[GH-ISSUE #1109] npm uses deprecated path for certbot #915

Closed
opened 2026-02-26 06:34:55 +03:00 by kerem · 12 comments

Originally created by @aparaschiv on GitHub (May 19, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1109

**Describe the bug**
In `jc21/nginx-proxy-manager:latest` (2.9.2) npm is using the old certbot path `const certbot_command = '/opt/certbot/bin/certbot';`
This behavior breaks issuing/renewing Let's Encrypt certs with Cloudflare.

```
[5/19/2021] [3:04:20 PM] [SSL      ] › ✖  error     Error: Command failed: /opt/certbot/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf (cert: npm-2) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf (cert: npm-3) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-4.conf (cert: npm-4) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-5.conf (cert: npm-5) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-6.conf (cert: npm-6) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
0 renew failure(s), 5 parse failure(s)
    at ChildProcess.exithandler (node:child_process:326:12)
    at ChildProcess.emit (node:events:369:20)
    at maybeClose (node:internal/child_process:1067:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
```

and

```
[5/19/2021] [3:29:29 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via Cloudflare for Cert #14: *.redacted, redacted
[5/19/2021] [3:29:30 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/19/2021] [3:29:30 PM] [Express  ] › ⚠  warning   Command failed: /opt/certbot/bin/certbot certonly --non-interactive --cert-name "npm-14" --agree-tos --email "redacted_email" --domains "*.redacted,redacted" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-14"
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-cloudflare-credentials /etc/letsencrypt/credentials/credentials-14
```

I saw in the changelogs that the image comes with certbot preinstalled. It is already included in the PATH, but can also be added as a constant
`which certbot /usr/local/bin/certbot`

Using this version of certbot fixes the issue.

For example:

```
[root@docker-97ed925400b5:/app]# certbot renew --cert-name "npm-6"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-6.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate for redacted
Performing the following challenges:
dns-01 challenge for redacted
dns-01 challenge for redacted
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/npm-6/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/npm-6/fullchain.pem (success)
```

kerem closed this issue and added the `bug` label (2026-02-26 06:34:55 +03:00)

@yieldhog commented on GitHub (May 28, 2021):

@aparaschiv @chaptergy I am running Docker on Synology (latest, 2.9.3) -- any idea what commands I need to fix this issue? Thanks


@aparaschiv commented on GitHub (May 31, 2021):

@yieldhog If you only need to renew your expiring certificates, you can re-run the command it runs at npm startup inside the container, but change the path of certbot.
By default the image uses certbot from `/opt/certbot/bin/certbot`. If you use the one located here `/usr/local/bin/certbot`, the cloudflare plugin works.
So, on your machine that runs the docker container run:
`docker exec -ti your_npm_container_name bash`
and inside the container
`/usr/local/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation`
This will renew all expiring certificates; the only caveat is that it won't get updated in the GUI.

The alternative route I took is to rebuild the container locally using the certbot located in `/usr/local/bin/certbot`, which solved the GUI problem.
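
A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the original comments or the project's code: for each renewal config it reports the first certbot binary that actually lists the required authenticator plugin. The candidate paths are the three that appear in the thread; the function names and the `* name` line format of `certbot plugins` output are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not project code): match renewal configs to a certbot
# binary that has the authenticator plugin they were issued with.

# Candidate binaries: the three paths mentioned in this thread.
CERTBOT_CANDIDATES="/opt/certbot/bin/certbot /usr/local/bin/certbot /usr/bin/certbot"

# Print the authenticator named in one renewal config (empty if none),
# e.g. "authenticator = dns-cloudflare" -> "dns-cloudflare".
renewal_authenticator() {
  sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed if the binary exists, is executable and lists the plugin.
# Assumption: `certbot plugins` prints each plugin as a line "* <name>".
has_plugin() {
  [ -x "$1" ] || return 1
  "$1" plugins 2>/dev/null | grep -Eq "^\* $2\$"
}

# For every renewal config in the directory, print one line:
#   <cert-name> <authenticator> <first usable binary, or NONE>
check_renewals() {
  local dir="$1" conf auth bin usable
  for conf in "$dir"/*.conf; do
    [ -f "$conf" ] || continue
    auth="$(renewal_authenticator "$conf")"
    [ -n "$auth" ] || continue
    usable="NONE"
    for bin in $CERTBOT_CANDIDATES; do
      if has_plugin "$bin" "$auth"; then
        usable="$bin"
        break
      fi
    done
    printf '%s %s %s\n' "$(basename "$conf" .conf)" "$auth" "$usable"
  done
}

# Run against a renewal directory when one is passed as an argument.
if [ "$#" -gt 0 ]; then
  check_renewals "$1"
fi
```

Inside the container, pass `/etc/letsencrypt/renewal` as the argument; `NONE` in the third column means none of the listed binaries reports that authenticator.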


@jerkball commented on GitHub (Jun 1, 2021):

Thank you for the ticket and your workaround.
Everything worked well renewing the certificates.

Hopefully the fix will be in upstream fast. But as I can't code and contribute, I'm happy with the workaround as well +1


@scottpage commented on GitHub (Jun 2, 2021):

I deleted my existing cert to fix another issue "another instance of certbot is already running" from the previous version of NPM, then I experienced the above issue after upgrading to the latest image.

Since I deleted my cert, I wasn't able to follow the "renew" instructions from above.
I copied and overwrote /usr/local/bin/certbot to /opt/certbot/bin/certbot, and was able to create a cert.

Man, two major bugs in 10 minutes.
Hopefully this gets patched ASAP.


@yieldhog commented on GitHub (Jun 3, 2021):

@aparaschiv thanks!


@Na3blis commented on GitHub (Jun 4, 2021):

@aparaschiv I'm on 2.9.3, but I don't have certbot in /usr/local/bin. When I look at the dir I only have:

```
[root@docker-1ddfaee157f8:/app]# ls /usr/local/bin
json2lua
lua
lua2json
luac
luarocks
luarocks-admin
pip
pip3
pip3.7
wheel
```

@spanjap commented on GitHub (Jun 10, 2021):

@aparaschiv. Your solution is working great for the time being.
When you use the "Renew Now" button on the SSL Certificates page with the 3 vertical dots then the date of the certificate is adjusted to the new Expire Date.
Wanted to let you know.


@aparaschiv commented on GitHub (Jun 10, 2021):

Ok, cool, thank you for sharing!
Hopefully we will get a fix for this in the near future


@chaptergy commented on GitHub (Jun 17, 2021):

Which certbot version do you get with each of the possibilities? so with `/opt/certbot/bin/certbot --version` and `/usr/local/bin/certbot --version`?


@spanjap commented on GitHub (Jun 18, 2021):

I checked it by connecting to my docker installation with "sudo docker exec -ti nginx-proxy-manager bash"

/opt/certbot/bin/certbot --version
certbot 1.15.0

/usr/local/bin/certbot --version
certbot 1.16.0


@pgk83 commented on GitHub (Jul 1, 2021):

Hi, I solved my problem with these bash commands in the container (`sudo docker exec -ti nginx-proxy-manager bash`):

`mkdir -p /opt/certbot/bin/certbot`

`cp -a /usr/bin/certbot /opt/certbot/bin/certbot`

delete all expired certs and renew.
My certbot dir was:

which certbot /usr/local/bin/certbot =>
/usr/bin/certbot


@schevenin commented on GitHub (Sep 4, 2021):

> Hi, I solved my problem with these bash commands in the container (`sudo docker exec -ti nginx-proxy-manager bash`):
>
> `mkdir -p /opt/certbot/bin/certbot`
>
> `cp -a /usr/bin/certbot /opt/certbot/bin/certbot`
>
> delete all expired certs and renew.
> My certbot dir was:
>
> which certbot /usr/local/bin/certbot =>
> /usr/bin/certbot

How did you change which certbot your system was using? Mine still uses /opt/certbot/bin/certbot
