[GH-ISSUE #747] Internal Error creating SSL #631

Closed
opened 2026-02-26 06:33:45 +03:00 by kerem · 13 comments

Originally created by @magicman32 on GitHub (Nov 30, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/747

Checklist

- Please read the [setup instructions](https://nginxproxymanager.com/setup/)
- Please read the [FAQ](https://nginxproxymanager.com/faq/)

**When creating a proxy host, I get an internal error and SSL is not created. New to Docker, learning as I go.**

This pic is when I try to create a host proxy with SSL:
![npm-ssl-error2](https://user-images.githubusercontent.com/15340872/100572799-7a64c700-332a-11eb-9c4e-0cbd77138cca.png)

This pic is when I try to create SSL on its own without creating a host proxy:
![npm-error3](https://user-images.githubusercontent.com/15340872/100573174-4f2ea780-332b-11eb-949b-1c815c67e2ae.png)

Some of the text is cut out; here is the full log:

```text
Error: Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-12" --agree-tos --email "magicman32.craig@gmail.com" --preferred-challenges "dns,http" --domains "books.beastunraid.me"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for books.beastunraid.me
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain books.beastunraid.me
http-01 challenge for books.beastunraid.me
Cleaning up challenges
Some challenges have failed.

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
```

@magicman32 commented on GitHub (Dec 15, 2020):

anyone??


@rmensing commented on GitHub (Dec 15, 2020):

As far as I am aware you must select "Use a DNS challenge" otherwise CertBot tries to use the HTTP-01 challenge which would require NPM to have access to the webroot of the server you are trying to get a cert for and I'm willing to bet that it does not have that access.

Switch on "Use a DNS challenge", then select your DNS provider, if it is on the list; it will probably need an API token that you will get from your DNS provider. If your DNS provider is not on the list then you may need to switch to one that is. Cloudflare and probably others have free accounts available.


@magicman32 commented on GitHub (Dec 16, 2020):

![npm-dns-challenge](https://user-images.githubusercontent.com/15340872/102320164-0ab03680-3fd0-11eb-82ac-dae58dc719a8.png)
I'm with Cloudflare, am I putting in my global API key? Sorry, noob at this stuff.
Or do I need to create an API token?


@rmensing commented on GitHub (Dec 16, 2020):

You will need to create an API token. Use the "edit zone DNS" template. Make note of the created token as once you close it you will not be able to view the token again.

The global API key no longer works for this. Funny thing is that this is why I was here and saw your post. I was using the global key in some of mine and was getting a similar error when trying to renew. Switching to a created token resolved my issue.


@magicman32 commented on GitHub (Dec 17, 2020):

OK, got my Edit zone DNS API token.
What do I need to put in the Credentials File content section? I'm not sure what to add, replace, or change there.


@chris1668 commented on GitHub (Dec 19, 2020):

I just tried to use the Cloudflare DNS challenge and it seems the Docker image from JLesage does not have the Cloudflare DNS module installed, so after running `pip3 install certbot-dns-cloudflare==1.8.0`
(matching the version from the internal error message) it has now led me to this Command Failed error, with no obvious reason standing out to me.

```text
Error: Command failed: /usr/bin/certbot certonly --non-interactive --cert-name "npm-15" --agree-tos --email "" --domains "*.example.com" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-15"
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1315, in main
    log.pre_arg_parse_setup()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/log.py", line 55, in pre_arg_parse_setup
    temp_handler = TempHandler()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/log.py", line 243, in __init__
    stream = util.safe_open(self.path, mode='w', chmod=0o600)
  File "/usr/lib/python3.8/site-packages/certbot/util.py", line 197, in safe_open
    fd = filesystem.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, *open_args)
  File "/usr/lib/python3.8/site-packages/certbot/compat/filesystem.py", line 149, in open
    return os.open(file_path, flags, mode)
PermissionError: [Errno 13] Permission denied: '/tmp/tmpyp2bcu3c/log'

    at ChildProcess.exithandler (child_process.js:303:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5)
```

![dns_challenege_error](https://user-images.githubusercontent.com/3466448/102682892-bea4f380-4181-11eb-9926-b048e39dba43.png)


@magicman32 commented on GitHub (Dec 19, 2020):

> You will need to create an API token. Use the "edit zone DNS" template. Make note of the created token as once you close it you will not be able to view the token again.
>
> The global API key no longer works for this. Funny thing is that this is why I was here and saw your post. I was using the global key in some of mine and was getting a similar error when trying to renew. Switching to a created token resolved my issue.

Did that, what next?
OK, got my Edit zone DNS API token.
What do I need to put in the Credentials File content section? I'm not sure what to add, replace, or change there.


@magicman32 commented on GitHub (Dec 22, 2020):

@rmensing


@rmensing commented on GitHub (Dec 22, 2020):

Sorry for the delay @magicman32.
Just replace everything after the = sign with the API token. Leave the **propagation seconds** box empty; the default works fine. Click the **I Agree** switch and then click **save**. It should pull a cert without error. I had the NPM log open in a second window so I could watch what it was doing live. I use Portainer, which makes watching the log easier.

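As an added example (not from this thread or the NPM project), here is a small Python check for the credentials file content rmensing describes: it parses the `key = value` lines certbot's Cloudflare plugin reads, flags a leftover placeholder, an empty value, or the legacy global-key pair, and checks that the file is owner-only. The placeholder value and the 40-character token length are assumptions.

```python
import os
import re
import stat
import tempfile

# Keys the certbot-dns-cloudflare plugin reads from its credentials file.
TOKEN_KEY = "dns_cloudflare_api_token"
LEGACY_KEYS = ("dns_cloudflare_email", "dns_cloudflare_api_key")  # global API key pair
# Constructed placeholder of the kind a UI pre-fills; it must be replaced with a real token.
PLACEHOLDER = "0123456789abcdef0123456789abcdef01234567"


def parse_credentials(text):
    """Parse certbot's INI-like 'key = value' lines; '#' lines are comments."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (no '='): {line!r}")
        key, value = line.split("=", 1)
        creds[key.strip()] = value.strip().strip("\"'")  # tolerate quoted values
    return creds


def check_credentials(text):
    """Return a list of problems; an empty list means the content is usable."""
    problems = []
    creds = parse_credentials(text)
    if any(k in creds for k in LEGACY_KEYS):
        problems.append("legacy global API key pair present; use a scoped API token")
    token = creds.get(TOKEN_KEY, "")
    if not token:
        problems.append(f"missing {TOKEN_KEY}")
    elif token == PLACEHOLDER:
        problems.append("token is still the placeholder; paste the token after '='")
    elif not re.fullmatch(r"[A-Za-z0-9_-]{40}", token):  # assumption: 40-char tokens
        problems.append("value does not look like a Cloudflare API token")
    return problems


def file_mode_is_private(path):  # certbot expects an owner-only file (0600)
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo_file_mode(mode):  # write a throwaway file with the given mode and check it
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return file_mode_is_private(path)
    finally:
        os.unlink(path)
```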

@rmensing commented on GitHub (Dec 22, 2020):

@chris1668
My first suggestion would be to try using the official Docker container [jc21/nginx-proxy-manager](https://hub.docker.com/r/jc21/nginx-proxy-manager) because it is already set up to run certbot, as well as being more current than the other. The official container right now was updated 8 days ago and the one you are using is a month old.

I am not a dev on this, just another user like you :) but, to me, it looks like there is a problem with permissions in the container so the app is unable to write to a file it needs. This is why I suggest trying the official container.


@magicman32 commented on GitHub (Dec 23, 2020):

OK, so I was able to create an SSL cert, but when I go to the host address I get "welcome to our server". Confused, not sure if I have missed something.


@magicman32 commented on GitHub (Dec 28, 2020):

@rmensing


@rmensing commented on GitHub (Dec 28, 2020):

Not certain, but it sounds like you are ending up on the non-SSL (HTTP) page. You should be able to tell by whether it has the lock icon before the URL in the address bar.

Why it is doing this is dependent on the server you are proxying and its configuration and possibly other factors.

As a basic example:
I have servers that only serve content unsecured on port 80 or some other port, so I set the **Forward Hostname/IP** and **Forward Port** to those.

I have some that only serve content on a secure port (443) already, so I use that port in the **Forward Port**. On some of these I have had the server show the default web server welcome page on port 80 and the actual content on port 443. This is what it seems like it could be to me.
