Open meiro-zz opened 1 year ago
I can say this is also for when trying to gain a new cert while 80 and 443 ports are open.
System: docker amd64 with version v2.9.19.
Couldn't get it to work and it seems to me certbot broke.
```
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-03-02 13:35:28,786:ERROR:certbot._internal.log:Some challenges have failed.
```
I see that NPM has changed the package name from lets-encrypt https://www.npmjs.com/package/letsencrypt
letsencrypt for node is now greenlock.js
I guess this broke stuff.
Okay great, is there a fix that we can use now? I guess renaming the file or what. Where is it located?
When I try to get the certificate I receive this error
```
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-23" --agree-tos --authenticator webroot --email "xxx@xxx.xx" --preferred-challenges "dns,http" --domains "aaaaa.bbbb.cc"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```
Can you integrate renewing of certificates automatically when they have a third of their total lifetime left? For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
This is for a new certificate:
```
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --authenticator webroot --email "xxx@.xxx.xx" --preferred-challenges "dns,http" --domains "aaa.bbb.cc"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```
This is letsencrypt.log
```
2023-03-03 15:10:01,277:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1591, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-03-03 15:10:01,278:ERROR:certbot._internal.log:Some challenges have failed.
```
This is a core function of nginx proxy manager and was working before like a charm :) it looks like there are some bugs currently around.
At the moment the community is teaming up and looking for workarounds, as developers are currently preparing the new release: https://github.com/NginxProxyManager/nginx-proxy-manager/discussions/1202
My current workaround is to delete an old cert and create a new one, if you haven't tried.
Renewing certificates failed for me. I was able to use this: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2411
(For now) I replaced the line `image: 'jc21/nginx-proxy-manager:latest'` in my docker-compose.yaml file with `image: 'jc21/nginx-proxy-manager:github-pr-2411'`. Certificate renewal worked again after that.
You would expect #2411 to be working in latest docker image right?
Since I installed version v2.9.20 I'm getting this error on renewal:
```
[3/16/2023] [1:16:08 PM] [Express ] › ⚠ warning invalid signature
QueryBuilder#allowEager method is deprecated. You should use allowGraph instead. allowEager method will be removed in 3.0
QueryBuilder#eager method is deprecated. You should use the withGraphFetched method instead. eager method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Model#$omit is deprected and will be removed in 3.0.
[3/16/2023] [1:16:31 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via TransIP for Cert #1: *.mydomain.com, mydomain.com
[3/16/2023] [1:16:31 PM] [SSL ] › ℹ info Command: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[3/16/2023] [1:16:32 PM] [Express ] › ⚠ warning Command failed: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
Traceback (most recent call last):
File "/usr/bin/certbot", line 5, in
```
/edit: Reverted back to version 2.19.9 and it seems to be working again.
I am attempting a DNS challenge with the following settings:
```
# Service Principal
dns_azure_sp_client_id = [token]
dns_azure_sp_client_secret = [token]
dns_azure_tenant_id = [token]
dns_azure_zone1 = example.com:/subscriptions/[subscription]/resourceGroups/[group]
```
* Propagation Seconds: **[blank]**
* Terms of Service: **Agreed**
On selecting `Save` the application processes for a while then returns the following error message:
```
Internal Error
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-28" --agree-tos --email "[email address]" --domains "*.example.com" --authenticator dns-azure --dns-azure-credentials "/etc/letsencrypt/credentials/credentials-28"
Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in <module>
    from certbot.main import main
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/opt/certbot/lib/python3.7/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/opt/certbot/lib/python3.7/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
  File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1517, in <module>
    class X509StoreFlags(object):
  File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1537, in X509StoreFlags
    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```
I will revert to previous version and test again.
**ETA: Reverted to v2.9.19. Generation of certificate worked.**
Sad to see, there must be a version out there that works.
In the meantime I have migrated to the normal nginx proxy; someday I will go back to using npm. Sometimes the simplest solution will just work.
I have the same problem. Downgrading to other versions doesn't work either. A few weeks ago this app worked great, now it doesn't anymore.
In a fresh installation, we see this error message when initially setting up ACME with the Azure DNS challenge:
```
Error: Command failed: . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-azure~=1.2.0 && deactivate
ERROR: Will not install to the user site because it will lack sys.path precedence to cryptography in /opt/certbot/lib/python3.7/site-packages
```
What could be the cause?
The error appears when I call this part of the pipeline (create dns-challenge):
```
pip install --no-cache-dir --user certbot-dns-azure~=1.2.0
...
ERROR: Will not install to the user site because it will lack sys.path precedence to cryptography in /opt/certbot/lib/python3.7/site-packages
```
from here:
```
. /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-azure~=1.2.0 && deactivate && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-0" --agree-tos --email "admin@shift.agency" --domains "*.shift.agency,shift.agency" --authenticator dns-azure --dns-azure-credentials "/etc/letsencrypt/credentials/test.ini"
```
The Azure credentials used work in another environment (pfSense). But the process won't even get there.
Issue is now considered stale. If you want to keep it open, please comment :+1:
Glad, can confirm that SSL renewing is back working 👍🏻
Thanks in advance 👍🏻
Hello,
It looks like too many requests are being sent for certificate renewal. Port 80 was not enabled in the router, so the requests are bounced. Apparently so many requests went out that after the port was released, the error message below was in the logs. "Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
The renewal of the certificate npm-10 failed with an error: Unexpected error while determining the zone identifier for mydom.de: More than 180 requests per minute. Please wait and try again later. Please contact our customer service to find out if the limit of requests can be increased. (4013)"
The message here is in response to a tip from the Unraid forum.
Thanks and greetings
**Nginx Proxy Manager Version** v2.9.19

**To Reproduce** Steps to reproduce the behavior:

**Expected behavior** Renew cert

**Operating System** Unraid, Docker
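
The tracebacks quoted in this thread fall into two different classes: certbot ran and the CA rejected the challenge, or certbot crashed while importing its own dependencies and never contacted the CA. The following is an added example, not part of the thread or of Nginx Proxy Manager's code, that separates the two even when the log has been flattened onto one line; `triage`, the sample strings (constructed and abridged from the logs above) and the "no `main` frame" heuristic are assumptions.

```python
import re

FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\S+)')
# Final "pkg.SomeError: message", ending at the next log timestamp or end of text.
EXC = re.compile(r'((?:\w+\.)*\w*(?:Error|Exception)): (.*?)(?=\s+\d{4}-\d{2}-\d{2} |$)', re.S)

def triage(log_text):
    """Classify a certbot traceback, even when the log was flattened to one line."""
    start = log_text.rfind("Traceback (most recent call last):")
    if start < 0:
        return None
    tb = log_text[start:]
    frames = [(path, int(line), func) for path, line, func in FRAME.findall(tb)]
    found = list(EXC.finditer(tb))
    if not frames or not found:
        return None
    exc, msg = found[-1].group(1), found[-1].group(2).strip()
    # Heuristic (assumption): no frame named "main" means certbot died while
    # importing its dependencies, before any ACME request was sent.
    if not any(func == "main" for _, _, func in frames):
        phase = "import"
    elif exc.endswith("AuthorizationError"):
        phase = "acme-challenge"   # the CA could not validate the domain
    else:
        phase = "runtime"
    return {"exception": exc, "message": msg, "raised_at": frames[-1], "phase": phase}

# Constructed samples, abridged from the two traceback shapes quoted in the thread.
SP = "/opt/certbot/lib/python3.7/site-packages"
CHALLENGE_LOG = (
    '2023-03-03 15:10:01,277:DEBUG:certbot._internal.log:Exiting abnormally: '
    'Traceback (most recent call last): File "/usr/bin/certbot", line 8, in <module> '
    f'sys.exit(main()) File "{SP}/certbot/main.py", line 19, in main '
    f'return internal_main.main(cli_args) File "{SP}/certbot/_internal/auth_handler.py", '
    "line 206, in _poll_authorizations raise errors.AuthorizationError('Some challenges "
    "have failed.') certbot.errors.AuthorizationError: Some challenges have failed. "
    '2023-03-03 15:10:01,278:ERROR:certbot._internal.log:Some challenges have failed.'
)
IMPORT_LOG = (
    'Error: Command failed: certbot certonly Traceback (most recent call last): '
    'File "/usr/bin/certbot", line 5, in <module> from certbot.main import main '
    f'File "{SP}/OpenSSL/crypto.py", line 1537, in X509StoreFlags '
    "CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK AttributeError: module 'lib' "
    "has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'"
)

if __name__ == "__main__":
    for name, log in (("challenge", CHALLENGE_LOG), ("import", IMPORT_LOG)):
        print(name, triage(log))
```

An `import` result points at the container image's Python packages, so changing ports or DNS settings cannot fix it; an `acme-challenge` result points at reachability of the challenge from the CA's side.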