NPM not renewing certs automatically. Running certbot renew manually inside container however works.

[kevdogg]

Hi I'm using current docker image: jc21/nginx-proxy-manager:latest Version v2.7.2 is reported on the npm login page (after I worked around the problem)

I initially obtained my LE certs in Jan 2021, however they never automatically renewed. I couldn't reach the npm web interface b/c of the hsts error when trying to reach the npm website b/c the certs had expired.

The npm docker container kept running however I kept receiving errors in the docker logs like the following:

[9/9/2021] [1:08:06 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[9/9/2021] [1:11:54 PM] [SSL      ] › ✖  error     Error: Command failed: /usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Challenge failed for domain npm.domain.com
Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: Some challenges have failed.. Skipping.

Basically the logs were littered with these types of errors. For background I'm using dns challenge authentication through cloudflare with API (not Global) key.

I've worked with certbot before and manually logged into the container and simply ran:

certbot renew

and just typing this alone -- all the certificates were renewed -- which is super strange since it proves at least my authentication credentials were valid.

So investigating further the command:

usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation

/etc/letsencrypt.ini contains the following:

text = True
non-interactive = True
authenticator = webroot
webroot-path = /data/letsencrypt-acme-challenge

I'm not using a webroot challenge so I'm not sure why this is included in the ini file. Further more the /data partition is an external mounted volume specified in my docker-compose.yml file:

    volumes:
      - /data/npm/npm:/data
      - /etc/ssl/letsencrypt/npm:/etc/letsencrypt
      - /data/npm/ssl-ciphers.conf:/etc/nginx/conf.d/include/ssl-ciphers.conf:ro

Further more --preferred-challenges "dns,http"

Why is http listed as preferred-challenge?

Lastly addressing the other error: Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: Some challenges have failed.. Skipping.

The contents of npm-1.conf are the following:

# renew_before_expiry = 30 days
version = 1.4.0
archive_dir = /etc/letsencrypt/archive/npm-1
cert = /etc/letsencrypt/live/npm-1/cert.pem
privkey = /etc/letsencrypt/live/npm-1/privkey.pem
chain = /etc/letsencrypt/live/npm-1/chain.pem
fullchain = /etc/letsencrypt/live/npm-1/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = <REDACTED>
authenticator = dns-cloudflare
dns_cloudflare_credentials = /etc/letsencrypt/credentials/credentials-1
server = https://acme-v02.api.letsencrypt.org/directory

npm run as docker container within a Virtualized Ubuntu 20.04 host within FreeNAS bhyve hypervisor.

Ideally I'd like certs to be renewed automatically without any manual intervention.

[chaptergy]

The certbot config is generic, so it is always the same independent of whether you only use http challenges, only use dns challenges, both or neither.
Unfortunately the certbot console output is very limited, to find out what the actual problem is, we would need the letsencrypt log. See Unable to create or renew certificate on how to access it.

[simeonradivoev]

I also get this, automatic reviewal fails but when I go to the Dashboard and manually update them one by one using the UI, it works without issues

[github-actions[bot]]

Issue is now considered stale. If you want to keep it open, please comment :+1: