[GH-ISSUE #881] Cannot generate SSL certificate #745

Closed
opened 2026-02-26 06:34:14 +03:00 by kerem · 14 comments

Originally created by @stefanorossiti on GitHub (Feb 9, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/881

I managed to configure NPM as a reverse proxy for 2 internal services, but I don't know why I can't generate the certificate. It gives no real error I could work with...

![image](https://user-images.githubusercontent.com/25284995/107343021-3415ac00-6ac1-11eb-9939-439f9ce3c955.png)

I'm using the DNS from Namecheap, which is not in the list; is it necessary to get a certificate?
kerem 2026-02-26 06:34:14 +03:00

@henkisdabro commented on GitHub (Feb 11, 2021):

I've also started getting the Internal Error messages when creating new Proxy Hosts. I'm using Cloudflare and follow the same procedure as always when issuing. It might be related to the new 2.8.0 version as I did not have the issues before that.

I tried reverting to 2.7.3 but now experience the same error on this version too. I also tried removing the XX.conf files associated with old entries, but it seems something old is trailing too (database seems empty when checking with adminer?)


@Ducatel commented on GitHub (Feb 11, 2021):

Same issue for me with the 2.8.0 or 2.7.3 version in SQLite mode running in a Docker container.
I get an error when creating a new cert or on renewal.

I have this kind of log:

```
⚠ warning Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-1" --agree-tos --email "yyy@xxxx.eu --preferred-challenges "dns,http" --domains "xxxx.eu"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.eu
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain xxxx.eu
http-01 challenge for xxxx.eu
Cleaning up challenges
Some challenges have failed.
```

@henkisdabro commented on GitHub (Feb 13, 2021):

Update from my end – it seems to be automatically resolved. I went back to use the :latest image (2.8.0) and booted up NPM and now it seems all is working again. Issuing certs and attaching existing SSL certs to new hosts all seem to work. The issues I had removing proxy hosts are also gone. Phew. Hope it works for you guys too.

@Ducatel commented on GitHub (Feb 13, 2021):

Same for me, yesterday I tried to renew all my certificates and all was done with success...

@talondnb commented on GitHub (Feb 15, 2021):

I'm not having much luck:

```
Error: Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-5" --agree-tos --email "xxxxx@xxxx.com" --preferred-challenges "dns,http" --domains "xxxx.org" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
An unexpected error occurred:
OSError: [Errno 95] Not supported: '../../archive/npm-5/cert1.pem' -> '/etc/letsencrypt/live/npm-5/cert.pem'
Please see the logfiles in /var/log/letsencrypt for more details.

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
```

and log shows:

```
2021-02-15 09:13:34,388:DEBUG:acme.client:Storing nonce: 0104_bjSxVzICRApFzrqN44NJ8AeBZA8zCYedY177UJn5bs
2021-02-15 09:13:34,415:DEBUG:certbot._internal.storage:Archive directory /etc/letsencrypt/archive/npm-5 and live directory /etc/letsencrypt/live/npm-5 created.
2021-02-15 09:13:34,419:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 423, in obtain_and_enroll_certificate
    return storage.RenewableCert.new_lineage(
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 1027, in new_lineage
    os.symlink(_relpath_from_file(archive_target[kind], target[kind]), target[kind])
OSError: [Errno 95] Not supported: '../../archive/npm-5/cert1.pem' -> '/etc/letsencrypt/live/npm-5/cert.pem'
2021-02-15 09:13:34,424:ERROR:certbot._internal.log:An unexpected error occurred:
[root@docker-1fb5b1cfcddd:/app]# 
```

Any ideas?

edit: more logs at startup of container:

```
2/15/2021] [9:44:45 AM] [SSL      ] › ✖  error     Error: Command failed: /usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 466, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 466, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 445, in __init__
    raise errors.CertStorageError(
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/npm-3-0001.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 466, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-3/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 445, in __init__
    raise errors.CertStorageError(
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/npm-4.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 466, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-5/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-5.conf is broken. Skipping.
0 renew failure(s), 6 parse failure(s)

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Socket.<anonymous> (internal/child_process.js:442:11)
    at Socket.emit (events.js:314:20)
    at Pipe.<anonymous> (net.js:673:12)
```
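The two certbot failures in the comment above share one cause: certbot requires every file in live/<lineage>/ to be a relative symlink into archive/<lineage>/ (that is what `_check_symlinks` in the traceback enforces), and the `OSError: [Errno 95] Not supported` raised by `os.symlink` is the kernel refusing to create such a link on the filesystem that backs /etc/letsencrypt, which in an NPM container is the mounted data volume. The Python script below is an added example written for this thread, not code from certbot or Nginx Proxy Manager; it probes whether a directory can hold symlinks and audits each lineage for the layout certbot checks. The lineage names and PEM contents it builds are constructed fixtures, not real certificates.

```python
"""Audit a certbot config dir for the symlink layout that certbot requires.

certbot keeps the real PEM files in archive/<lineage>/<kind>N.pem and expects
live/<lineage>/<kind>.pem to be a relative symlink into that archive. A regular
file there makes `certbot renew` skip the lineage ("expected .../cert.pem to be
a symlink"); a filesystem that cannot create symlinks makes every new lineage
fail with OSError [Errno 95]. Example code for this thread, not certbot's own.
"""
import errno
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

KINDS = ("cert", "chain", "fullchain", "privkey")


def symlinks_supported(directory: Optional[str] = None) -> bool:
    """Probe whether the filesystem holding `directory` can store symlinks.

    Point this at the mounted /etc/letsencrypt inside the NPM container:
    ENOTSUP from os.symlink is the filesystem's answer, not a certbot bug.
    """
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        Path(tmp, "target").write_text("probe\n")
        try:
            os.symlink("target", os.path.join(tmp, "link"))
        except OSError as exc:
            if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP, errno.EPERM):
                return False
            raise
        return os.path.islink(os.path.join(tmp, "link"))


def audit_lineage(config_dir: str, name: str) -> List[str]:
    """Return the problems found for one lineage; an empty list means healthy."""
    base = Path(config_dir)
    live, archive = base / "live" / name, base / "archive" / name
    if not live.is_dir():
        return [f"live/{name}: directory missing"]
    problems: List[str] = []
    for kind in KINDS:
        link = live / f"{kind}.pem"
        if not link.is_symlink():
            state = "regular file" if link.exists() else "missing"
            problems.append(f"live/{name}/{kind}.pem: {state}, expected a symlink")
            continue
        raw = os.readlink(link)
        target = (live / raw).resolve()          # follow the relative link
        try:
            target.relative_to(archive.resolve())
        except ValueError:
            problems.append(f"live/{name}/{kind}.pem -> {raw}: points outside archive/{name}")
        if not target.is_file():
            problems.append(f"live/{name}/{kind}.pem -> {raw}: dangling")
    return problems


def audit_all(config_dir: str) -> Dict[str, List[str]]:
    """Map every lineage under live/ to its list of problems."""
    live_root = Path(config_dir, "live")
    if not live_root.is_dir():
        return {}
    return {d.name: audit_lineage(config_dir, d.name)
            for d in sorted(live_root.iterdir()) if d.is_dir()}


def make_fixture(root: str, name: str, symlinked: bool) -> None:
    """Constructed lineage for demonstration only; the PEM bodies are placeholders."""
    archive, live = Path(root, "archive", name), Path(root, "live", name)
    archive.mkdir(parents=True, exist_ok=True)
    live.mkdir(parents=True, exist_ok=True)
    for kind in KINDS:
        (archive / f"{kind}1.pem").write_text(f"-----BEGIN {kind.upper()} PLACEHOLDER-----\n")
        if symlinked:   # what certbot writes: a relative link into archive/
            os.symlink(f"../../archive/{name}/{kind}1.pem", live / f"{kind}.pem")
        else:           # what a symlink-less copy of the volume leaves behind
            (live / f"{kind}.pem").write_bytes((archive / f"{kind}1.pem").read_bytes())


def demo() -> Dict[str, List[str]]:
    """Build one healthy and one broken lineage in a scratch dir and audit both."""
    with tempfile.TemporaryDirectory() as root:
        make_fixture(root, "npm-1", symlinked=True)
        make_fixture(root, "npm-2", symlinked=False)
        return audit_all(root)


if __name__ == "__main__":
    print("symlinks supported in the temp dir:", symlinks_supported())
    for lineage, found in demo().items():
        print(lineage, "OK" if not found else found)
```

Run `symlinks_supported("/etc/letsencrypt")` inside the container first: if it returns False the volume's filesystem (FAT and some CIFS/SMB mounts behave this way) cannot hold certbot's layout and no NPM version will change that; if it returns True but `audit_all` reports regular files, the certificates were copied onto the volume without preserving links and the lineage has to be recreated.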

@ragaimeena commented on GitHub (Feb 15, 2021):

I am having the same issue. I can't even get to the HTTP request at all. I uninstalled and reinstalled many times:
- addon on HASSIO
- duckdns for the DNS service and subdomain
I get the same internal error, please help.

@talondnb commented on GitHub (Feb 20, 2021):

Bump? I've temporarily moved to the addon in Home Assistant which seems to be working fine for me (but now I'm at my limit for renewals, so I have to wait a week).

@koshia commented on GitHub (Feb 27, 2021):

I'm having the same issue, kept thinking it's me and how I'm registering via Cloudflare, but I'm thinking something's up with Cloudflare.

I'm on Unraid with docker version:
v1.13.0 (2021-02-09)

  • Updated Nginx Proxy Manager to version 2.8.0.
  • Updated OpenResty to version 1.19.3.1.
  • Replaced the deprecated GeoIP module by GeoIP2.

Namecheap is where I have my DNS hosted and I use Cloudflare to proxy. CF uses the zone edit API now instead of the global API to do the acme-challenge. The last time I did this, it was with the global API and it worked fine. Made sure this time around, after I figured it out, to use the Zone API.

We can see the acme-challenge with the TXT records being temporarily created and then removed but for some reason, it still failed.


2021-02-26 21:23:30,029:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/11175401054 HTTP/1.1" 200 381
2021-02-26 21:23:30,030:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 27 Feb 2021 03:23:30 GMT
Content-Type: application/json
Content-Length: 381
Connection: keep-alive
Boulder-Requester: 114015465
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0103QOg-_3hneOVhuDybUkd2UJJY_HofwLC1s4feWy6zioA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain.tld"
  },
  "status": "pending",
  "expires": "2021-03-06T03:23:29Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw",
      "token": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZz"
    }
  ],
  "wildcard": true
}
2021-02-26 21:23:30,030:DEBUG:acme.client:Storing nonce: 0103QOg-_3hneOVhuDybUkd2UJJY_HofwLC1s4feWy6zioA
2021-02-26 21:23:30,031:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-02-26 21:23:30,031:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.tld
2021-02-26 21:23:30,040:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2021-02-26 21:23:30,349:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=domain.tld&per_page=1 HTTP/1.1" 200 None
2021-02-26 21:23:30,351:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Found zone_id of a80070038ab3786d13f8e7b7d40bf9bd for domain.tld using name domain.tld
2021-02-26 21:23:30,352:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Attempting to add record to zone a80070038ab3786d13f8e7b7d40bf9bd: {'type': 'TXT', 'name': '_acme-challenge.domain.tld', 'content': '0PGS80GcKuU434KryKNpTSOiKycHdmnJRACiqJ_oRaw', 'ttl': 120}
2021-02-26 21:23:30,498:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "POST /client/v4/zones/a80070038ab3786d13f8e7b7d40bf9bd/dns_records HTTP/1.1" 200 None
2021-02-26 21:23:30,647:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones/a80070038ab3786d13f8e7b7d40bf9bd/dns_records?type=TXT&name=_acme-challenge.domain.tld&content=0PGS80GcKuU434KryKNpTSOiKycHdmnJRACiqJ_oRaw&per_page=1 HTTP/1.1" 200 None
2021-02-26 21:23:30,648:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Successfully added TXT record with record_id: ffe03bc2d9bfcab1df23e6c1a53e53c5
2021-02-26 21:23:30,654:INFO:certbot.plugins.dns_common:Waiting 10 seconds for DNS changes to propagate
2021-02-26 21:23:40,664:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-02-26 21:23:40,665:DEBUG:acme.client:JWS payload:
b'{}'
2021-02-26 21:23:40,670:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw:
{
  "protected": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "signature": "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY",
  "payload": "e30"
}
2021-02-26 21:23:40,758:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/11175401054/6XREOw HTTP/1.1" 200 185
2021-02-26 21:23:40,759:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 27 Feb 2021 03:23:40 GMT
Content-Type: application/json
Content-Length: 185
Connection: keep-alive
Boulder-Requester: 114015465
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/11175401054>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw
Replay-Nonce: 0103xnKvAWqIss_twR_hJmW9cJbjhbs_8uyBKdM9gPeOvB8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw",
  "token": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZz"
}
2021-02-26 21:23:40,759:DEBUG:acme.client:Storing nonce: 0103xnKvAWqIss_twR_hJmW9cJbjhbs_8uyBKdM9gPeOvB8
2021-02-26 21:23:41,760:DEBUG:acme.client:JWS payload:
b''
2021-02-26 21:23:41,764:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/11175401054:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE0MDE1NDY1IiwgIm5vbmNlIjogIjAxMDN4bkt2QVdxSXNzX3R3Ul9oSm1XOWNKYmpoYnNfOHV5QktkTTlnUGVPdkI4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMTE3NTQwMTA1NCJ9",
  "signature": "QsIm-fkrbOceVUuPUyW6uHj9-Dv6LHHFbcoeeTX1G-QNwHwHfGOxnXkG1iNKpEAN5iTs9Gv_Kwpz3S3z9rxWU9KCwqysY1v6MnEY_Z3r1ITjeNszGvI7IuyhssF_nO5i3i958j0NyTihOzJSz1WJyKPxxREgtQK3b7EC_iEj42yZvXeTEBNVcSEMK2Vn6TrR861oRxFA-9aCRRXEdwMfxlRj7ZCTrgE2kVlGKrpavaKfPkbP_A6cwB2YDNfS1jVkF2MQjKL7SjP5TuF4GgO8WP-6VbCex-HF7_Vuq_CHQudMVcr08VBvZ7OYLBefbl4vPqhmmZt9gD87a09nao2OmQ",
  "payload": ""
}
2021-02-26 21:23:41,836:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/11175401054 HTTP/1.1" 200 612
2021-02-26 21:23:41,837:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 27 Feb 2021 03:23:41 GMT
Content-Type: application/json
Content-Length: 612
Connection: keep-alive
Boulder-Requester: 114015465
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0103F7VcPXfmBVWcUVDro1iPn833A1gklzgK-zXDENhTXfc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain.tld"
  },
  "status": "invalid",
  "expires": "2021-03-06T03:23:29Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"gLcdm1_Fu2KVg89N_7tixugRhhTThq6ymzp8k99J-jk\" found at _acme-challenge.domain.tld",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw",
      "token": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
    }
  ],
  "wildcard": true
}
2021-02-26 21:23:41,837:DEBUG:acme.client:Storing nonce: 0103F7VcPXfmBVWcUVDro1iPn833A1gklzgK-zXDENhTXfc
2021-02-26 21:23:41,838:WARNING:certbot._internal.auth_handler:Challenge failed for domain domain.tld
2021-02-26 21:23:41,838:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.tld
2021-02-26 21:23:41,838:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: domain.tld
Type:   unauthorized
Detail: Incorrect TXT record "gLcdm1_Fu2KVg89N_7tixugRhhTThq6ymzp8k99J-jk" found at _acme-challenge.domain.tld

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-02-26 21:23:41,839:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-02-26 21:23:41,839:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-02-26 21:23:41,839:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-02-26 21:23:41,849:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2021-02-26 21:23:42,080:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=domain.tld&per_page=1 HTTP/1.1" 200 None
2021-02-26 21:23:42,083:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Found zone_id of a80070038ab3786d13f8e7b7d40bf9bd for domain.tld using name domain.tld
2021-02-26 21:23:42,227:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones/a80070038ab3786d13f8e7b7d40bf9bd/dns_records?type=TXT&name=_acme-challenge.domain.tld&content=0PGS80GcKuU434KryKNpTSOiKycHdmnJRACiqJ_oRaw&per_page=1 HTTP/1.1" 200 None
2021-02-26 21:23:42,377:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "DELETE /client/v4/zones/a80070038ab3786d13f8e7b7d40bf9bd/dns_records/ffe03bc2d9bfcab1df23e6c1a53e53c5 HTTP/1.1" 200 None
2021-02-26 21:23:42,378:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Successfully deleted TXT record.
2021-02-26 21:23:42,381:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
/config/log/letsencrypt # 
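The failure in the certbot log above is not "no record" but "wrong record": the Cloudflare plugin wrote one TXT value and, after its 10 second propagation sleep, the CA reported a different 43 character value at the same name. That means the CA resolved an `_acme-challenge` TXT record that was not the one just created (a leftover from an earlier run that the plugin does not delete because it only removes the record_id it created, a second zone answering for the name, or a cached answer). The following is an added example, not code from this issue, from NPM or from certbot, that pulls those two facts out of a certbot debug log and classifies the mismatch; the same check applies to the identical "Incorrect TXT record" message reported later in the thread. The sample log lines are constructed to mirror the posted log, and all function names are this example's own.

```python
"""Triage a certbot dns-01 failure from its debug log.

Added example (not code from the issue thread, from NPM or from certbot).
It extracts the TXT value the DNS plugin *added* and the TXT value the ACME
server *found*, and classifies the mismatch. The sample log lines are
constructed to mirror the posted log; function names are this example's own.
"""
import base64
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: three lines in the shape of the posted certbot log
# (zone id shortened, domain kept generic, TXT values as shown in the post).
SAMPLE_LOG = """\
2021-02-26 21:23:30,352:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Attempting to add record to zone a8007003...: {'type': 'TXT', 'name': '_acme-challenge.domain.tld', 'content': '0PGS80GcKuU434KryKNpTSOiKycHdmnJRACiqJ_oRaw', 'ttl': 120}
2021-02-26 21:23:30,654:INFO:certbot.plugins.dns_common:Waiting 10 seconds for DNS changes to propagate
2021-02-26 21:23:41,838:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server: Domain: domain.tld Type: unauthorized Detail: Incorrect TXT record "gLcdm1_Fu2KVg89N_7tixugRhhTThq6ymzp8k99J-jk" found at _acme-challenge.domain.tld
"""

# What the DNS plugin wrote (the certbot_dns_* plugins log the record dict verbatim).
ADDED = re.compile(r"'name': '(?P<name>[^']+)', 'content': '(?P<content>[^']+)'")
WAIT = re.compile(r"Waiting (?P<secs>\d+) seconds for DNS changes to propagate")
# What the CA reported; quotes are backslash-escaped in the JSON body and bare in the reporter line.
FOUND = re.compile(r'Incorrect TXT record \\?"(?P<content>[^"\\]+)\\?" found at (?P<name>[A-Za-z0-9._-]+)')
# Boulder's wording when the name has no TXT record at all.
NO_RECORD = re.compile(r"No TXT record found at (?P<name>[A-Za-z0-9._-]+)")


@dataclass
class Dns01Triage:
    added: dict = field(default_factory=dict)   # name -> TXT value certbot created
    found: dict = field(default_factory=dict)   # name -> TXT value the CA saw instead
    missing: set = field(default_factory=set)   # names where the CA saw no TXT at all
    wait_seconds: int = 0                       # the plugin's propagation sleep


def triage_certbot_log(text: str) -> Dns01Triage:
    """Single pass over a certbot log, keeping the first CA verdict per name."""
    t = Dns01Triage()
    for line in text.splitlines():
        if m := ADDED.search(line):
            t.added[m["name"]] = m["content"]
        elif m := WAIT.search(line):
            t.wait_seconds = int(m["secs"])
        elif m := FOUND.search(line):
            t.found.setdefault(m["name"], m["content"])
        elif m := NO_RECORD.search(line):
            t.missing.add(m["name"])
    return t


def looks_like_dns01_value(s: str) -> bool:
    """A dns-01 TXT value is unpadded base64url of a SHA-256 digest: exactly 43 chars."""
    return re.fullmatch(r"[A-Za-z0-9_-]{43}", s) is not None


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT = base64url(SHA-256(token '.' thumbprint)), without padding."""
    key_authz = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def classify(t: Dns01Triage, name: str) -> str:
    """One of: not-added, missing, no-error, match, stale-acme, foreign-txt."""
    expected = t.added.get(name)
    if expected is None:
        return "not-added"      # the plugin never wrote a record for this name
    if name in t.missing:
        return "missing"        # record invisible to the CA: propagation or credentials
    seen = t.found.get(name)
    if seen is None:
        return "no-error"
    if seen == expected:
        return "match"          # CA saw our value and still failed: look elsewhere
    # The CA answered from a record other than the one just written: a leftover
    # _acme-challenge TXT from an earlier run, a second zone, or a cached answer.
    return "stale-acme" if looks_like_dns01_value(seen) else "foreign-txt"


if __name__ == "__main__":
    t = triage_certbot_log(SAMPLE_LOG)
    for n in t.added:
        print(n, classify(t, n), "added:", t.added[n], "found:", t.found.get(n))
```

A `stale-acme` verdict means the value the CA found is itself a well-formed dns-01 value, so the next step is to list every TXT record at `_acme-challenge.<domain>` against the zone's authoritative nameservers (not a local resolver), delete the ones certbot did not just create, and retry; a `missing` verdict points at propagation time or API credentials instead.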
Author
Owner

@JesseRedfield commented on GitHub (Mar 9, 2021):

This feels like it is some kind of race condition. So I was messing with this in a rather slow staging VM running in 1 CPU core on a 2014 macbook air, and was unable to generate any SSL certificates UNLESS after every internal server error I just immediately spammed a retry.

I think what is happening is that the web server that hosts the challenge file that letsencrypt is looking for is not coming up fast enough for the challenge. So what the NGINX Proxy Manager is doing in the background is it is taking down whatever it is that you have occupying port 80 at that domain name, replacing the config with a new server that will host the challenge file at port https://domain.com/.well-known/acme-challenge/<SOMEID>

Before this host is actually up, running, and reachable, it is telling the certbot to go ahead and continue the challenge request, and then of course since it can't reach that destination the cert process fails.

You can see the residual effect of this when it is done, it takes about a minute after a cert request for the Congratulations! default landing page for nginx proxy to come back online on my test setup. Basically certbot is beating the webservice coming up with the challenge file and winning the race condition to your failure.

Hammering on renew before the webservice comes back to the congratulations page did it for me, it also fills up the letsencrypt folder with tons of garbage certs =/ This happens both with this image and the newest image from here: https://github.com/jlesage/docker-nginx-proxy-manager/compare.

I don't know if this setup is using the nginx instance to host the challenge file, or using the auto host built into certbot, but either port 80 isn't unbinding fast enough or the switch to the certbot challenge file host isn't happening quick enough.

Author
Owner

@JesseRedfield commented on GitHub (Mar 14, 2021):

This is an issue in certbot nginx, see: https://github.com/certbot/certbot/pull/8163

They implemented a feature to wait for nginx to start back up after changing its configuration; it's a hard timer.

certbot now has a command line parameter --nginx-sleep-seconds <SECONDS> for doing its job on slower machines where nginx may not start up fast enough.

I found this as I was trying to use letsencrypt with a plain nginx system after I could not get a certificate using nginxproxymanager.

Author
Owner

@focher commented on GitHub (Jun 29, 2021):

Any idea when this fix will be implemented in Proxy Manager?

Author
Owner

@jc21 commented on GitHub (Jun 29, 2021):

From the documentation, --nginx-sleep-seconds seems only to apply for the certbot nginx plugin. We don't use that as we control nginx reloads manually.

From the code path I can't see how the reloading of nginx wouldn't be completed prior to requesting a cert via certbot however an additional check for nginx being up could be added rather easily.

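The race described in the Mar 9 comment and the "additional check for nginx being up" mentioned just above come down to one gate: do not hand over to certbot until the reloaded nginx actually answers on the path the CA will fetch. The following is an added example, not NPM's code (NPM's real certbot invocation is not shown in this thread), assuming a webroot-style http-01 flow in which nginx serves `/.well-known/acme-challenge/` from a directory on disk. It writes a random probe file into that directory, fetches it through nginx with the `Host` header the CA would send until it comes back intact, and only then starts certbot. The webroot path, the probe URL, the `Host` value and the certbot command line are assumptions; the loopback stand-in server exists only so the probe can be exercised offline.

```python
"""Gate a webroot certbot run on nginx actually answering on the challenge path.

Added example (not NPM's code). After a config reload, the server that should
answer /.well-known/acme-challenge/<token> on port 80 may not be up yet when
certbot asks the CA to validate. A random probe file is written under the
challenge webroot and fetched through nginx until it comes back, and only then
is certbot started. Webroot, probe URL, Host header and the certbot command
line are assumptions for this example.
"""
import contextlib
import functools
import os
import subprocess
import tempfile
import threading
import time
import urllib.error
import urllib.request
import uuid
from dataclasses import dataclass
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from typing import Callable, Optional

CHALLENGE_DIR = ".well-known/acme-challenge"   # assumed webroot layout


@dataclass
class Probe:
    path: str   # file on disk
    name: str   # last URL path segment
    body: str   # random content nginx must echo back unchanged


def write_probe(webroot: str) -> Probe:
    """Create a random-named probe file under <webroot>/.well-known/acme-challenge/."""
    d = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(d, exist_ok=True)
    name = f"readiness-probe-{uuid.uuid4().hex}"
    body = uuid.uuid4().hex
    path = os.path.join(d, name)
    with open(path, "w", encoding="ascii") as f:
        f.write(body)
    return Probe(path, name, body)


def probe_once(url: str, expected: str, host: Optional[str] = None, timeout: float = 2.0) -> bool:
    """True only if `url` answers 200 with exactly the probe body (as the CA would see it)."""
    req = urllib.request.Request(url, headers={"Host": host} if host else {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status == 200 and r.read().decode("ascii", "replace") == expected
    except (urllib.error.URLError, OSError, ValueError):
        return False   # refused, timed out, 404 from the old config, bad URL: not ready


def wait_until(check: Callable[[], bool], attempts: int, delay: float) -> int:
    """Call check() up to `attempts` times; return the attempt that passed, or 0 if none did."""
    for i in range(1, attempts + 1):
        if check():
            return i
        time.sleep(delay)
    return 0


def wait_for_challenge_path(base_url: str, webroot: str, host: Optional[str] = None,
                            attempts: int = 30, delay: float = 1.0) -> int:
    """Probe through nginx the way the CA will; returns the passing attempt number or 0."""
    p = write_probe(webroot)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{p.name}"
    try:
        return wait_until(lambda: probe_once(url, p.body, host), attempts, delay)
    finally:
        with contextlib.suppress(FileNotFoundError):
            os.remove(p.path)   # never leave probe files in the challenge directory


def run_certbot_when_ready(domain: str, webroot: str, base_url: str = "http://127.0.0.1") -> None:
    """Refuse to start certbot until nginx serves the challenge directory for `domain`."""
    if wait_for_challenge_path(base_url, webroot, host=domain) == 0:
        raise RuntimeError(f"nginx is not serving {CHALLENGE_DIR} for {domain}; not calling certbot")
    # Generic certbot webroot invocation (assumption: not NPM's actual command line).
    subprocess.run(["certbot", "certonly", "--webroot", "-w", webroot, "-d", domain,
                    "--non-interactive"], check=True)


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):   # keep the offline demo silent
        pass


def local_stand_in_server(webroot: Optional[str] = None):
    """Serve a webroot on a random loopback port so the probe can be exercised without nginx."""
    webroot = webroot or tempfile.mkdtemp()
    handler = functools.partial(_QuietHandler, directory=webroot)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}", webroot


if __name__ == "__main__":
    srv, base, root = local_stand_in_server()
    print("served on attempt", wait_for_challenge_path(base, root, host="example.test"))
    print("wrong webroot ->", wait_for_challenge_path(base, root + "-other", attempts=2, delay=0))
    srv.shutdown()
```

Probing through 127.0.0.1 with `Host: <domain>` matters: a plain `curl http://127.0.0.1/` only proves the default server is up, while the CA's request lands in the server block selected by the domain, which is the one the reload replaced.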
Author
Owner

@TWART016 commented on GitHub (Dec 29, 2021):

Hi,

I have the same error:
"Incorrect TXT record \"MYDOMAIN\" found at _acme-challenge.MYDOMAIN"

is there a solution in the meantime?

Author
Owner

@chaptergy commented on GitHub (Dec 30, 2021):

As failing to create a certificate and the "internal error" is a very generic error, this issue has ended up containing a huge mix of entirely different issues, which are not connected. Hence I will go ahead and close this issue, to prevent it from becoming a graveyard for different problems. You can go ahead and open a new issue with specifics to your issue. https://github.com/jc21/nginx-proxy-manager/issues/1271 will help you get started.

Reference
starred/nginx-proxy-manager-NginxProxyManager#745