NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
20.85k stars 2.42k forks

Error creating let's encrypt certificates. #2565

Open vdhub opened 1 year ago

vdhub commented 1 year ago

Checklist

Describe the bug

I started the docker image after a while and I saw the certs had expired. I tried to renew and I get an error, and then it says Make sure NPM is installed.

for the log of the proxy i have the following

[1/27/2023] [7:56:16 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-51" --agree-tos --authenticator webroot --email "email address" --preferred-challenges "dns,http" --domains "domain" Another instance of Certbot is already running.

Seeing the log it says the following

/tmp/tmpqptp28lj # tail -f log
  File "/usr/lib/python3.9/site-packages/certbot/_internal/lock.py", line 45, in __init__
    self.acquire()
  File "/usr/lib/python3.9/site-packages/certbot/_internal/lock.py", line 60, in acquire
    self._lock_mechanism.acquire()
  File "/usr/lib/python3.9/site-packages/certbot/_internal/lock.py", line 112, in acquire
    self._try_lock(fd)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/lock.py", line 130, in _try_lock
    raise errors.LockError('Another instance of Certbot is already running.')
certbot.errors.LockError: Another instance of Certbot is already running.
2023-01-27 19:56:15,874:ERROR:certbot._internal.log:Another instance of Certbot is already running.

Nginx Proxy Manager Version

Latest

To Reproduce Steps to reproduce the behavior:

  1. Go to '...' Hosts -> proxy Hosts

  2. Click on '....' Add Proxy host.

  3. Scroll down to '....' Go to SSL, require new certificate , select needed. Press Save

  4. See error Internal error...

Expected behavior

To issue the cert and to work

Screenshots

Operating System

X64 server , running Docker

Additional context

vdhub commented 1 year ago

Just tried to generate the SSL separately as I used to: I get this on the page

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-54" --agree-tos --authenticator webroot --email "email" --preferred-challenges "dns,http" --domains "domain" Saving debug log to /var/log/letsencrypt/letsencrypt.log Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:399:12)
at ChildProcess.emit (node:events:526:28)
at maybeClose (node:internal/child_process:1092:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

On test reachability i get this :

Test Server Reachability Communication with the API failed, is NPM running correctly?

Hope it helps

bitfl0wer commented 1 year ago

Can reproduce. Had certbot issues for a while, but they seem to have gotten worse. Error on creating SSL Certificate:

nginxproxymanager-app-1 | [1/31/2023] [12:22:28 PM] [Nginx ] › ℹ info Reloading Nginx
nginxproxymanager-app-1 | [1/31/2023] [12:22:33 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #24: search.bitfl0wer.de
nginxproxymanager-app-1 | [1/31/2023] [12:22:33 PM] [SSL ] › ℹ info Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --authenticator webroot --email "REDACTED" --preferred-challenges "dns,http" --domains "REDACTED"
nginxproxymanager-app-1 | [1/31/2023] [12:22:37 PM] [Nginx ] › ℹ info Reloading Nginx
nginxproxymanager-app-1 | [1/31/2023] [12:22:37 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --authenticator webroot --email "REDACTED" --preferred-challenges "dns,http" --domains "REDACTED"
nginxproxymanager-app-1 | Saving debug log to /var/log/letsencrypt/letsencrypt.log
nginxproxymanager-app-1 | An unexpected error occurred:
nginxproxymanager-app-1 | Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
nginxproxymanager-app-1 | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

/var/log/letsencrypt/letsencrypt.log reads:

2023-01-31 12:24:24,457:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1591, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 492, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 953, in new_order
    return cast(ClientV2, self.client).new_order(csr_pem)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 714, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 114, in _post
    return self.net.post(*args, **kwargs)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 1289, in post
    return self._post_once(*args, **kwargs)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 1303, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 1149, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
2023-01-31 12:24:24,461:ERROR:certbot._internal.log:An unexpected error occurred:
2023-01-31 12:24:24,461:ERROR:certbot._internal.log:Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
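The NPM UI collapses all of these into "Internal Error", so it helps to read the certbot output itself before retrying, because every failed HTTP-01 validation counts against Let's Encrypt's failed-validation limit and blind retries from the UI turn a firewall or DNS problem into the rateLimited error shown above. The following triage helper is an added example, not NPM or certbot code; it covers the three distinct failures quoted in this thread (the LockError in the first post, the rateLimited order error above, and the generic "Some challenges have failed"). The sample outputs are constructed from the quoted logs, and the cause names and recommended actions are the example's own.

```python
"""Triage certbot failures as NPM logs them (added example, not project code).

SAMPLE_OUTPUTS is constructed from the errors quoted in this issue; the IP
203.0.113.10 and the token 'abc' are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Pattern, Tuple


@dataclass(frozen=True)
class Triage:
    cause: str            # short machine-readable label
    safe_to_retry: bool   # False when another attempt makes things worse
    action: str           # what to check before the next attempt


# Ordered rules: the first match wins, so the most specific patterns come first
# (a timeout log also contains "Some challenges have failed").
_RULES: List[Tuple[Pattern[str], Triage]] = [
    (re.compile(r"urn:ietf:params:acme:error:rateLimited|too many failed authorizations"),
     Triage("acme_rate_limited", False,
            "Stop retrying. The CA has rate-limited this hostname; fix the validation "
            "problem first, then wait out the limit (see the URL in the error).")),
    (re.compile(r"Another instance of Certbot is already running|certbot\.errors\.LockError"),
     Triage("certbot_lock_held", False,
            "Another certbot process holds the lock; look for a running or hung certbot "
            "inside the container before retrying.")),
    (re.compile(r"Timeout during connect \(likely firewall problem\)"),
     Triage("http01_connect_timeout", True,
            "The CA could not connect. Verify the A/AAAA records point at this proxy and "
            "that ports 80 and 443 are reachable from the internet, not only from the LAN.")),
    (re.compile(r"Some challenges have failed"),
     Triage("http01_challenge_failed", True,
            "Validation failed; read the 'Detail:' line in /var/log/letsencrypt/letsencrypt.log "
            "before retrying, since each failed attempt counts against the rate limit.")),
]


def triage(certbot_output: str) -> Triage:
    """Classify the text certbot printed (or the letsencrypt.log tail)."""
    for pattern, result in _RULES:
        if pattern.search(certbot_output):
            return result
    return Triage("unknown", False, "Unrecognised error; inspect the log manually.")


# Constructed samples, abbreviated from the logs quoted in this thread.
SAMPLE_OUTPUTS = {
    "lock": "certbot.errors.LockError: Another instance of Certbot is already running.",
    "rate": ("An unexpected error occurred:\n"
             "Error creating new order :: too many failed authorizations recently: "
             "see https://letsencrypt.org/docs/failed-validation-limit/"),
    "timeout": ("Detail: 203.0.113.10: Fetching https://domain.example.com/.well-known/"
                "acme-challenge/abc: Timeout during connect (likely firewall problem)\n"
                "certbot.errors.AuthorizationError: Some challenges have failed."),
    "failed": "Saving debug log to /var/log/letsencrypt/letsencrypt.log\nSome challenges have failed.",
}


def triage_all(samples=SAMPLE_OUTPUTS):
    """Return {name: cause} for a batch of outputs (handy for a log directory)."""
    return {name: triage(text).cause for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        t = triage(text)
        print(f"{name:8} -> {t.cause:24} retry={t.safe_to_retry}  {t.action}")
```

Pipe the NPM container log or `tail /var/log/letsencrypt/letsencrypt.log` into `triage()`; anything that comes back with `safe_to_retry=False` should not be re-requested from the UI until the underlying cause is fixed.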

Vegas10128 commented 1 year ago

Looks like I'm not the only one with SSL registration and renewal issues. Wonder how long this is going to take to be fixed.

It's been a while since I have been on the GitHub page; have there been any updates recently to this repo? Wondering if doing a downgrade might fix the issue for now.

bitfl0wer commented 1 year ago

A temporary fix for me was to change the port of the application I was trying to get a certificate for. I had a webserver running on port 5000. changed the port to 5001 and then the certificate got generated. Weird.

Vegas10128 commented 1 year ago

> A temporary fix for me was to change the port of the application I was trying to get a certificate for. I had a webserver running on port 5000. changed the port to 5001 and then the certificate got generated. Weird.

That does work! But we still have issues trying to get new certificates for new domains.....

Vegas10128 commented 1 year ago

I have recently restarted Ubuntu and tried to start the container and found that Port 53 is being used by another service.

ERROR: for nginxproxymanager_app_1 Cannot start service app: driver failed programming external connectivity on endpoint nginxproxymanager_app_1 (4badd90df063f138d1c0f3079043113506e6a3a602d923da1d2303fc136f9985): Error starting userland proxy: listen tcp4 0.0.0.0:53: bind: address already in use

Been trying to troubleshoot this issue directly because now Nginx Proxy Manager does not work at all after reboot. Any ideas? Using 18.04.

No0Vad commented 1 year ago

Port 53 is used for DNS, I think systemd-resolved is using that by default in Ubuntu

Vegas10128 commented 1 year ago

> Port 53 is used for DNS, I think systemd-resolved is using that by default in Ubuntu

I tried that, I even went as far as installing an OS on another machine. Fresh install with container, then after trying to install the 2nd SSL certificate we're back to the same issue when trying to generate new certificates.

"Internal Error" and "Communication with the API failed, is NPM running correctly?"

macgyver2k commented 1 year ago

I was experiencing the same problem. Removing all unreachable hosts solved it. I had a host whose DNS was pointing to another IP than my Proxy, so LetsEncrypt could not reach the .well-known endpoint.

Stibila commented 1 year ago

Same problem here. According to the letsencrypt.log, fetching the HTTP challenge failed due to a timeout:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: domain.example.com Type: connection Detail: XX.XX.XX.XX: Fetching https://domain.example.com/.well-known/acme-challenge/Mi-qEs1byUk-M4133vU8MYp47hkb93MCu6KMuHGsdWo: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-02-02 13:35:00,244:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

It's weird, because the challenge is accessible without any problem. curl 'https://domain.example.com/.well-known/acme-challenge/test-challenge' returns Success
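A pre-flight check for HTTP-01 that can be run before pressing Save in NPM, added here as an example and not part of NPM or certbot. It does the two things the reports in this thread call for: it compares the hostname's DNS answers with the proxy's public address (the mismatch macgyver2k describes; note that Let's Encrypt prefers IPv6 when an AAAA record exists, so a stray AAAA breaks validation too), and it fetches the challenge path the way the CA does, starting at http:// on port 80 and following redirects, so a redirect to https also needs port 443 open from the internet. The "Timeout during connect" above was reported for the https:// URL after such a redirect. Run it from outside the LAN: a curl from inside can succeed via hairpin NAT while the CA times out. The hostname and proxy IP are command-line arguments, and the resolver and fetcher are injectable so the logic can be exercised offline.

```python
"""HTTP-01 pre-flight check for a proxy host (added example, not project code).

Assumptions: you know the proxy's public IP(s); the probe runs from outside the
LAN. The token 'preflight-probe' is a placeholder; a 404 for it is fine, the
point is that the path is reachable the way the CA reaches it.
"""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Set

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class PreflightResult:
    ok: bool = True
    problems: List[str] = field(default_factory=list)

    def fail(self, msg: str) -> None:
        self.ok = False
        self.problems.append(msg)


def resolve_ips(hostname: str) -> Set[str]:
    """All A/AAAA addresses for hostname as this resolver sees them."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def fetch_status(url: str, timeout: float = 10.0) -> int:
    """HTTP status after following redirects (urllib follows them by default).
    Returns 0 when the TCP connect or TLS handshake fails or times out."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # e.g. 404 for an unknown token: path is reachable
    except (urllib.error.URLError, OSError):
        return 0


def preflight(hostname: str, expected_ips: Iterable[str], token: str = "preflight-probe",
              resolver: Callable[[str], Set[str]] = resolve_ips,
              fetcher: Callable[[str], int] = fetch_status) -> PreflightResult:
    """Check DNS and challenge-path reachability for one proxy host."""
    result = PreflightResult()
    expected = set(expected_ips)

    ips = resolver(hostname)
    if not ips:
        result.fail(f"{hostname}: no A/AAAA records found")
    stray = ips - expected
    if stray:
        # Any address that is not this proxy will be tried by the CA and fail.
        result.fail(f"{hostname}: DNS points at {sorted(stray)}, not at this proxy {sorted(expected)}")

    # The CA starts on port 80; a redirect to https must then succeed on 443 as well.
    status = fetcher(f"http://{hostname}{CHALLENGE_PATH}{token}")
    if status == 0:
        result.fail(f"{hostname}: challenge path unreachable on port 80 (or on 443 after a redirect)")
    elif status >= 500:
        result.fail(f"{hostname}: challenge path answered HTTP {status}; proxy reachable but misconfigured")
    return result


if __name__ == "__main__":
    host, proxy_ip = sys.argv[1], sys.argv[2]
    res = preflight(host, {proxy_ip})
    print("OK" if res.ok else "\n".join(res.problems))
    sys.exit(0 if res.ok else 1)
```

Usage: `python3 preflight.py domain.example.com 203.0.113.10` from a host outside your network; only request the certificate in NPM once it prints OK, so that a misconfiguration does not burn failed-validation attempts.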

lolekuk commented 1 year ago

Are you guys using Cloudflare as your DNS host? If so, have a look for a quick solution here: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2011 Basically switch to Cloudflare's own certs rather than trying to use Let's Encrypt.

Stibila commented 1 year ago

No cloudflare. Self hosted without any 3rd party service in between.

I was able to get the certs signed without any problem when I deployed it some time in November, but now they won't renew.

sebasdt commented 1 year ago

Hey it has been a month now. Has anyone found a fix?

I'm only able to request SSL certificates via DNS; Let's Encrypt says internal error.

If someone can help me find the logs I'll happily provide them.

bmmmm commented 1 year ago

> I have recently restarted Ubuntu and tried to start the container and found that Port 53 is being used by another service.
>
> ERROR: for nginxproxymanager_app_1 Cannot start service app: driver failed programming external connectivity on endpoint nginxproxymanager_app_1 (4badd90df063f138d1c0f3079043113506e6a3a602d923da1d2303fc136f9985): Error starting userland proxy: listen tcp4 0.0.0.0:53: bind: address already in use
>
> Been trying to trouble shoot this issue directly because now Nginx Proxy Manager does not work at all after reboot. Any Ideas? Using 18.04.

This port comes from the dns-01 plugin.

https://eff-certbot.readthedocs.io/en/stable/using.html#getting-certificates-and-choosing-plugins

If you reach the paragraph:

> Some plugins are both authenticators and installers and it is possible to specify a distinct combination of authenticator and plugin.

You have a table which you can move from left to right :)

sebasdt commented 1 year ago

That's weird. Somehow certbot was able to renew and generate new certs... no error in the logs.

bmmmm commented 1 year ago

perfect! :)

For me "only" renewing isn't working. When I delete the expiring cert and create a new one, I'm back on track 🚀

github-actions[bot] commented 5 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: