[GH-ISSUE #580] Unable to renew Let's Encrypt certificates #487

Closed
opened 2026-02-26 06:33:04 +03:00 by kerem · 1 comment

Originally created by @Cilusse on GitHub (Aug 25, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/580

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image? Yes
  • Are you sure you're not using someone else's docker image? Yes
  • If having problems with Lets Encrypt, have you made absolutely sure your site is accessible from outside of your network? Yes

Describe the bug

  • I am unable to renew a Let's Encrypt certificate, and this is not the first time. Last time the issue happened I completely reinstalled the container with a new config. Creating this certificate worked well, but now I can't renew it, and I've decided to help get this issue resolved.
  • What version of Nginx Proxy Manager is reported on the login page? 2.3.1

To Reproduce

  1. Open and log in to Nginx Proxy Manager
  2. SSL Certificates > office.mydomain.com > Renew
  3. The first time after a container restart, it tries for a while and then says 'timeout'
  4. Trying a second time will instantly show 'Internal error'

Expected behavior
Certificate gets renewed

Console output
(First line is the first try to renew, second and third lines are the second try)
8/25/2020] [8:47:20 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #1: office.mydomain.com
[8/25/2020] [8:47:58 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #1: office.mydomain.com
[8/25/2020] [8:47:59 PM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-1" --preferred-challenges "dns,http" --disable-hook-validation

After a while, the first renewal process fails too and this is printed to the console
Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: Failed authorization procedure. office.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://mydomain.com [IPv6]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Operating System

  • Unraid OS 6.8.3

Additional context

  • When the process fails (second console paste), it says Invalid response from https://mydomain.com, shouldn't that be https://office.mydomain.com instead? Also, the [IPv6] address shown is the one of mydomain.com and not office.mydomain.com; it looks like the process is trying to renew a different domain.

  • EDIT: I managed to renew all my other certificates, some of them even CNAMEs back to the same office.mydomain.com subdomain, proving that the DNS and ports are correctly opened and configured. Just that one subdomain doesn't want to get renewed (and it is due for renewal because I received a notification email from certbot).

kerem 2026-02-26 06:33:04 +03:00
  • closed this issue
  • added the bug label

@Cilusse commented on GitHub (Aug 25, 2020):

SOLUTION

Apparently, it is impossible to renew a certificate for a domain that doesn't have a proxy host currently active.
I added a proxy host for that domain, pointing to a random server in my network, and it worked.
Certbot was probably confused because Nginx Proxy Manager is configured in Settings > Default Site, to redirect any request that doesn't have a proxy host to mydomain.com.
Probably a technically correct behaviour, but unexpected to me nonetheless.

I hope this auto-resolution can possibly help others in the same situation.
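
A small log check for the symptom in this thread, added here as an example (not code from Nginx Proxy Manager or certbot): it parses certbot's http-01 failure text and flags failures where the response came from a host other than the name being validated, which points at a redirect such as the Default Site setting described above. The function name and the second sample line are constructed for illustration; the first sample is abbreviated from the output quoted in the issue.

```python
import re
from urllib.parse import urlsplit

# Abbreviated from the certbot output quoted in the issue (HTML body shortened).
ISSUE_LINE = (
    'Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf '
    'produced an unexpected error: Failed authorization procedure. '
    'office.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: '
    'The client lacks sufficient authorization :: Invalid response from '
    'https://mydomain.com [IPv6]: "<html>...404 Not Found...". Skipping.'
)
# Constructed contrast case: the 404 came from the validated host itself.
SAME_HOST_LINE = (
    'Failed authorization procedure. shop.example.test (http-01): '
    'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient '
    'authorization :: Invalid response from '
    'http://shop.example.test/.well-known/acme-challenge/TOKEN [192.0.2.10]: "404"'
)

FAILURE_RE = re.compile(
    r'(?P<name>[A-Za-z0-9.-]+) \(http-01\): '
    r'(?P<error>urn:ietf:params:acme:error:\w+) :: [^\n]*? :: '
    r'Invalid response from (?P<url>https?://\S+)'
)

def check_http01_failures(text):
    """Return one finding per http-01 failure found in certbot output."""
    findings = []
    for m in FAILURE_RE.finditer(text):
        name = m.group('name').lower().rstrip('.')
        served_by = (urlsplit(m.group('url')).hostname or '').rstrip('.')
        findings.append({
            'name': name,
            'served_by': served_by,
            'error': m.group('error').rsplit(':', 1)[-1],
            # A different host indicates the challenge request was redirected
            # away from the name being validated before the token was fetched.
            'redirected': served_by != name,
        })
    return findings

if __name__ == '__main__':
    for f in check_http01_failures(ISSUE_LINE + '\n' + SAME_HOST_LINE):
        cause = ('redirected to another host; check catch-all/default-site rules'
                 if f['redirected'] else 'answered by the validated host itself')
        print(f"{f['name']}: {f['error']} from {f['served_by']} ({cause})")
```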
