[GH-ISSUE #51] Not passing letsencrypt requests through proxy_host #47

New issue

Closed

opened 2026-02-26 05:33:50 +03:00 by kerem · 6 comments

kerem commented 2026-02-26 05:33:50 +03:00

Owner

Copy link

Originally created by @xorinzor on GitHub (Jan 12, 2019).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/51

From my own testing it seems that the /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf rules prevents access to the letsencrypt tokens/acme-challenges of any hosts configured as proxy_host.

This is probably because it's trying to access it's own letsencrypt challenges, which ofcourse isn't going to work.

If this isn't something that can be fixed to be allowed for proxy_hosts, can it be disabled in the meanwhile?
It will currently prevent my services of renewing it's certificate when the Nginx-proxy-manager docker container is going to update (and I forget to "fix"/disable the letsencrypt rules).

Alternatively, a way of making these config files persistent would be great too.

EDIT: I just noticed that doing this prevents the proxy-manager from updating it's letsencrypt certificates..

Originally created by @xorinzor on GitHub (Jan 12, 2019). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/51 From my own testing it seems that the /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf rules prevents access to the letsencrypt tokens/acme-challenges of any hosts configured as proxy_host. This is probably because it's trying to access it's own letsencrypt challenges, which ofcourse isn't going to work. If this isn't something that can be fixed to be allowed for proxy_hosts, can it be disabled in the meanwhile? It will currently prevent my services of renewing it's certificate when the Nginx-proxy-manager docker container is going to update (and I forget to "fix"/disable the letsencrypt rules). Alternatively, a way of making these config files persistent would be great too. **EDIT:** I just noticed that doing this prevents the proxy-manager from updating it's letsencrypt certificates..

kerem closed this issue 2026-02-26 05:33:51 +03:00

kerem commented 2026-02-26 05:33:51 +03:00

Author

Owner

Copy link

@xorinzor commented on GitHub (Jan 12, 2019):

I've been trying to adjust the config file myself, to check if the requested file exists locally before using proxy_pass. But for some reason I can't properly test it because it will always return a 404 on a file that I put in the /config/letsencrypt-acme-challenge directory. Even with the default config file source.

Double checked the permissions too. Almost feel like there's something else going on whenever the nginx-manager updates the certificate.

Would very much appreciate it if you could realize this.

<!-- gh-comment-id:453781911 --> @xorinzor commented on GitHub (Jan 12, 2019): I've been trying to adjust the config file myself, to check if the requested file exists locally before using proxy_pass. But for some reason I can't properly test it because it will always return a 404 on a file that I put in the /config/letsencrypt-acme-challenge directory. Even with the default config file source. Double checked the permissions too. Almost feel like there's something else going on whenever the nginx-manager updates the certificate. Would very much appreciate it if you could realize this.

kerem commented 2026-02-26 05:33:51 +03:00

Author

Owner

Copy link

@jc21 commented on GitHub (Jan 14, 2019):

The project was not designed for people who want 2 or more letsencrypt services on their network.

We need to capture all acme requests because there may be hosts in the project that are disabled or deleted, but their Certificates still exist and get automatically renewed.

I don't know the reasons for you to want multiple SSL terminated services on the same IP but this project might not be for you if that is a requirement.

<!-- gh-comment-id:453903425 --> @jc21 commented on GitHub (Jan 14, 2019): The project was not designed for people who want 2 or more letsencrypt services on their network. We need to capture all acme requests because there may be hosts in the project that are disabled or deleted, but their Certificates still exist and get automatically renewed. I don't know the reasons for you to want multiple SSL terminated services on the same IP but this project might not be for you if that is a requirement.

kerem commented 2026-02-26 05:33:52 +03:00

Author

Owner

Copy link

@xorinzor commented on GitHub (Jan 27, 2019):

The reason I want multiple SSL is because the proxy manager only uses SSL to be able to proxy https requests too.

However, the services that run behind the web interface will still need their own certificates renewed to be properly used (ie: poste.io mailserver) on different ports that also use SSL encryption.

IMO hosts that are disabled or deleted shouldn't be managed by the proxy manager, active hosts should take priority, and the requests should be passed on if they aren't meant for the proxy manager.

I need the proxy manager because I need the reverse-proxy in order to be able to run multiple services behind the same port 80 / 443.

<!-- gh-comment-id:457951475 --> @xorinzor commented on GitHub (Jan 27, 2019): The reason I want multiple SSL is because the proxy manager only uses SSL to be able to proxy https requests too. However, the services that run behind the web interface will still need their own certificates renewed to be properly used (ie: poste.io mailserver) on different ports that also use SSL encryption. IMO hosts that are disabled or deleted shouldn't be managed by the proxy manager, active hosts should take priority, and the requests should be passed on if they aren't meant for the proxy manager. I need the proxy manager because I need the reverse-proxy in order to be able to run multiple services behind the same port 80 / 443.

kerem commented 2026-02-26 05:33:52 +03:00

Author

Owner

Copy link

@xorinzor commented on GitHub (Feb 5, 2019):

For the moment I fixed this for me by configuring it to HTTP only, given that I block pretty much everything except letsencrypt for this particular service at this moment.

I still stand by my previous point though.

<!-- gh-comment-id:460754790 --> @xorinzor commented on GitHub (Feb 5, 2019): For the moment I fixed this for me by configuring it to HTTP only, given that I block pretty much everything except letsencrypt for this particular service at this moment. I still stand by my previous point though.

kerem commented 2026-02-26 05:33:52 +03:00

Author

Owner

Copy link

@jc21 commented on GitHub (Feb 6, 2019):

IMO hosts that are disabled or deleted shouldn't be managed by the proxy manager, active hosts should take priority, and the requests should be passed on if they aren't meant for the proxy manager.

Passed on to what? If your domain points to the IP of the machine that is running this project, you can't pick and choose which TCP connections go where, that's why there's a HTTP layer. So, if you delete a host, but it still points to 80/443 running this project, it will say "oh you want example.com? I can't give you that" so it gives you the "Congratulations" page as a default, because we don't know where to send the request since you deleted the configuration for it.

I still stand by my previous point, this project may not be for you. You want a specific implementation and you're the only one wanting it.

<!-- gh-comment-id:460870306 --> @jc21 commented on GitHub (Feb 6, 2019): > IMO hosts that are disabled or deleted shouldn't be managed by the proxy manager, active hosts should take priority, and the requests should be passed on if they aren't meant for the proxy manager. Passed on to what? If your domain points to the IP of the machine that is running this project, you can't pick and choose which TCP connections go where, that's why there's a HTTP layer. So, if you delete a host, but it still points to 80/443 running this project, it will say "oh you want example.com? I can't give you that" so it gives you the "Congratulations" page as a default, because we don't know where to send the request since you deleted the configuration for it. I still stand by my previous point, this project may not be for you. You want a specific implementation and you're the only one wanting it.

kerem commented 2026-02-26 05:33:52 +03:00

Author

Owner

Copy link

@vibratim commented on GitHub (Jan 14, 2020):

I am trying exactly the same atm. My poste.io mailserver needs to create its own certificate via Let's Encrypt (which kind of worked with a custom location for the mailserver entry) and if this works the http/s would not get through.
Option 2 is giving the poste.io container the certificate files, but i am not sure where to find them etc.

<!-- gh-comment-id:574161974 --> @vibratim commented on GitHub (Jan 14, 2020): I am trying exactly the same atm. My poste.io mailserver needs to create its own certificate via Let's Encrypt (which kind of worked with a custom location for the mailserver entry) and if this works the http/s would not get through. Option 2 is giving the poste.io container the certificate files, but i am not sure where to find them etc.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#47

No description provided.