxy Host
  2. Put IP and Port for Authentik
  3. Create the Host and see server is online
  4. Edit the Host and add a Cert
  5. Save Host and see the server is offline
  6. Edit the Host and remove the Cert
  7. Confirm the server is back online.

Expected behavior

A server being online or offline should not be determined by if a cert is assigned to it. I am guessing there is some error happening in the background and instead of giving an error it's marking offline.

Operating System

Unraid

Additional context

Unraid 7.0.0
All browsers
Latest NPM, Latest Authentik


@pipsen commented on GitHub (Feb 12, 2025):

Same problem here. Newly created SSL hosts not working: Host indicated as offline
ERR_SSL_UNRECOGNIZED_NAME_ALERT


@vluzrmos commented on GitHub (Feb 13, 2025):

Same here...


@AlessandroVivoli commented on GitHub (Feb 17, 2025):

Same problem here.


@GodofPlants commented on GitHub (Feb 17, 2025):

yea exact same issue here.


@vluzrmos commented on GitHub (Feb 17, 2025):

Has anyone found a solution so far?


@AlessandroVivoli commented on GitHub (Feb 18, 2025):

> Has anyone found a solution so far?

The temporary solution for now is to revert back to 2.12.2, open the `database.sqlite` file in the `/data` directory. Execute the following SQL query:

```sql
DELETE FROM migrations WHERE id = 17;
UPDATE sqlite_sequence SET seq = 16 WHERE name = 'migrations';
```

And then restart the app/container.

This removes the 17th migration which is present in the version 2.12.3 but not 2.12.2, and sets the migration sequence (auto_increment) back to 16. This lets the NPM version 2.12.2 run without any errors because of the missing 17th migration js file. Hope this helps.


@pipsen commented on GitHub (Feb 18, 2025):

I can confirm, that this workaround is working - thank you!


@artenais commented on GitHub (May 8, 2025):

Will this be fixed in next release?


@pipsen commented on GitHub (Jul 1, 2025):

Unfortunately not. I just tested with 2.12.4 and the problem is still in place. I am a little bit surprised, as this bug is blocking the main functionality of NginxProxy.

Any comments?


@artenais commented on GitHub (Jul 2, 2025):

This is breaking. Can someone upvote this?


@pipsen commented on GitHub (Jul 9, 2025):

Tested today 2.12.5.. still broken.
I cannot understand why this problem is not fixed. How can other users use this container? It is impossible to create new SSL secured hosts? Can somebody explain to me how these new images can be used with new hosts?


@artenais commented on GitHub (Jul 15, 2025):

This worked for me on 2.12.6. Custom certificate.


@pipsen commented on GitHub (Jul 21, 2025):

I just re-deployed and re-installed a brand new 2.12.6 docker installation from scratch on two different servers with two different domains and two different domain providers (selfhost.de and IPv64.net).

=> No chance to create a new host with SSL support. It is broken from 2.12.3 upwards


@StarfleetCommander commented on GitHub (Aug 18, 2025):

I deployed 2.12.6 on TrueNAS Scale with same effect, still broken till today.


@JohnathonMohr commented on GitHub (Sep 29, 2025):

In case it helps others, I hit this issue too but was able to diagnose and solve it (even on 2.12.6). It turns out my uploaded certificate was getting rejected because the ssl key size was considered too weak for security requirements.

Steps I took

  • Enabled debug logging in NPM - created new environment variable DEBUG in docker configuration, set to "true" (though I think any value will work) and restarted the container.
  • Edited my proxy host with custom cert assigned and hit save
  • Looked at the NPM logs (in Unraid, click the docker container image and then click 'logs')
  • Saw an error message from openssl: "ee key too small", which I then searched for online

I had created my certificate with a 1024 bit key (from a guide that I didn't research enough). Turns out the openssl genrsa command uses a 2048 bit key by default if a key size isn't specified, so I recreated my cert with a new 2048 bit key.

After importing this new cert/key pair into NPM, the proxy host is now enabled with SSL using my new, more secure certificate. :)

Not sure where exactly this new requirement comes from (NPM change, new docker image, ...) but a more secure certificate got past this issue for me.
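
The "ee key too small" diagnosis in the comment above can be checked before a certificate is uploaded. The shell functions below are an added example, not code from this thread or from Nginx Proxy Manager; the function names and the thresholds (RSA 2048 bits, EC 224 bits, the minimums OpenSSL documents for security level 2) are assumptions, and the sample text is constructed.

```shell
#!/bin/sh
# Added example: pre-upload key-strength check for a certificate.
# Thresholds are assumptions (OpenSSL security level 2 minimums);
# adjust them to what your deployment enforces.
MIN_RSA_BITS=2048
MIN_EC_BITS=224

# Reads `openssl x509 -noout -text` output on stdin and prints one line:
#   "<verdict> <algorithm> <bits>"   verdict is ok | weak | unknown
classify_pubkey() {
    awk -v min_rsa="$MIN_RSA_BITS" -v min_ec="$MIN_EC_BITS" '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/ {
            # Matches "Public-Key: (2048 bit)" and the older
            # "RSA Public-Key: (2048 bit)" spelling.
            bits = $0
            sub(/.*Public-Key: \(/, "", bits)
            sub(/ bit.*/, "", bits)
        }
        END {
            # Key types that report no bit count (or unparsable input)
            # are flagged for manual review instead of being passed.
            if (alg == "" || bits == "") { print "unknown - -"; exit }
            min = (alg == "id-ecPublicKey") ? min_ec : min_rsa
            verdict = (bits + 0 >= min + 0) ? "ok" : "weak"
            print verdict, alg, bits
        }'
}

# Checks a PEM certificate file; exit status 0 only when the key is "ok".
check_cert_file() {
    verdict=$(openssl x509 -in "$1" -noout -text 2>/dev/null | classify_pubkey)
    echo "$1: $verdict"
    case "$verdict" in ok\ *) return 0 ;; *) return 1 ;; esac
}

# Constructed excerpts of `openssl x509 -noout -text` output (not from the issue).
SAMPLE_RSA_1024='            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'
SAMPLE_EC_384='            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1'

printf '%s\n' "$SAMPLE_RSA_1024" | classify_pubkey
printf '%s\n' "$SAMPLE_EC_384" | classify_pubkey

# With a file argument, check a real certificate (requires openssl).
if [ $# -gt 0 ]; then check_cert_file "$1"; fi
```

A `weak` verdict on a custom certificate points to the same rejection the debug log reported; an `unknown` verdict means the key type needs a manual look.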


@StarfleetCommander commented on GitHub (Sep 29, 2025):

@JohnathonMohr Thanks for the insights. I cannot confirm right now that this is the same issue on my setup as I temporarily switched to Zoraxy. But at least it's not an RSA key size issue for me, as the certificates in use are ECC certificates with 384-bit secp384r1. But an error log on debug level would be interesting for sure. Maybe there are more key size or algorithm traps inside. Will try to confirm in the next days.


@pipsen commented on GitHub (Oct 2, 2025):

I also tried to analyse with debug log, and I could solve my problem:
I used a customized ssl-ciphers file, where I forced my SSL to version 1.3

This worked for old version, but is broken for new versions. I removed my customized ssl-ciphers file and now it is working


@mofakhar commented on GitHub (Oct 9, 2025):

Still having the issue but was able to get it working on my end by executing the following command once inside the container.
This changes the timeout from 10 seconds to 50 seconds.

`sed -i 's/10000/50000/g' /app/internal/certificate.js`

Do we know when this bug can be fixed?
