mirror of
https://github.com/NginxProxyManager/nginx-proxy-manager.git
synced 2026-04-25 17:35:52 +03:00
[GH-ISSUE #396] Internal Error trying to renew cert #338
Labels
No labels
awaiting feedback
bug
cannot reproduce
dns provider request
duplicate
enhancement
enhancement
enhancement
good first issue
help wanted
invalid
need more info
no certbot plugin available
product-support
pull-request
question
stale
troll
upstream issue
v2
v2
v2
v3
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/nginx-proxy-manager-NginxProxyManager#338
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @AnonJervis on GitHub (May 4, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/396
I was trying to renew my cert running version 2.2.1 and the following error popped up:
I tried restarting the container to renew again and the log shows:
I decided to update to latest and the problem persists, so I completely deleted my npm container and it's data and start a whole new instance. However, I still cannot renew and now my SSL cert expired the moment I tried registering. This is not my only webserver trying to renew SSL and its happening to my other ones as well. I've tried creating with sub.subdomain.duckdns.org and it registered fine. Here is my log after starting everything fresh:
Could this be possible bug in the latest update? Could it be my domain has already been registered with let's encrypted before, I cannot re-register a new one when I start a new container?
@erikalm commented on GitHub (May 6, 2020):
I had a similar issue and fixed it by deleting the certificate that was having issues in "SSL Certificates" tab and requested the certificate again. Before you try this you might want to backup the database and configuration files just in case.
@kizza42 commented on GitHub (May 8, 2020):
I'm having this issue as well, tried restarting the container and clearing out the certificates that keep failing ( I only set this up for the 1st time yesterday). I can't get it to work
When I request I get an error
Then I see the errors in the log like @AnonJervis
If I navigate to SSL Certificates page, I can see an entry still but it wont work
@CorySanin commented on GitHub (May 11, 2020):
I'm having the same issue as well. Renewing manually times out and deleting then re-adding the cert gives "internal error".
@Indemnity83 commented on GitHub (May 11, 2020):
@kizza42 and @CorySanin I believe the "internal error" notifications may be fixed in PR #407
@CorySanin commented on GitHub (May 11, 2020):
switched my existing Docker container over to
jc21/nginx-proxy-manager:github-pr-407and I'm still getting "internal error" when manually renewing or adding a new certificate.Actually, a couple of them were able to renew. But most don't. But the ones that renewed probably would have worked before switching to the tag for the pr.
@Indemnity83 commented on GitHub (May 11, 2020):
Are the ones that are failing linked to hosts that have an applied access list?
If so does removing the access list allow it to succeed?
Lastly, can you post the log from the npm container?
@CorySanin commented on GitHub (May 11, 2020):
I have some with and without access lists, and the ones without are also failing. But looking at the logs I see
Another instance of Certbot is already running.I think what I'm experiencing is certbot hangs on one of the certs and then everything else fails. Which doesn't seem like the original issue, I don't think. So if I continue to see this I might open up a new issue.@kizza42 commented on GitHub (May 11, 2020):
My log after I restart the container:
Those broken files:
/etc/letsencrypt/renewal/npm-3.conf are just empty
So I removed them all and restarted container and tried to create a cert only:
And /var/log/letsencrypt/letsencrypt.log
@jc21 commented on GitHub (May 20, 2020):
Firstly, the error in the issue at the top says that the challenge has failed. This would be due to you asking for a cert for
mywebsite.comthat doesn't have dns pointing to your setup.I doubt any of this has anything to do with access lists.
The missing files make me think that maybe the
dataand/orletsencryptfolders aren't mounted properly. Please paste yourdocker-compose.ymlto be sure.@kizza42 commented on GitHub (May 20, 2020):
Thankyou for the help @jc21
Here is my compose file:
@pantherale0 commented on GitHub (May 25, 2020):
Also experiencing this issue. From the logs:
[5/25/2020] [6:42:02 PM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-1" --agree-tos --email "[EMAIL ADDRESS]" --preferred-challenges "dns,http" --webroot --domains "[DOMAIN]" Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for [DOMAIN] Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains. Waiting for verification... Challenge failed for domain [DOMAIN] http-01 challenge for [DOMAIN] Cleaning up challenges Some challenges have failed.At first thought this was due to a bad install or something, so have a complete clean install and experiencing this. Checked DNS settings, all records are pointing to the correct IP and also checked firewall rules (not that any of these have changed recently).
Interestingly this worked fine a week ago.
@Xinil commented on GitHub (May 27, 2020):
Also experiencing an
Internal Errorwhen I attempt to perform a certificate renewal, or when the certbot attempts for me. letsencrypt.log:My docker-compose.yml
The volumes exist, I have files in the folder '2f1011068b45be8e10e11180c968b254' it describes as a permission issue. Latest v2.2.4.
Any help is appreciated.
@Xinil commented on GitHub (Jun 10, 2020):
Pretty bummed there's no direction on how to resolve this. Anyone thinking about going the manual certificate renewal route? Sounds like a pain, but this is debilitating for my network communication :(
@OuticNZ commented on GitHub (Jun 20, 2020):
My certificates are coming up for renewal and it's failing as well. 20 days before they start expiring. Any guidance on how to resolve?
@Kipjr commented on GitHub (Jul 5, 2020):
Time-consuming workaround for me is:
docker exec -it docker-nginx-proxy_app_1 /bin/bashcertbot certonly --manual --preferred-challenges=dns -m MY@EMAIL.COM --agree-tos -d YOUR_DOMAIN.TLDGo to your DNS-settings of your Domain and add the following record:
name: __acme-challenge
type: TXT
ttl: 1hr
data: The code generated by certbot
wait 5 minutes and press enter in your CLI to verify your domain
Exit the container and go to ./letsencrypt/ and retrieve the cert and cert key.
Go to the Manager and http://192.168.1.100:81/nginx/certificates and add a custom certificate by uploading those files.
@trankillity commented on GitHub (Jul 9, 2020):
Would love an update on this very crippling bug, or be pointed in the direction of the last Docker tag that didn't have this.
@Tsunami2056 commented on GitHub (Jul 9, 2020):
I don't know if it will help, but I ended up giving up. And going to another docker solution that supports dns challenges. Once you configure it is 100% automatic (and also doesn't need you to have your http port open).
Perhaps this could be something to explore for the future of NPM.
@Xinil commented on GitHub (Jul 10, 2020):
I also gave up and moved completely away from Nginx Proxy Manager. Had great success for a year or so, but this SSL issue is crippling. It took me 1hr to install Caddy2 and replicate everything I had.
@dialanothernumb commented on GitHub (Jul 10, 2020):
which solution did you go for in the end @Xinil and @Tsunami2056 ?
@Tsunami2056 commented on GitHub (Jul 10, 2020):
I ended up setting up linuxserver's letsencrypt docker, a little more manual, but supports dns challenges with API plugins for alot of providers. And all is also automated.
If ever at one point there's dns challenging that's automated in npm, I would probably switch back though, it's still alot easier.
@trankillity commented on GitHub (Jul 10, 2020):
Funnily enough, the non-official docker image of NPM works totally fine - so I just started using that.
@dfmckay commented on GitHub (Jul 31, 2020):
It looks like there was a change in the way the certs were written. New certs are written as root vs the uid specified in the docker setup, also the keys that are located in the live directory are now symlinks. I think these issues are the main cause of the errors
My fix was to edit each domain, go into the ssl tab and request a new cert. After that I deleted the old certs in the ssl certificates tab. This didn't get rid of the old conf files, so I opened a shell (I'm using portainer) then ran 'certbot renew' this will give you a list of bad conf files. Then I went to '/etc/letsencrypt/renewal' and deleted the conf files that were giving me errors. To see if it worked I reran 'certbot renew'. The messages came back as skipped which is what I should see.
@janoxakes commented on GitHub (Sep 23, 2020):
Does anybody know what is the latest image that does not have this issue? All my certs are already expired and none of the workarounds worked for me (or I didn't understand them). The non-official package does not work on ARM, so no RPi support.
@Kipjr commented on GitHub (Oct 3, 2020):
Two things:
I'm using v2.5.0 and I might have a workaround:
cleared all entries in the MariaDB-database/npm/certificate
delete all certificates in /etc/letsencrypt/
check firewall to have an open port 80 and port-foward to this docker container. Make sure no other ports are using these.
@swingstate commented on GitHub (Oct 29, 2020):
Installed NPM through docker compose a few days ago and have been able to setup the proxy & to get a LetsEncrypt certificate.
Now, a few days later I cannot get any more certificates and I can see exceptions in the logs. When I try to renew a cert I get an internal error.
Removed the whole container and the db, reinstalled with new folders for letsencrypt and config, tried with a new subdomain and still the same issue.
Port 80 and 443 are forwarded to the docker host and access to a jellyfin server (also a container) through HTTP works.
I can also ping acme-v02.api.letsencrypt.org from the host and get an IpV6 reply. Exposing the host to the internet without a firewall in between also didn't help.
What I understand from the log is, that there seem to be connection errors. However, the host can access
@jc21 can you help narrowing this down?
Below the logs from within portainer after I reinstalled the container.
my docker-compose:
@Vinestou commented on GitHub (Nov 25, 2020):
I have this exact same problem. I keep getting an error. I have two instances: one local and one on a vps. vps has no problems. Which logs should i add for info?
@Kipjr commented on GitHub (Nov 25, 2020):
Please put them in the same docker network (or expose the port of db )
@Vinestou commented on GitHub (Nov 25, 2020):
Shouldnt docker-compose do that automatically (putting them in the same network)?
@Snipe3000 commented on GitHub (Apr 14, 2021):
Has anyone found a solution for this? I have letsencrypt running through NGINX PROXY MANAGER and I'm seeing the same issues in my logs. It just wont give me certs.
@Tragyn commented on GitHub (Apr 14, 2021):
Same issue here. It was working before, now it's not. No change in configuration.
@techc0de commented on GitHub (Apr 19, 2021):
Hi,
I having the same issue with v2.8.1
Any solution for this yet ?
@Snipe3000 commented on GitHub (Apr 19, 2021):
I never found one, so I skipped letsencrypt and I'm using cloudflare certs instead.
@ibracorp commented on GitHub (May 4, 2021):
Best way to go in my opinion. Hence why I did a video on it.
@helio58 commented on GitHub (Jun 14, 2021):
Please could you share the video? Thanks
@ayk33 commented on GitHub (Jul 12, 2021):
Any updates on this?
@julesrulez96 commented on GitHub (Jul 15, 2021):
i m still not able to renew the cert, i force a new cert over the "Edit Proxy Host" menu, then click on SSL-tab and click "Request a new cert" - that worked for me
@postmaster11 commented on GitHub (Jul 30, 2021):
Got the same issue... I have 4 proxy-hosts, only one is unable to get a new certificate. Finally ended up in NGINX logs where I found that NGINX is not able to fire up the webserver for verification (cannot bind IP-address to port 80).
After comparing this NPM container with another one, I found that I changed the Docker-network from 172.... to 10.10.0.0. It's possible that I changed this after deploying the first proxy-host. I guess the old IP or subnet is still somewhere in NGINX configfiles - does somebody have an idea where? I'm not really used with NGINX...
@mwip commented on GitHub (Sep 19, 2021):
Today, I stumbled over the above described errors. I found something else: NPM says the certificates expire today, but visiting the sites reveals and checking in the browser reveals that the certificates are still valid a few weeks or even months... Strange. Maybe it is just wrongly stored in the database?
@Gieter15 commented on GitHub (Oct 10, 2021):
Found the solution. Steps I took:
Hopefully I'm helping someone out there.
@mastan30 commented on GitHub (Jan 26, 2022):
I am still facing this error for creating the Certificate too. This is the error I am seeing, can some one help please?
@LeducH commented on GitHub (Jan 28, 2022):
How to resolve this issue?
@jeb-de commented on GitHub (Feb 2, 2022):
For me it was a problem with Access Lists.
After changing the "Access" of my proxy host to "Publicly Accessible", I was able to renew the Let's encrypt certificate
@Gh0stRocket commented on GitHub (Feb 9, 2022):
For those who get an Internal Error while trying to renew certs and have this or a similar error message in their logs:
Try this https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1816#issuecomment-1030841719
@cptskippy commented on GitHub (Mar 24, 2022):
@LeducH I was able to resolve the problem through the UI.
After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.
@oneil1838 commented on GitHub (Jun 9, 2022):
I found a solution to get a renewal.
) open portainer (if you use it, I use it on every docker maschine)
) navigate to "Containers"-> select the ">_" at the npm container
) navigate with the console to "cd /letsencrypt/live/npm-1"
) run "ln -s cert.pem cert2.pem"
) open NPM -> "SSL Ceritifcates" and try to renew one. This was the solution for me... only the cert in the first "npm-" -folder need a symlink and than the manual renew works. I don't have a cert what will stop working in the next days so I cant test the auto renewal yet.
) mayby a reboot of the nginx service helps to push the new cert
I hope this will help you guys too.
@SydDean commented on GitHub (Nov 18, 2022):
For me this was happening to one specific proxy so I knew it must be down to something special about this host. Checked myself several times, protocol correct, ip correct, port correct. Anyway it was my bad. Although I had DNS setup correctly to point the domain to NGinxPM, I also had a left over NAT rule on my firewall that was forwarding incoming directly to the original machine, not NPM. So could be worth checking your firewall to make sure you've not done something as dumb as I did.
@cptskippy commented on GitHub (Nov 18, 2022):
I wish it were that simple. I have a half dozen domains on a single IP going to multiple servers. If I had a NAT rule wrong then only one of those servers would be remotely accessible.
@Elwyr commented on GitHub (Jan 16, 2023):
I don't know if it's the same error, but I can't renew some certs (not sure why some are affected and some are not) unless I turn off all the SSL settings in the proxy host. Turn off force SSL, turn off HTTP/2, turn off HSTS. Go to certs and renew works, then I have to go back and turn all that back on. Not a great solution.
@D3B453R commented on GitHub (Jan 23, 2023):
I have the same issue. Can't renew specific certs unless I've turned all the SSL settings off. I could provide my logs later that day. Tested it on just one host that was failing, still plenty of hosts to test it. :D
@D3B453R commented on GitHub (Jan 23, 2023):
Tested it now on a few hosts, I have to disable the "Force SSL" under SSL-Settings to renew my certs. When I don't disable it I'll get the "internal error" with the following logs on version 2.9.19:
letsencrypt.log.txt
`2023-01-23 14:59:03,971:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/197593605707 HTTP/1.1" 200 805
2023-01-23 14:59:03,972:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 23 Jan 2023 14:59:03 GMT
Content-Type: application/json
Content-Length: 805
Connection: keep-alive
Boulder-Requester: 286501160
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: CENSORED
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "my.domain.tld"
},
"status": "pending",
"expires": "2023-01-30T14:58:59Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/197593605707/FAxihQ",
"token": "CENSORED"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/197593605707/EcSxMg",
"token": "CENSORED"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/197593605707/NKSXIA",
"token": "CENSORED"
}
]
}
2023-01-23 14:59:03,972:DEBUG:acme.client:Storing nonce: CENSORED
2023-01-23 14:59:06,974:DEBUG:acme.client:JWS payload:
b''
2023-01-23 14:59:06,975:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/197593605707:
{
"protected": "CENSORED",
"signature": "CENSORED",
"payload": ""
}
2023-01-23 14:59:07,128:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/197593605707 HTTP/1.1" 200 1857
2023-01-23 14:59:07,128:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 23 Jan 2023 14:59:07 GMT
Content-Type: application/json
Content-Length: 1857
Connection: keep-alive
Boulder-Requester: 286501160
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: CENSORED
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "my.domain.tld"
},
"status": "invalid",
"expires": "2023-01-30T14:58:59Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "MY-IP: Fetching https://my.domain.tld/.well-known/acme-challenge/CENSORED: Error getting validation data",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/197593605707/FAxihQ",
"token": "CENSORED",
"validationRecord": [
{
"url": "http://my.domain.tld/.well-known/acme-challenge/CENSORED",
"hostname": "my.domain.tld",
"port": "80",
"addressesResolved": [
"MY-IP",
"MY-IP-V6"
],
"addressUsed": "MY-IP-V6"
},
{
"url": "http://my.domain.tld/.well-known/acme-challenge/CENSORED",
"hostname": "my.domain.tld",
"port": "80",
"addressesResolved": [
"MY-IP",
"MY-IP-V6"
],
"addressUsed": "MY-IP"
},
{
"url": "https://my.domain.tld/.well-known/acme-challenge/CENSORED",
"hostname": "my.domain.tld",
"port": "443",
"addressesResolved": [
"MY-IP",
"MY-IP-V6"
],
"addressUsed": "MY-IP-V6"
}
],
"validated": "2023-01-23T14:58:59Z"
}
]
}
2023-01-23 14:59:07,128:DEBUG:acme.client:Storing nonce: CENSORED
2023-01-23 14:59:07,129:INFO:certbot._internal.auth_handler:Challenge failed for domain my.domain.tld
2023-01-23 14:59:07,129:INFO:certbot._internal.auth_handler:http-01 challenge for my.domain.tld
2023-01-23 14:59:07,129:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: my.domain.tld
Type: connection
Detail: MY-IP: Fetching https://my.domain.tld/.well-known/acme-challenge/CENSORED: Error getting validation data
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
2023-01-23 14:59:07,129:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-01-23 14:59:07,129:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-01-23 14:59:07,129:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-01-23 14:59:07,129:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/CENSORED
2023-01-23 14:59:07,130:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-01-23 14:59:07,130:ERROR:certbot._internal.renewal:Failed to renew certificate npm-59 with error: Some challenges have failed.
2023-01-23 14:59:07,131:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 484, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1541, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 344, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-01-23 14:59:07,131:DEBUG:certbot._internal.display.obj:Notifying user:
2023-01-23 14:59:07,131:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2023-01-23 14:59:07,131:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/npm-59/fullchain.pem (failure)
2023-01-23 14:59:07,131:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-01-23 14:59:07,131:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in
sys.exit(main())
File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1744, in main
return config.func(config, plugins)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1630, in renew
renewal.handle_renewal_request(config)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 511, in handle_renewal_request
f"{len(renew_failures)} renew failure(s), {len(parse_failures)} parse failure(s)")
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2023-01-23 14:59:07,131:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
`
@kmanwar89 commented on GitHub (Jan 28, 2023):
+1 as someone else experiencing this error - I've been flooded with renewal emails from LetsEncrypt, and it seems the certs don't auto renew...
Fortunately, it was only 2 or 3 certs so I manually deleted them and re-requested them without issues. Is there any workaround identified?
The logs I get are the below, and seem to be continuous:
@EDIflyer commented on GitHub (Feb 22, 2023):
Same issue here - just had 10 renewal notices this morning - it had been working fine and now none have renewed. @jc21 or anyone else, any word on a fix for this? It's getting to be a fairly major issue and is quite frustrating to have to keep recreating all the certs every month!
@romeolazar commented on GitHub (Mar 20, 2023):
Yes, indeed. The issue is still present in the latest version. The only option is to delete and request a new certificate. Hope for a fix. THANK YOU.
@momoirodouhu commented on GitHub (Mar 26, 2023):
In my case, this issue was solved by deleting the IPv6 address from the DNS record.
@abdros commented on GitHub (Apr 10, 2023):
I had the same issue and solved it by adding a DNS CAA record for the HOST.MYDOMAIN.TLD and setting letsencrypt.org as an authorized certificate provider (I use EasyDNS).
What made me think of this was an email that letsencrypt had sent some time ago regarding this soon-to-come requirement from DNS providers.
Nginx Proxy Manager v2.7.1
Hope this helps others.
@EDIflyer commented on GitHub (Apr 10, 2023):
Sadly I don't think that's an option for my DNS provider. The thing is it used to work fine and the issue seems to be around https being enforced even for the LetsEncrypt check so I'm hoping it's sortable in the code...
@abdros commented on GitHub (Apr 10, 2023):
I do not know if it helps, but I had the "Force SSL" option selected in npm, and it worked. I do not know either if all DNS providers are enforcing the CAA requirement. I wish you good luck.
@EDIflyer commented on GitHub (Apr 10, 2023):
Yep it seems intermittent - when it stopped working I found if I switch that off it seems to work again obtaining certs, but at present both servers have SSL certs far enough away it's not trying to renew them yet
@kaffeepause07 commented on GitHub (Aug 27, 2023):
"Force SSL" option was the problem on my site.
Fixed it by changing the force ssl config file.
The force ssl file works with this settings:
Get this fixe from this site: https://community.alarmiator.de/t/lets-encrypt-zertifikat-wird-von-nginx-proxy-manager-nicht-aktualisiert/380/3
@D3B453R commented on GitHub (Aug 27, 2023):
This works for me. I was already thinking about an alternative for npm.
Thank you.
P.S. vielen Dank für die Lösung, die Kaffeepause haben Sie sich definitiv verdient. ;)
@EDIflyer commented on GitHub (Aug 27, 2023):
Yep - see the PR I did a few weeks ago - https://github.com/NginxProxyManager/nginx-proxy-manager/pull/3121 - has been fine for me since then too.
@Orko79 commented on GitHub (Mar 21, 2024):
This worked for me too! Just replaced the original file with the one from the link (of course after making a backup ;-) ) Vielen Dank und immer frischen, guten Kaffee!
@EDIflyer commented on GitHub (Mar 21, 2024):
Yep - for any not comfortable with making changes themselves, see the PR above I did that made those changes ;)
@abalgo commented on GitHub (Oct 13, 2024):
For me, the problem was different. I've executed the certbot directly in the nginxproxymanager docker container and the problem was more explicit:
ERROR:certbot._internal.renewal:Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf is broken
ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-3/cert.pem to be a symlink. Skipping.
So I've simply copied the files in ../../archive/npm-3 (actually it was not necessary because the files were already there with the name cert3.pem, chain3.pem, ...)
I've just removed the files and replaced them by symlinks:
of course, replace the "3" by the number matching your situation (the biggest one in the archive directory)
and it works. I've renewed the certificates successfully from the user interface.
I hope it will help.
@maurommx commented on GitHub (Dec 16, 2024):
I use nginx proxy manager and now it simply does not update the certificates in any way. I would like to know what the problem is, where exactly do I see the error occurring 500 internal error, I want to know what internal error this is, what is the real error message, where can I find it? I cannot renew this certificate manually in some way, I need to renew the certificate and I do not know how to solve it, apparently there are millions of people looking for a solution to the problem and cannot solve it...., in my case both port 80 and 443 are being redirected. Normally I have some hosts running on 80 and others on 443 and others with an expired certificate and I need to renew some solution?, is the problem in letsencrypt or in nginx proxy manager?
@D3B453R commented on GitHub (Dec 17, 2024):
Hey, you can check the logs of the Docker container with "docker logs %container%" replace %container% with your npm-container-name i.e. npm-app-1.
Now you should see why it's failing to renew your certs.
@bsouthga commented on GitHub (Dec 29, 2024):
In my case (using namecheap), I needed to re-whitelist my ip for api access (for the DNS challenge)
@tl87 commented on GitHub (Jan 2, 2025):
This fixed it for me, but the number 3 was 9 in my case.
@github-actions[bot] commented on GitHub (Jul 22, 2025):
Issue is now considered stale. If you want to keep it open, please comment 👍
@EDIflyer commented on GitHub (Jul 25, 2025):
Still awaiting PR 3121 to be merged in
@Makishima commented on GitHub (Jan 18, 2026):
bump