riddertommie
commented
1 year ago Same here.
Let me know if i can do/test/provide something.
Working with docker version v2.9.21
Open greenfishgit23222 opened 1 year ago
riddertommie
commented
1 year ago Same here.
Let me know if i can do/test/provide something.
Working with docker version v2.9.21
greenfishgit23222
commented
1 year ago Same here.
Let me know if i can do/test/provide something.
Working with docker version v2.9.21
After 5 hours of headache I managed to finally get the ssl up and running again!!!
But after 30-60 days when let's encrypt needs renewal i'm afraid this headache will start again because renew ssl doesnt work for me on any of the versions. I have to delete the entire container+config and start from scratch.
What worked for me and it's something I never used before is you go into the category create ssl-certificates, add dns-challenge (new for me) and choose your dns provider and provide your token. Then add your host and point your ssl to your newly created ssl certificate. This only works for me on 2.9.19.
Steps that worked for me
I used this docker-compose-yml
version: '3' services: app: image: 'jc21/nginx-proxy-manager:github-pr-2411' restart: unless-stopped ports:
jc21
commented
1 year ago I can confirm that using 2.9.21 works perfectly fine when requesting a SSL cert using HTTP method just fine, as long as your DNS settings for the domain requesting point directly to NPM.
I can also confirm that manual renewal of this certificate also works fine, as long as that the proxy host for it still exists.
riddertommie
commented
1 year ago Hi, it's still not working for me.
I'm investigating a bit but can't figure it out, help is appreciated.
I have several certificates running and the existing ones work just fine and follow the same configuration and hardware as the ones that have expired and I can't renew.
But I can't manage to request new ones or redo old ones (i did to many request now so i have to wait until tomorrow i think to check again).
At first I thought it might have to do with pi-hole but my server ignores that and when I turn off pi-hole it doesn't work either. Could it be that the requests are coming through ipv6 and I haven't configured that? I'm using DISABLE_IPV6: 'true'
I just don't understand the necessity of -Use a DNS challenge- I use stator as a provider, is this necessary?
I'm a bit stuck. any help is welcome.
Thanks!
Short update, if i press a still working url within NPM is going fine if i do 'test server reach-ability' i get
Communication with the API failed, is NPM running correctly?
EDIflyer
commented
1 year ago I can confirm that using 2.9.21 works perfectly fine when requesting a SSL cert using HTTP method just fine, as long as your DNS settings for the domain requesting point directly to NPM.
I can also confirm that manual renewal of this certificate also works fine, as long as that the proxy host for it still exists.
Thanks @jc21 - sounds good. Does that mean it should have fixed the issues raised in https://github.com/NginxProxyManager/nginx-proxy-manager/issues/396 too? It's just I'm still seeing those renewal errors on some sites...
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [Nginx ] › ℹ info Reloading Nginx
03/20/2023 6:29:14 PM
[3/20/2023] [6:29:14 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
03/20/2023 6:29:14 PM
Failed to renew certificate npm-4 with error: Some challenges have failed.
03/20/2023 6:29:14 PM
Failed to renew certificate npm-6 with error: Some challenges have failed.
03/20/2023 6:29:14 PM
All renewals failed. The following certificates could not be renewed:
03/20/2023 6:29:14 PM
/etc/letsencrypt/live/npm-4/fullchain.pem (failure)
03/20/2023 6:29:14 PM
/etc/letsencrypt/live/npm-6/fullchain.pem (failure)
03/20/2023 6:29:14 PM
2 renew failure(s), 0 parse failure(s)
renan-infonacci
commented
1 year ago I'm having the same problem to revalidate the certificate, I already went back to the version mentioned above and I still couldn't validate it.
What I'm not getting is the DNS + Token to place and generate the certificate, where do I find this within Cloudflare?
themegabyte
commented
1 year ago @EDIflyer Worth checking /var/log/letsencrypt.log by doing:
less /var/log/letsencrypt/letsencrypt.loginside the docker container.
EDIflyer
commented
1 year ago Thanks @themegabyte - had a look and it seems to have a few attempts that show as pending before it returns an invalid:
2023-03-25 22:23:48,996:INFO:certbot._internal.auth_handler:Challenge failed for domain [mysubdomain.tld]
2023-03-25 22:23:48,996:INFO:certbot._internal.auth_handler:http-01 challenge for [mysubdomain.tld]
2023-03-25 22:23:48,996:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: [mysubdomain.tld]
Type: connection
Detail: 85.159.208.227: Fetching https://[mysubdomain.tld]/.well-known/acme-challenge/bbYQWve03QzcXqE8BT8ATSt-CuvNJ2kiWhFdCv5KjAI: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
2023-03-25 22:23:49,004:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-03-25 22:23:49,005:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-03-25 22:23:49,005:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-03-25 22:23:49,005:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/bbYQSve03QzcXqE5BT8ATSt-CuvNJ2kiWhFdCv5KjAI
2023-03-25 22:23:49,006:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-03-25 22:23:49,007:ERROR:certbot._internal.renewal:Failed to renew certificate npm-12 with error: Some challenges have failed.
2023-03-25 22:23:49,016:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 525, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1547, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 387, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.The weird thing is if I delete and recreate it then it seems to work OK, at least until it is due for renewal. I can provide more log file info if helpful (not sure if there are any other more relevant bits I've missed).
UPDATE: From searching open issues I see lots of others with similar problems: https://github.com/NginxProxyManager/nginx-proxy-manager/issues?q=%22The+Certificate+Authority+failed+to+download+the+temporary+challenge+files+created+by+Certbot%22+
In particular #2258 #1625 #2565 seem to confirm an issue with 'force SSL' not letting the LetsEncrypt SSL renewal through on port 80. PR #2038 seems to be a fix but hasn't been merged - @jc21 not sure if you would be able to consider that?
I've now manually gone through each of the 8 proxy hosts (thankfully not as many on this server!) and switched off 'force SSL'. When I tried to renew I got the 'another instance of certbot is already running' error (see #918), despite nothing obviously being in progress. I then ran find / -type f -name ".certbot.lock" -exec rm {} \; and then finally managed to manually renew each certificate via the SSL page on the NPM frontend. So it's great that it has worked for another 3 months, but clearly quite a hassle to have to keep doing it this way and I'd prefer to be able to leave 'force SSL' set to on.
themegabyte
commented
1 year ago Thank you for posting @EDIflyer. I had the exact same issue, Timeout during connect. I had to disable my hosts to get the auto renew to work. It worked smoothly but manually.
I manually tried to access /.well-known/acme-challenge/, and I saw that it was redirecting towards my drone CI container instead of whatever it was supposed to go to (this could be wrong way to test, however, as certbot doesn't place the files for that long to test I think...).
However, I had another version working on a separate production server and I saw no issues there... I will report back with more data if I have.
sanderlv
commented
1 year ago I may not swear! But FFS, I have this issue.
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-39" --agree-tos --authenticator webroot --email "mail@domain.com" --preferred-challenges "dns,http" --domains "mail.domain.com" Saving debug log to /tmp/letsencrypt-log/letsencrypt.log Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)I had this with 2.9.19 and still when I pulled 2.10.2
Now I cannot renew any domain anymore!
HELP is very much appreciated and needed!
I tried normal challenge and (new?) dns challenge (but not sure if I did that right since I use a *.domain.com dyn dns with Joker)
It always worked well and I also managed to create around 30 certs succesfully
HELP
Some more logging:
[4/1/2023] [5:41:06 PM] [SSL ] › ℹ info Testing http challenge for mail.domain.com
Uncaught SyntaxError: Unexpected end of JSON input
FROM
bash: line 1: 146 Trace/breakpoint trap (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js
❯ Starting backend ...
[4/1/2023] [5:41:08 PM] [Global ] › ℹ info Using Sqlite: /data/database.sqlite
[4/1/2023] [5:41:09 PM] [Migrate ] › ℹ info Current database version: none
[4/1/2023] [5:41:09 PM] [Setup ] › ℹ info Logrotate Timer initialized
[4/1/2023] [5:41:09 PM] [Setup ] › ℹ info Logrotate completed.
[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[4/1/2023] [5:41:09 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[4/1/2023] [5:41:09 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[4/1/2023] [5:41:09 PM] [Global ] › ℹ info Backend PID 448 listening on port 3000 ...
[4/1/2023] [5:41:09 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation
Another instance of Certbot is already running.
at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
[4/1/2023] [5:43:54 PM] [SSL ] › ℹ info Revoking Let'sEncrypt certificates for Cert #29: mail.domain.com
[4/1/2023] [5:43:54 PM] [SSL ] › ℹ info Command: certbot revoke --config "/etc/letsencrypt.ini" --cert-path "/etc/letsencrypt/live/npm-29/fullchain.pem" --delete-after-revoke ; rm -f '/etc/letsencrypt/credentials/credentials-29' || true
[4/1/2023] [5:43:55 PM] [SSL ] › ℹ info Deleted all files relating to certificate npm-29.
Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/npm-29/fullchain.pem.
[4/1/2023] [5:44:13 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2023] [5:44:18 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #39: mail.domain.com
[4/1/2023] [5:44:18 PM] [SSL ] › ℹ info Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-39" --agree-tos --authenticator webroot --email "nginx@domain.com" --preferred-challenges "dns,http" --domains "mail.domain.com"
[4/1/2023] [5:44:30 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/temp/letsencrypt_39.conf
[4/1/2023] [5:44:30 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2023] [5:44:30 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-39" --agree-tos --authenticator webroot --email "nginx@domain.com" --preferred-challenges "dns,http" --domains "mail.domain.com"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
[4/1/2023] [5:45:18 PM] [SSL ] › ℹ info Testing http challenge for mail.domain.com
Uncaught SyntaxError: Unexpected end of JSON input
FROM
bash: line 1: 448 Trace/breakpoint trap (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js
❯ Starting backend ...
[4/1/2023] [5:45:19 PM] [Global ] › ℹ info Using Sqlite: /data/database.sqlite
[4/1/2023] [5:45:20 PM] [Migrate ] › ℹ info Current database version: none
[4/1/2023] [5:45:20 PM] [Setup ] › ℹ info Logrotate Timer initialized
[4/1/2023] [5:45:20 PM] [Setup ] › ℹ info Logrotate completed.
[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[4/1/2023] [5:45:20 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[4/1/2023] [5:45:20 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[4/1/2023] [5:45:21 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[4/1/2023] [5:45:21 PM] [Global ] › ℹ info Backend PID 1242 listening on port 3000 ...
[4/1/2023] [5:46:54 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2023] [5:46:54 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates via Joker for Cert #40: mail.domain.com
[4/1/2023] [5:46:54 PM] [SSL ] › ℹ info Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_joker_username = no
dns_joker_password = no
dns_joker_domain = domain.com' > '/etc/letsencrypt/credentials/credentials-40' && chmod 600 '/etc/letsencrypt/credentials/credentials-40' && . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-joker~=1.1.0 && deactivate && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-40" --agree-tos --email "nginx@domain.com" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-40"
[4/1/2023] [5:46:56 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2023] [5:46:56 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-40" --agree-tos --email "nginx@domain.com" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-40"
Another instance of Certbot is already running.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-i26wbiq9/log or re-run Certbot with -v for more details.
[4/1/2023] [5:47:07 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2023] [5:47:07 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates via Joker for Cert #41: mail.domain.com
[4/1/2023] [5:47:07 PM] [SSL ] › ℹ info Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_joker_username = no
dns_joker_password = no
dns_joker_domain = *.domain.com' > '/etc/letsencrypt/credentials/credentials-41' && chmod 600 '/etc/letsencrypt/credentials/credentials-41' && . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-joker~=1.1.0 && deactivate && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-41" --agree-tos --email "nginx@domain.com" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-41"
[4/1/2023] [5:47:08 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2023] [5:47:08 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-41" --agree-tos --email "nginx@domain.com" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-41"
Another instance of Certbot is already running.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-5s6n3w19/log or re-run Certbot with -v for more details.
[4/1/2023] [5:49:19 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-30 with error: Some challenges have failed.
Failed to renew certificate npm-31 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-30/fullchain.pem (failure)
/etc/letsencrypt/live/npm-31/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)
at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
[4/1/2023] [5:52:45 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2023] [5:52:50 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #42: mail.domain.com
[4/1/2023] [5:52:50 PM] [SSL ] › ℹ info Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-42" --agree-tos --authenticator webroot --email "mail@domain.nl" --preferred-challenges "dns,http" --domains "mail.domain.com"
[4/1/2023] [5:53:05 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/temp/letsencrypt_42.conf
[4/1/2023] [5:53:05 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2023] [5:53:05 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-42" --agree-tos --authenticator webroot --email "mail@domain.nl" --preferred-challenges "dns,http" --domains "mail.domain.com"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.EDIT:
Any renewal gives me:
Any creation gives me above error...
This is a major issue
EDIflyer
commented
1 year ago @sanderlv see my post above - the workaround that did the trick for me was running the command within the container to kill off duplicate certbot instances/locks and then switching off force SSL before trying to renew the certificate. I see @jc21 has made quite a few commits recently so I'm hoping this SSL cert renewal might get fixed soon 🤞
sanderlv
commented
1 year ago I have the certificate not connected to a proxy host, just trying to create it...?
Is it also fine to reboot the container or is it still having duplicate instances?
sanderlv
commented
1 year ago I tried your command:
But no luck either...
But what's even more weird is that the console gives:
And the interface gives:
What's not ok here?
EDIflyer
commented
1 year ago Hmm, getting outside what I understand now I'm afraid! I'd have thought definitely worth a container reboot attempt given that difference in version info. I tend to just automatically make the SSL cert when creating the proxy host.
sanderlv
commented
1 year ago Rebooting does not help in getting the right version "in the container"...
sanderlv
commented
1 year ago I tend to just automatically make the SSL cert when creating the proxy host.
Thats does not work either... So frustrating... all my domains will soon expire...
sanderlv
commented
1 year ago Created a wildcard DNS via joker, that works ....
andzejsp
commented
1 year ago fresh install, 0 domains, add one, tried to add cert, fails as above...
Good thing i still havent updated my stack from 2022 last year, it works there but now on fresh install..
And i thought i messed up something.
Somebody has to look into this. Im not the only one.
If anyone has any solution please @ me.
greenfishgit22
commented
1 year ago Jesus christ.... same crap again... I had to renew ssl certificate and voila "internal error".
sanderlv
commented
1 year ago I know, it s@cks. But luckily the dns one via joker does work.
EDIflyer
commented
1 year ago I know, it s@cks. But luckily the dns one via joker does work.
Do you mean via DNS challenge? - AIUI that's only an option if your DNS provider is one of the ones listed though? (mine isn't)
sanderlv
commented
1 year ago Yes and yes and that's a pity...
greenfishgit22
commented
1 year ago Yeah thanks but i'm using duckdns and noip, not willing to change DNS provider because of this issue.
I really like nginx proxy manager but this happens way to frequently in my opinion.
sanderlv
commented
1 year ago I agree. I am just lucky at this moment...
smailpouri
commented
1 year ago same issue on Docker 4.18 macOS ventura 13.3.1 nginx 2.9.19 and 2.9.20(21,22) and 2.10.2.
Not sure what is going, been looking into Traefik
plexecutor
commented
1 year ago I was having the same issue where 'Test Server Reachability' was saying 'Communication with the API failed, is NPM running correctly?'. I use DuckDNS and verified that I had everything configured correctly. What I ended up doing was just using DNS Challenge and choosing DuckDNS and providing my token. No issues requesting/renewing certs now.
andzejsp
commented
1 year ago I was having the same issue where 'Test Server Reachability' was saying 'Communication with the API failed, is NPM running correctly?'. I use DuckDNS and verified that I had everything configured correctly. What I ended up doing was just using DNS Challenge and choosing DuckDNS and providing my token. No issues requesting/renewing certs now.
But this don't help people who don't have ducks.
plexecutor
commented
1 year ago I was having the same issue where 'Test Server Reachability' was saying 'Communication with the API failed, is NPM running correctly?'. I use DuckDNS and verified that I had everything configured correctly. What I ended up doing was just using DNS Challenge and choosing DuckDNS and providing my token. No issues requesting/renewing certs now.
But this don't help people who don't have ducks.
True, but there is a very large list of DNS provider plugins support by NPM. If yours is supported, I would try that method.
erzwo31
commented
1 year ago same problem for me. I can't renew or create a new certificate. probably related to this
rafalohaki
commented
1 year ago same
f2ka07
commented
1 year ago Here is a guide on how to successfully install Lets Encrypt on Nginx Proxy Manager to secure your docker containers.
ajy2
commented
1 year ago still same here
@f2ka07 in your video, it has no errors like above
greenfishgit22
commented
1 year ago This app is dead. So many ssl issues that comes out of nowhere. I went with caddy april 7th and never had any issues.
andzejsp
commented
1 year ago This app is dead. So many ssl issues that comes out of nowhere. I went with caddy april 7th and never had any issues.
Can you pm me the caddy solution? I need auto renewval
MikeTraceur
commented
1 year ago Is there any update to this bug? I am facing the same problem with the latest release? Any downgraded Version where this bug does not appear?
EDIflyer
commented
1 year ago Sadly not that I've found, I just use the workaround of switching off SSL, renewing then re-enabling. It does get a bit annoying having to do it for 16 sites every few months though!
MikeTraceur
commented
1 year ago I was currently trying the workaround because my certificates should expire july 25. But I decided to look them up before. Surprisingly it renewed them. So what is different to the state I had until yesterday? I moved from latest to 2.9.21 and under volumes I added
Since the docker container was in a different timezone than the docker host. Maybe this helps finding a solution.
andzejsp
commented
1 year ago does it work on latest tho?
rightsaidfred99
commented
1 year ago I gave up on this bug. best to freeze nginx at 2.9.14 and have been doing this for a year and auto ssl renewal works perfectly. cons, but it's unpatched and a security risk so keep it away from the internet.
Watever44
commented
1 year ago I am having the same issue. I didn't realise the problem a few weeks ago when I had to renew manually. After unraid update to 6.12. Now I am trying to get a new certificate and I can't make it work. No idea how to fix it.
Does I really need to go back ? in the docker container or unraid os ?
rightsaidfred99
commented
1 year ago Yes, it just works perfectly if you go back.
Watever44
commented
1 year ago I will try to go back. I didn't fix the certificate creation or renew, but it's weird that my reverse proxy is "working" today, without changing anything since yesterday, without the proper SSL, using the wildcard certificate probably. May be cause when I tried yesterday, cloudflare didn't publish it and it took longer than usually ? many hours ? Also, I taught the wildcard certificate would only work locally... ?
Theses are the only certificate I have. As you can see, the wildcard use cloudflare, not the others but all are working.
Matze177
commented
1 year ago Sadly not that I've found, I just use the workaround of switching off SSL, renewing then re-enabling. It does get a bit annoying having to do it for 16 sites every few months though!
Thanks for the tip, that worked for me too. But why?
EDIflyer
commented
1 year ago Sadly not that I've found, I just use the workaround of switching off SSL, renewing then re-enabling. It does get a bit annoying having to do it for 16 sites every few months though!
Thanks for the tip, that worked for me too. But why?
See my PR - https://github.com/NginxProxyManager/nginx-proxy-manager/pull/3121 - it's to do with how the Let's Encrypt ACME check is being dealt with.
Collin7
commented
1 year ago Also having an issue with renew on latest and older versions
Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation
Traceback (most recent call last):
File "/usr/bin/certbot", line 5, in
oswaldo-be
commented
1 year ago I also got the same problem and deactivating Force SSL and renewing works. Then I just activate force SSL again. But this cannot stay unrepaired
at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5) [10/8/2023] [2:01:59 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry... [10/8/2023] [2:06:37 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation Failed to renew certificate npm-1 with error: Some challenges have failed. All renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/npm-1/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)
v2.10.4
EDIflyer
commented
1 year ago @oswaldo-be did my PR above work for you? It still seems to be doing the trick on my system.
oswaldo-be
commented
1 year ago jupp, deactivating, renewing und activating works. But this here won't with "docker exec "Containername" find / -type f -name ".certbot.lock"" I get find: '/proc/tty/driver': Permission denied find: '/sys/kernel/debug': Permission denied
EDIflyer
commented
1 year ago Interesting, I've normally run it as commands directly within the container on Portainer and it worked OK, I'm guessing it must be giving higher permissions.
There's a link above to my PR that fixes the underlying issue that seems to work so might be worth a shot too?
jdelgadocr
commented
1 year ago I was also getting the "import ClientBase" error with namecheap DNS. Strangely it worked 2 hours earlier with namecheap and another provider, several domains. Fresh, latest NPM install. I got it fixed by running (in a container-attached console): pip install certbot pip install acme pip install certbot-dns-namecheap
That was all and then it worked as before/expected.
Checklist
jc21/nginx-proxy-manager:latestdocker image?Describe the bug
Recieved an email from let's encrypt I had to update my ssl certiface. Went into nginx proxy manger, cert renewal, got internal error, saw something about cerbot failure. Saw on this forum a lot of users had similar issues. Tried reverting to older versions but still the same error. Have tried to re-install/delete everything from scratch but ssl cert fails everytime. I'm not adapt at all when it comes to ssl/reverse proxy but so far nginx proxy manager was the only solution working for me a few months ago with reverse proxy. Now i'm at a total loss what to do.
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-2" --agree-tos --authenticator webroot --email "admindfdfdf@tutanota.com" --preferred-challenges "dns,http" --domains "phofsddd.duckdns.org" Saving debug log to /var/log/letsencrypt/letsencrypt.log Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Nginx Proxy Manager Version
2.9.21 2.9.20 2.9.19