NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

SSL Internal Error on request a new SSL certificate #3324

Open DaYroXy opened 10 months ago

DaYroXy commented 10 months ago

Describe the bug: When trying to request a new SSL Certificate I get an internal error.

Nginx Proxy Manager Version: v2.10.4

To Reproduce: Steps to reproduce the behavior:

  1. Go to Hosts
  2. Click on Add Proxy Host
  3. Click on SSL
  4. SSL Certificate > Request a new SSL Certificate
  5. Save > Internal Error

Operating System: Ubuntu 20.04 - 64bit, running Portainer v2.19.2

Additional context: Cloudflare (NO PROXY): A => dayroxy.online => ip; CNAME => * => dayroxy.online

```
2023-11-15 05:51:29,337:DEBUG:acme.client:Storing nonce: GEqhmX18EBYehAoQEeHOv-lemRWL1u8IRLnVc7o6fKR1jTTNhtU
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:Challenge failed for domain portainer.dayroxy.online
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:http-01 challenge for portainer.dayroxy.online
2023-11-15 05:51:29,338:DEBUG:certbot._internal.display.obj:Notifying user: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: portainer.dayroxy.online
  Type:   connection
  Detail: 87.237.52.121: Fetching http://portainer.dayroxy.online/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk: Connection reset by peer

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-15 05:51:29,339:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-11-15 05:51:29,340:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-11-15 05:51:29,341:ERROR:certbot._internal.log:Some challenges have failed.
```

jucajuca commented 10 months ago

you can solve this issue by deactivating "Force SSL" OR by adding the following custom location which will catch the letsencrypt requests (basically redirect back to the nginx proxy):

@jc21 this is a common issue with letsencrypt. Could you automatically add the custom location if "Force SSL" is enabled? It seems that a lot of people are bothered by this issue. See for example: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/396


DaYroXy commented 10 months ago

you can solve this issue by deactivating "Force SSL" OR by adding the following custom location which will catch the letsencrypt requests (basically redirect back to the nginx proxy):

@jc21 this is a common issue with letsencrypt. Could you automatically add the custom location if "Force SSL" is enabled? It seems that a lot of people are bothered by this issue. See for example: #396


Hello! Thanks for the answer. The error happens with or without Force SSL, I still get the same error; I also tried what you told me.

Hello,

Gh0stExp10it commented 10 months ago

Same error on my site. The last time I registered a certificate was on 11 Nov; now it's not working for a new one anymore.

PaulNdrei commented 10 months ago

In my case, I wanted to keep ports 80 and 443 open for my private network only, so then I got the same error, "Internal Error." Then I opened the ports to be available on 0.0.0.0/0, and I tried again to generate the SSL certificate with a successful result.

DaYroXy commented 10 months ago

In my case, I wanted to keep ports 80 and 443 open for my private network only, so then I got the same error, "Internal Error."

Then I opened the ports to be available on 0.0.0.0/0, and I tried again to generate the SSL certificate with a successful result.

Hello! Thanks for the reply, but sadly I also tried to even open all available ports and it didn't work.

wkobiela commented 10 months ago

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

DaYroXy commented 10 months ago

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do though?

Gh0stExp10it commented 9 months ago

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do though?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... Further investigations are still open from my side. Pretty weird!

DaYroXy commented 9 months ago

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do though?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... Further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

kpleines commented 9 months ago

Same issue and none of the workarounds worked for me.

any suggestions?

Gh0stExp10it commented 9 months ago

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do though?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... Further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 on port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

wkobiela commented 9 months ago

Weird, but you are right. I checked my router settings - port 80 open. Used https://portchecker.co/check-it to verify - closed. Removed settings, set up port forwarding once again and verified -> port open.

NPM worked and renewed all my certificates.

DaYroXy commented 9 months ago

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do though?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... Further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 on port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah, I got the hello page. Ports 80, 81, 443 are open, with a few more, but no luck. According to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

I think it's something with the certbot command.

jsbrain commented 9 months ago

Adding network_mode: host in the docker-compose.yml fixed it for me.

Gh0stExp10it commented 9 months ago

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do though?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... Further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 on port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah, I got the hello page. Ports 80, 81, 443 are open, with a few more, but no luck. According to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

I think it's something with the certbot command.

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a Portainer instance, which already wants to listen on a secure SSL connection, for example. And another idea: did you also check your public domain (or DynDNS address), whether the landing page also showed up (regarding the IP updates)?

DaYroXy commented 9 months ago

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do though?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... Further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 on port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah, I got the hello page. Ports 80, 81, 443 are open, with a few more, but no luck. According to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. I think it's something with the certbot command.

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a Portainer instance, which already wants to listen on a secure SSL connection, for example. And another idea: did you also check your public domain (or DynDNS address), whether the landing page also showed up (regarding the IP updates)?

Hi! I tried for multiple domains such as portainer, jelly, nginx, some HTTPS, some not, or even the main domain; nothing worked. And for my public domain, yeah, I'm using DNS only without proxy; it's taking me to the correct pages as well as loading the web pages for the correct configuration, so it's working, but only the SSL is not, for any domain/subdomain.

simowNgithub commented 9 months ago

Very strange... After reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest the same error appears 😁 I'm very confused now....

But I think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...

Gh0stExp10it commented 9 months ago

Very strange... After reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest the same error appears 😁 I'm very confused now....

But I think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...

Glad that a reset helped. However, port 81 does not need to be accessible from outside, as this is only used for the dashboard. The certificate should be validated via port 80.

Gh0stExp10it commented 9 months ago

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do though?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... Further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 on port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah, I got the hello page. Ports 80, 81, 443 are open, with a few more, but no luck. According to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. I think it's something with the certbot command.

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a Portainer instance, which already wants to listen on a secure SSL connection, for example. And another idea: did you also check your public domain (or DynDNS address), whether the landing page also showed up (regarding the IP updates)?

Hi! I tried for multiple domains such as portainer, jelly, nginx, some HTTPS, some not, or even the main domain; nothing worked. And for my public domain, yeah, I'm using DNS only without proxy; it's taking me to the correct pages as well as loading the web pages for the correct configuration, so it's working, but only the SSL is not, for any domain/subdomain.

Are you also sure that the DynDNS updates are working correctly? That would be the only explanation I can think of for it not being accessible after all the configurations.

zemise commented 9 months ago

network_mode: host

Adding network_mode: host in the docker-compose.yml fixed it for me.

Thanks, this also fixed it for me, but when you try, you may also need to ensure ports 80, 81 and 443 belong to NPM.

simowNgithub commented 9 months ago

Very strange... After reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest the same error appears 😁 I'm very confused now.... But I think it belongs to my specific proxy host configurations. I will test, but then the solution was: port 81 must be open on your router/firewall...

Glad that a reset helped. However, port 81 does not need to be accessible from outside, as this is only used for the dashboard. The certificate should be validated via port 80.

Then it is stranger than strange 🤣 Because this was the only change (opening port 81). After that it works. Before, only ports 80 and 443 were opened and I was able to create the certificates x months before.

EinToni commented 9 months ago

Very strange... After reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest the same error appears 😁 I'm very confused now....

But I think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...

I really don't understand, but I can confirm that exposing port 81 indeed solved the issue.... I normally only have 443 exposed; now I also exposed 80, but that didn't help. After also exposing 81 I was able to renew all certs and create one new cert 😄 All without issues. Afterwards I quickly closed 80 and 81 again and everything is good 👍🏻 Although I really don't understand why exposing 81 fixed that.

danny3n1tech commented 7 months ago

I have tried everything listed above and still having the issue.

Beat2er commented 7 months ago

A little bit out of context, but the reason it failed for me was the new software firewall, which had rules based on countries (everything worked from my devices). I didn't notice since renewal is only every 60 days (I guess). Maybe check access from different hosts and packet captures, this is how I got further.

Silversurfer79 commented 6 months ago

Adding network_mode: host in the docker-compose.yml fixed it for me.

I have been struggling with this for weeks now and this fixed it for me.

In Portainer go to Containers -> on the Container -> click Exec Console (looks like this >_ ) -> Connect -> paste "curl -vvvv -I -L -k --tlsv1.2 https://google.com/" and press Enter in the console. If you get a failure your DNS is not resolving and this is your problem; add "network_mode: host" to your compose file. See a copy of my compose below.

A little side note, my certs now auto renew for the first time ;-)

version: "3.8"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    container_name: Nginx_PMA
    restart: always
    ports:

tr1p0p commented 6 months ago

Still got this issue. Kind of annoying, you're just... Stuck... SSL so easy! (no)

CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: alchimia.ink, retry after 2024-03-12T17:30:31Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1105:16)
    at Socket.<anonymous> (node:internal/child_process:457:11)
    at Socket.emit (node:events:518:28)
    at Pipe.<anonymous> (node:net:337:12)

firefox7518 commented 5 months ago

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

Silversurfer79 commented 5 months ago

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host" to the bottom of the stack allows auto renew of the certs in the last 30 days.


Silversurfer79 commented 5 months ago

Still got this issue. Kind of annoying, you're just... Stuck... SSL so easy! (no)

CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: alchimia.ink, retry after 2024-03-12T17:30:31Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1105:16)
    at Socket.<anonymous> (node:internal/child_process:457:11)
    at Socket.emit (node:events:518:28)
    at Pipe.<anonymous> (node:net:337:12)

Your issue is that you have requested too many certs for the domain already; you must read the Let's Encrypt terms, there is a limit of certs you can request per month/day I guess.

Your issue has nothing to do with ssl renewals.

firefox7518 commented 5 months ago

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host" to the bottom of the stack allows auto renew of the certs in the last 30 days.


Well, I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking it up, it seems that dozens of others also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

Gh0stExp10it commented 5 months ago

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host" to the bottom of the stack allows auto renew of the certs in the last 30 days.

Well, I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking it up, it seems that dozens of others also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

I've got some problems like this back in the days. Try to backup your proxy_host configs (your-local-npm-data/nginx/proxy_host/), for example 1.conf 2.conf. After backup/copying your files, delete them and restart your npm container. It will rebuild these configs. Hope that helps.

Silversurfer79 commented 5 months ago

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host" to the bottom of the stack allows auto renew of the certs in the last 30 days.

Well, I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking it up, it seems that dozens of others also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

What do your logs show?

firefox7518 commented 5 months ago

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host" to the bottom of the stack allows auto renew of the certs in the last 30 days.

Well, I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking it up, it seems that dozens of others also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

I've got some problems like this back in the days. Try to backup your proxy_host configs (your-local-npm-data/nginx/proxy_host/), for example 1.conf 2.conf. After backup/copying your files, delete them and restart your npm container. It will rebuild these configs. Hope that helps.

I tried your way. Deleted the conf files, restarted the container. It did NOT recreate the files. I had to go into each config and click save and it created a new file. However, this did not solve anything. Still not able to renew certificates. I also reverted back to my last running version so that I can login. I've added so far "network_mode:host" to the container, did not resolve it. I also do not have any issues pinging the outside world like google.com or DNS servers. 31 websites with multiple domains and subdomains are running fine and certs were renewing flawlessly for more than a year without an issue. And now suddenly it stopped and constantly shows "internal error". I tried to find anything in the log files, but to be honest all Let's Encrypt related log files are 0 bytes, empty. Where can I activate a more verbose log?

So many people have issues with that, not good, really not good

istoppedcaringat30 commented 5 months ago

Just wanted to add that my fix was to allow port 80 to NPM on my router. I must have blocked it at some point.

smibrandon commented 5 months ago

I found a fix for my issue: allocating more storage space.

Running NPM in a Proxmox CT (no docker at all), and happened to catch that it was at 96% of its storage. I gave it some extra, and boom. Worked!

kautsaridris commented 5 months ago

I have the same issue. Then I traced the cause and found that my provider blocks incoming connections to my server from other countries; connections are allowed only from my country (that's because my server IP comes from my government). So when I opened a ticket to allow incoming connections from all, the "Internal Error" was fixed. So maybe this is one more thing to check to fix your problem.

jclsn commented 5 months ago

Same issue here. I realized that this works with DuckDNS domains, but not with the one configured in my router. I grew tired of DuckDNS not working often, so I bought an official Strato domain, which I configured with DynDNS in my Fritz.Box. I could successfully create a proxy and request a certificate for the main domain, but not for the subdomains.

TasteOfChaoZ commented 4 months ago

Same issue. Stupid me. I disabled the NAT rule for port 80 forwarding to my nginx, for whatever reason ....

timursevimli commented 4 months ago

this resource helped me solve the problem:

https://medium.com/@life-is-short-so-enjoy-it/homelab-nginx-proxy-manager-setup-ssl-certificate-with-domain-name-in-cloudflare-dns-732af64ddc0b

ryuzaki09 commented 4 months ago

I opened port 80 to my NPM temporarily to request the new certificate, it worked and then I closed the port again.

TailoredITRob commented 3 months ago

Adding network_mode: host in the docker-compose.yml fixed it for me.

This is not an option. Using network_mode set to host will expose all ports to the open world. It also forces you to do the same with any other related containers or they can no longer communicate.

JoeZUM commented 2 months ago

I have the same problem. Is there any progress on this issue?

Silversurfer79 commented 2 months ago

I have the same problem. Is there any progress on this issue?

I have come to realise that 99% of certificate renewal issues are firewall blocking ports. I would check and recheck that ports are open. I did have my ports being blocked.

My working docker compose file, good luck!

version: "3"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    container_name: Nginx_Proxy_Manager
    restart: always
    ports:
      - '82:80'           # Public HTTP Port:
      - '4433:443'        # Public HTTPS Port:
      - '81:81'           # Admin Web Port:
    networks:
      default:
        ipv4_address: 10.10.10.3
    volumes:
      - /URPATH/docker/nginxmanager/config.json:/app/config/production.json
      - /URPATH/docker/nginxmanager/data:/data
      - /URPATH/docker/nginxmanager/letsencrypt:/etc/letsencrypt
    depends_on:
      - db
  db:
    image: jc21/mariadb-aria:latest
    container_name: Nginx_Proxy_Manager_DB
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: 'xxxxxxxxxxxxxxxxx'
      MYSQL_DATABASE: 'Nginx_DB'
      MYSQL_USER: 'xxxxxxxxxxxxxxxxxx'
      MYSQL_PASSWORD: 'xxxxxxxxxxxxxxxxx'
    networks:
      default:
        ipv4_address: 10.10.10.2
    volumes:
      - /URPATH/docker/nginxmanager/sql:/var/lib/mysql

networks:
  default:
    external:
      name: dockernet default

I can renew my certs at any point now, though they auto renew 30 days before expiring.

Wav3y commented 2 months ago

NPM is not particularly helpful in telling you what the specific issue is other than "Internal Error" which could mean a magnitude of things so everyone should start by inspecting their container logs.

First of all, if you're using Namecheap, make sure your IP is whitelisted.

My issue probably stemmed from a manual move of my container from one host to another (I think) as it related to some broken symlinks.

I use Portainer so used that to inspect my logs but obviously there are other ways to inspect logs.

The logs showed a parse failure: "0 renew failure(s), 1 parse failure(s)"

I SSH'd into the container: docker exec -it <container_id_or_name> /bin/bash

Double checked Certbot logs

cd /tmp/letsencrypt-log
cat letsencrypt.log

Double checked letsencrypt config.

cat /etc/letsencrypt.ini

Manually ran the renewal inside the container

certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew -v

Terminal showed this error:

Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Skipping.

So I went in and repaired the symlinks, as the config files were not pointing to any symlinks as they should have been. Here's what I ran to repair:

cd /etc/letsencrypt/live/npm-2
rm cert.pem chain.pem fullchain.pem privkey.pem
ln -s /etc/letsencrypt/archive/npm-2/cert1.pem cert.pem
ln -s /etc/letsencrypt/archive/npm-2/chain1.pem chain.pem
ln -s /etc/letsencrypt/archive/npm-2/fullchain1.pem fullchain.pem
ln -s /etc/letsencrypt/archive/npm-2/privkey1.pem privkey.pem

Then either run the renewal from the NPM GUI or directly in the terminal:

certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew -v

Stuck? Use ChatGPT. That's how I fixed my problem because I'm not in IT.
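
The repair above hard-codes version 1 of each file, which is only right for a lineage that has never been renewed. The following is an added example (not code from nginx-proxy-manager or certbot) that does the same repair generically: it picks the highest `<kind>N.pem` present in `archive/<name>/`, writes the relative links certbot itself uses, refuses to touch anything when the archive is missing, and keeps a plain file it finds in `live/` as a `.bak` instead of deleting it (that file may be the only copy of a key). The lineage name `npm-2` is the one from the comment; the script name and `--check` flag are assumptions.

```python
"""Audit and repair certbot's live/ -> archive/ symlinks for one certificate lineage.

Added example, not code from nginx-proxy-manager or certbot. It assumes the
standard certbot layout (live/<name>/<kind>.pem must be a symlink to
archive/<name>/<kind>N.pem) and picks the highest N present rather than a
hard-coded version number.
"""
from __future__ import annotations

import os
import re
import sys
from pathlib import Path

KINDS = ("cert", "chain", "fullchain", "privkey")


def latest_version(archive: Path, kind: str) -> int:
    """Highest N for which archive/<kind>N.pem exists; 0 if there is none."""
    pattern = re.compile(rf"^{kind}(\d+)\.pem$")  # anchored so 'chain' never matches 'fullchain'
    versions = [int(m.group(1)) for p in archive.iterdir() if (m := pattern.match(p.name))]
    return max(versions, default=0)


def repair_lineage(le_dir: Path, name: str, fix: bool = True) -> dict[str, str]:
    """Check (fix=False) or repair (fix=True) the four live/ links of one lineage.

    Returns {kind: "ok" | "broken" | "fixed"}. Raises FileNotFoundError when the
    archive is missing, because then there is nothing safe to point the links at.
    """
    archive = le_dir / "archive" / name
    live = le_dir / "live" / name
    if not archive.is_dir():
        raise FileNotFoundError(f"no archive directory for lineage {name!r}: {archive}")
    report: dict[str, str] = {}
    for kind in KINDS:
        n = latest_version(archive, kind)
        if n == 0:
            raise FileNotFoundError(f"archive for {name!r} has no {kind}N.pem")
        # certbot writes relative links (../../archive/npm-2/cert1.pem), so the
        # lineage stays valid if /etc/letsencrypt is mounted somewhere else.
        target = Path("..", "..", "archive", name, f"{kind}{n}.pem")
        link = live / f"{kind}.pem"
        if link.is_symlink() and os.readlink(link) == str(target):
            report[kind] = "ok"
            continue
        if not fix:
            report[kind] = "broken"
            continue
        live.mkdir(parents=True, exist_ok=True)
        if link.is_symlink():
            link.unlink()                           # wrong or dangling link: safe to drop
        elif link.exists():
            link.rename(live / f"{kind}.pem.bak")   # a real file (maybe a copied key): keep it
        link.symlink_to(target)
        report[kind] = "fixed"
    return report


if __name__ == "__main__":
    # usage: python3 repair_live_links.py /etc/letsencrypt npm-2 [--check]
    root, lineage = Path(sys.argv[1]), sys.argv[2]
    result = repair_lineage(root, lineage, fix="--check" not in sys.argv[3:])
    for kind, state in result.items():
        print(f"{kind}.pem: {state}")
    sys.exit(1 if "broken" in result.values() else 0)
```

Run it with `--check` first from inside the container (`/opt/certbot/bin/python` is there) to see what it would change; absolute links like the ones in the comment above are reported as broken and rewritten relative, which is harmless. Symlinking does not change the permissions of the archive files, so `privkeyN.pem` keeps whatever mode certbot gave it; check that it is still `0600` if you copied files between hosts by hand.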

flow96 commented 1 month ago

It seems that certbot mostly uses IPv6 to verify domains, therefore maybe recheck your DNS settings.

I had the same problem and found the error in my DNS settings. I originally updated the DNS entries to point to my server on IPv4 but forgot about IPv6. So after replacing the AAAA entry with the IPv6 address of my server, it works again 🎉
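
Let's Encrypt validates over IPv6 whenever the name has an AAAA record, so every published address has to serve the challenge path, not only the one that was updated. The following is an added example (not code from nginx-proxy-manager or certbot) that preflights this before asking the CA: it resolves the name, then fetches `/.well-known/acme-challenge/<token>` separately on each A and AAAA address, connecting by IP and sending the real `Host` header the way a validator reaches one address. The token value, the `acme-preflight` user agent and the idea of dropping a test file in the webroot are assumptions; nothing here contacts the CA.

```python
"""Preflight an HTTP-01 challenge path over every address a name publishes.

Added example, not code from nginx-proxy-manager or certbot. Place a file whose
content is exactly <token> at /.well-known/acme-challenge/<token> in the webroot
first, then run: python3 preflight.py portainer.example.org
"""
from __future__ import annotations

import http.client
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    family: str            # "A" or "AAAA"
    address: str
    status: int | None     # HTTP status, or None when no response came back
    body_ok: bool          # body equalled the expected token
    error: str = ""


def published_addresses(host: str) -> list[tuple[str, str]]:
    """(family, address) for every A/AAAA record the local resolver returns, deduplicated."""
    found: list[tuple[str, str]] = []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        entry = ("AAAA" if family == socket.AF_INET6 else "A", sockaddr[0])
        if entry not in found:
            found.append(entry)
    return found


def probe_address(host: str, family: str, address: str, path: str, expected: str,
                  timeout: float = 5.0) -> Probe:
    """GET http://<address><path> with Host: <host>, pinned to one address."""
    netloc = f"[{address}]" if family == "AAAA" else address   # http.client needs brackets for v6 literals
    conn = http.client.HTTPConnection(netloc, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "acme-preflight/1"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("ascii", "replace").strip()
        return Probe(family, address, resp.status, body == expected)
    except (OSError, http.client.HTTPException) as exc:
        return Probe(family, address, None, False, f"{type(exc).__name__}: {exc}")
    finally:
        conn.close()


def verdict(probes: list[Probe]) -> tuple[bool, list[str]]:
    """Pass only when every published address answers 200 with the expected body."""
    findings: list[str] = []
    if not probes:
        findings.append("no A or AAAA records resolved")
    for p in probes:
        if p.status is None:
            findings.append(f"{p.family} {p.address}: no response ({p.error})")
        elif p.status != 200:
            findings.append(f"{p.family} {p.address}: HTTP {p.status}")
        elif not p.body_ok:
            findings.append(f"{p.family} {p.address}: HTTP 200 but wrong body (another server answers here)")
    return (not findings, findings)


def preflight(host: str, token: str = "preflight-token") -> tuple[bool, list[str]]:
    """Resolve host and probe the challenge path on every address it publishes."""
    path = f"/.well-known/acme-challenge/{token}"
    probes = [probe_address(host, fam, addr, path, token) for fam, addr in published_addresses(host)]
    return verdict(probes)


if __name__ == "__main__":
    import sys
    ok, findings = preflight(sys.argv[1])
    print("OK: every published address serves the challenge path" if ok else "\n".join(findings))
    sys.exit(0 if ok else 1)
```

Two caveats when reading the output: a "no response" on the AAAA line can also mean the machine you run this from has no IPv6 connectivity itself, so confirm from a host that does; and a 3xx is reported as a failure here even though the CA follows redirects, so if you see one, run the check again against the redirect target.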

pablomujica commented 1 month ago

In my case using Cloudflare, updating the package in the server fixed it:

pip install --upgrade cloudflare==2.19.*

sarequl commented 2 weeks ago

In my case using Cloudflare, updating the package in the server fixed it:

pip install --upgrade cloudflare==2.19.*

It worked for me. thanks

andsim commented 1 week ago

Here are my issues:

`2024-09-03 15:21:48,841:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-09-03 15:21:48,842:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2024-09-03 15:21:48,842:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-4', '--agree-tos', '--authenticator', 'webroot', '--email', 'andsim2@gmail.com', '--preferred-challenges', 'dns,http', '--domains', 'anskygrid.ca,www.anskygrid.ca']
2024-09-03 15:21:48,842:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-09-03 15:21:48,856:DEBUG:certbot._internal.log:Root logging level set at 30
2024-09-03 15:21:48,857:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2024-09-03 15:21:48,857:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7165da4951d0>
Prep: True
2024-09-03 15:21:48,857:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7165da4951d0> and installer None
2024-09-03 15:21:48,857:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2024-09-03 15:21:48,908:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-09-03 15:21:48,910:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-09-03 15:21:48,949:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 467, in _make_request
    self._validate_conn(conn)
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1099, in _validate_conn
    conn.connect()
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connection.py", line 653, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connection.py", line 806, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
               ^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 465, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 509, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 1075, in _create
    self.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 793, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 491, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/requests/adapters.py", line 667, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 847, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/util/retry.py", line 515, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1582, in certonly
    le_client = _init_le_client(config, auth, installer)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 833, in _init_le_client
    acc, acme = _determine_account(config)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 741, in _determine_account
    acc, acme = client.register(
                ^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 207, in register
    acme = acme_from_config_key(config, key)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
    directory = acme_client.ClientV2.get_directory(config.server, net)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 330, in get_directory
    return messages.Directory.from_json(net.get(url).json())
                                        ^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 705, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 647, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)')))
2024-09-03 15:21:48,955:ERROR:certbot._internal.log:An unexpected error occurred:
2024-09-03 15:21:48,956:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)')))`
andsim commented 1 week ago

I think it is a web address issue: when I try acme-v02.api.letsencrypt.org in a browser I get ERR_ADDRESS_INVALID.

andsim commented 1 week ago

image. Look at the last line.
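
`TLSV1_UNRECOGNIZED_NAME` in the log above is OpenSSL's name for the server-side `unrecognized_name` alert (RFC 6066): whatever answered on port 443 does not host the name the client sent in SNI. A CA endpoint that really serves `acme-v02.api.letsencrypt.org` would not send it, so the first thing to establish is what the container's resolver maps that name to and who answers there. The following is an added example (not code from nginx-proxy-manager or certbot) that does exactly that from inside the container: it resolves the name, flags answers that cannot be a public CA (loopback, Docker bridge and other private ranges, which usually point at a hosts entry or a DNS rewrite), and then handshakes with SNI against each address, reporting the certificate's DNS names or the TLS failure. Only the hostname comes from the log; the script name is an assumption.

```python
"""Check what a container actually reaches when it dials the ACME directory host.

Added example, not code from nginx-proxy-manager or certbot. Run inside the NPM
container: /opt/certbot/bin/python acme_reach.py
"""
from __future__ import annotations

import ipaddress
import socket
import ssl

ACME_HOST = "acme-v02.api.letsencrypt.org"


def resolve(host: str, port: int = 443) -> list[str]:
    """Every distinct address the local resolver returns (A and AAAA), in order."""
    addrs: list[str] = []
    for *_, sockaddr in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def suspicious_addresses(addrs: list[str]) -> dict[str, str]:
    """Addresses a public CA endpoint can never legitimately resolve to, with the reason."""
    flagged: dict[str, str] = {}
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback:
            flagged[a] = "loopback (hosts file or DNS rewrite pointing at the container itself?)"
        elif ip.is_link_local:
            flagged[a] = "link-local"
        elif ip.is_private:
            flagged[a] = "private range (Docker bridge, LAN host, Pi-hole/AdGuard rewrite?)"
        elif not ip.is_global:
            flagged[a] = "not a globally routable unicast address"
    return flagged


def explain_ssl_error(message: str) -> str:
    """Turn OpenSSL's alert text into the question to ask next."""
    if "UNRECOGNIZED_NAME" in message:
        return ("server sent unrecognized_name: whatever answers on this address "
                "does not host this name, so the resolved address is wrong")
    if "CERTIFICATE_VERIFY_FAILED" in message:
        return ("certificate failed validation: TLS interception, a stale CA bundle "
                "or a wrong clock inside the container")
    return f"TLS failure: {message}"


def tls_probe(host: str, address: str, timeout: float = 5.0) -> tuple[bool, str]:
    """Handshake with SNI=host against one address; return (ok, certificate SANs or the failure)."""
    ctx = ssl.create_default_context()   # verifies chain and hostname, as certbot's requests stack does
    try:
        with socket.create_connection((address, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return True, "valid certificate for: " + ", ".join(sans)
    except ssl.SSLError as exc:          # SSLError is an OSError subclass, so it must come first
        return False, explain_ssl_error(str(exc))
    except OSError as exc:
        return False, f"connect failed: {exc}"


def diagnose(host: str = ACME_HOST) -> list[str]:
    """Resolve, classify and probe; return one report line per address."""
    try:
        addrs = resolve(host)
    except socket.gaierror as exc:
        return [f"{host}: resolver failure ({exc})"]
    flagged = suspicious_addresses(addrs)
    lines: list[str] = []
    for a in addrs:
        ok, detail = tls_probe(host, a)
        note = f"  <- {flagged[a]}" if a in flagged else ""
        lines.append(f"{host} -> {a}: {'OK' if ok else 'FAIL'}: {detail}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(diagnose()))
```

If an address comes back flagged, compare `cat /etc/resolv.conf` and `cat /etc/hosts` inside the container with the Docker host's view; a DNS filter or a rewrite rule on the network's resolver is the usual source. If the address looks public but the handshake still fails with `unrecognized_name`, something between the container and the internet is terminating TLS for that name.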