[GH-ISSUE #5301] Getting Internal Error When Creating Certificate ECDSA 256 Key Type With Cloudflare #3164

Closed
opened 2026-02-26 07:38:00 +03:00 by kerem · 13 comments
Owner

Originally created by @YTKme on GitHub (Feb 12, 2026).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/5301

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

Nginx Proxy Manager Version

Version: v2.13.7

To Reproduce
Steps to reproduce the behavior:

  1. Navigate to the Certificates section.
  2. Select Add Certificate → Let's Encrypt via DNS from the dropdown on the right.
  3. On the Add Let's Encrypt via DNS dialog
    • Enter the Domain Name
    • Select ECDSA 256 for the Key Type
    • Select Cloudflare for the DNS Provider
    • Enter the correct API Token for Credentials File Content
  4. Clicked Save

Expected behavior

After saving, expect the certificate to be created. (This works fine with RSA 2048).

Screenshots

Image

Operating System

Linux, Debian

Additional context

Getting the following error in log

Error:

[2/12/2026] [3:59:21 PM] [Express  ] › ⚠  warning   nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-20/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
kerem 2026-02-26 07:38:00 +03:00
  • closed this issue
  • added the bug label
Author
Owner

@YTKme commented on GitHub (Feb 13, 2026):

I tried restarting the container, but seem to be getting a repeating of the following error

❯ Starting nginx ...
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-20/fullchain.pem, r) error:10000080:BIO routines::no such file)
❯ Starting nginx ...
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/npm-20/fullchain.pem, r) error:10000080:BIO routines::no such file)

@SpasovskiFilip commented on GitHub (Feb 13, 2026):

I get the same message 'Internal Error' when I try to add a proxy host. Either via cloudflare ssl or a local network generated certificate

I get this error in the Nginx Proxy Manager logs

[10:42:15 PM] [Express ] › ⚠ warning insert into `proxy_host` (`access_list_id`, `advanced_config`, `allow_websocket_upgrade`, `block_exploits`, `caching_enabled`, `certificate_id`, `created_on`, `domain_names`, `forward_host`, `forward_port`, `forward_scheme`, `hsts_enabled`, `hsts_subdomains`, `http2_support`, `locations`, `meta`, `modified_on`, `owner_user_id`, `ssl_forced`) values (0, '', 1, 1, 1, '6', NOW(), '["my.domain.com"]', '192.168.31.206', 8265, 'http', 1, 1, 1, '[]', '{}', NOW(), 1, 1) - SQLITE_ERROR: no such function: NOW 

P.S. I'm using v2.13.7


@YTKme commented on GitHub (Feb 14, 2026):

I dug a little deeper, it looks like there is some inconsistency between database and the let's encrypt certificates? When I am starting the container, I realized it was trying to look for a certificate that's already deleted?
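
A check for the state described in this comment, where nginx refuses to start because a config still references a certificate file that is gone. This is an added example, not code from the thread or from the NPM project; `find_missing_certs` and `make_sample` are illustrative names, the sample tree is constructed, and the `/data/nginx` directory named in the comments is an assumption about the container layout.

```sh
#!/bin/sh
# Added example, not NPM project code.
# Reports ssl_certificate / ssl_certificate_key paths in nginx *.conf files
# that point at files missing on disk, the condition behind
# "cannot load certificate ... No such file or directory".

# find_missing_certs DIR  ->  prints "conf-file<TAB>missing-path" per finding
find_missing_certs() {
  find "$1" -type f -name '*.conf' \
    -exec grep -HE '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' {} + 2>/dev/null |
  while IFS= read -r hit; do
    conf=${hit%%:*}            # grep -H output is "file:line"
    path=$(printf '%s\n' "${hit#*:}" | sed -E \
      's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+//; s/[[:space:]]*;.*$//; s/^"(.*)"$/\1/')
    case $path in
      *'$'*) ;;                # nginx variable in the path: cannot be checked statically
      /*) [ -e "$path" ] || printf '%s\t%s\n' "$conf" "$path" ;;
    esac                       # relative paths and data: values are skipped
  done
}

# make_sample DIR: constructed test tree. Host 1 has its certificate files,
# host 2 references a live/ directory that no longer exists.
make_sample() {
  mkdir -p "$1/conf" "$1/live/npm-1"
  : > "$1/live/npm-1/fullchain.pem"
  : > "$1/live/npm-1/privkey.pem"
  for n in 1 2; do
    {
      echo "server {"
      echo "  # ssl_certificate $1/live/old/fullchain.pem;"   # commented out: ignored
      echo "  ssl_certificate $1/live/npm-$n/fullchain.pem;"
      echo "  ssl_certificate_key \"$1/live/npm-$n/privkey.pem\";"
      echo "}"
    } > "$1/conf/$n.conf"
  done
}

# Demo on the constructed tree; on a real host pass the config directory
# instead (for NPM in Docker, /data/nginx is an assumption, adjust as needed).
sample=$(mktemp -d)
make_sample "$sample"
find_missing_certs "$sample/conf"
rm -rf "$sample"
```

Each reported line names the config file to fix or remove and the certificate path it expects, which is enough to decide whether to reissue the certificate or drop the stale host entry.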


@SpasovskiFilip commented on GitHub (Feb 15, 2026):

> I dug a little deeper, it looks like there is some inconsistency between database and the let's encrypt certificates? When I am starting the container, I realized it was trying to look for a certificate that's already deleted?

Don't know if this might help you, but it helped me.
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/5284#issuecomment-3867877807


@YTKme commented on GitHub (Feb 15, 2026):

> > I dug a little deeper, it looks like there is some inconsistency between database and the let's encrypt certificates? When I am starting the container, I realized it was trying to look for a certificate that's already deleted?
>
> Don't know if this might help you, but it helped me. #5284 (comment)

hi @SpasovskiFilip, thank you for the info, i'll give it a try, but not sure where to find the config JSON file.


@SpasovskiFilip commented on GitHub (Feb 15, 2026):

> hi @SpasovskiFilip, thank you for the info, i'll give it a try, but not sure where to find the config JSON file.

I host my NPM via docker, so mine is in the root folder.

Here is my docker volume mapping.
It's called production.json in the NPM.
Screenshot_2026-02-15-08-40-48-10_3aea4af51f236e4932235fdada7d1643.jpg


@YTKme commented on GitHub (Feb 15, 2026):

> > hi @SpasovskiFilip, thank you for the info, i'll give it a try, but not sure where to find the config JSON file.
>
> I host my NPM via docker, so mine is in the root folder.
>
> Here is my docker volume mapping. It's called production.json in the NPM. Screenshot_2026-02-15-08-40-48-10_3aea4af51f236e4932235fdada7d1643.jpg

hmmm, i don't see production.json? Is it sqlite-test-db.json?

[root@docker-a13e87e84c83:/app]# cd config/
[root@docker-a13e87e84c83:/app/config]# ls -al
total 20
drwxr-xr-x 2 root root 4096 Feb  5 21:12 .
drwxr-xr-x 1 root root 4096 Feb  5 21:25 ..
-rw-r--r-- 1 root root   87 Feb  5 21:12 README.md
-rw-r--r-- 1 root root  144 Feb  5 21:12 default.json
-rw-r--r-- 1 root root  678 Feb  5 21:12 sqlite-test-db.json
[root@docker-a13e87e84c83:/app/config]#

@SpasovskiFilip commented on GitHub (Feb 15, 2026):

> hmmm, i don't see production.json? Is it sqlite-test-db.json?

Could be, either that. Or the default.json
Don't know what's in that.


@YTKme commented on GitHub (Feb 15, 2026):

> > hmmm, i don't see production.json? Is it sqlite-test-db.json?
>
> Could be, either that. Or the default.json Don't know what's in that.

don't think is default.json

{
  "database": {
    "engine": "mysql2",
    "host": "db",
    "name": "npm",
    "user": "npm",
    "password": "npm",
    "port": 3306
  }
}

@BartD-Y commented on GitHub (Feb 15, 2026):

I have this setup (by default) with the "better-sqlite3", but still the same error on both ECDSA 256 and RSA 2048.

{
  "database": {
    "engine": "knex-native",
    "knex": {
      "client": "better-sqlite3",
      "connection": {
        "filename": "/data/database.sqlite"
      },
      "useNullAsDefault": true
    }
  }
}

@YTKme commented on GitHub (Feb 15, 2026):

> I have this setup (by default) with the "better-sqlite3", but still the same error on both ECDSA 256 and RSA 2048.
>
> {
>   "database": {
>     "engine": "knex-native",
>     "knex": {
>       "client": "better-sqlite3",
>       "connection": {
>         "filename": "/data/database.sqlite"
>       },
>       "useNullAsDefault": true
>     }
>   }
> }

This is interesting, I switched mine over to better-sqlite3 and they seem to work for me? I am using Cloudflare. Maybe there's a deeper root cause. Do you know what error your log is giving?


@SpasovskiFilip commented on GitHub (Feb 15, 2026):

I too use cloudflare... If that's any help

Edit:
Also I don't know if this is related or not, but I got 6 emails in the past 3 days from cloudflare titled Your domain or one of its subdomains has been issued a new SSL/TLS certificate

I usually get one of these emails every 3 months....


@SpasovskiFilip commented on GitHub (Feb 15, 2026):

> I have this setup (by default) with the "better-sqlite3", but still the same error on both ECDSA 256 and RSA 2048.
>
> {
>   "database": {
>     "engine": "knex-native",
>     "knex": {
>       "client": "better-sqlite3",
>       "connection": {
>         "filename": "/data/database.sqlite"
>       },
>       "useNullAsDefault": true
>     }
>   }
> }

For me I don't have the "useNullAsCode" line

{
  "database": {
    "engine": "knex-native",
    "knex": {
      "client": "better-sqlite3",
      "connection": {
        "filename": "/data/database.sqlite"
      }
    }
  }
}