NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
23.47k stars 2.72k forks

Letsencrypt certificate renewing failure when using access list on proxy host #3539

Open mehdilauters opened 9 months ago

mehdilauters commented 9 months ago

Describe the bug

When setting up a proxy host with a control access list, certbot gets a 401 error on its challenge.

Version 2.11.1 (aec3020) 2024-01-21 11:23:57 UTC, OpenResty 1.21.4.3, debian 12 (bookworm), Certbot certbot 2.8.0
Base: debian:bookworm-slim, linux/amd64
Certbot: nginxproxymanager/nginx-full:latest, linux/amd64
Node: nginxproxymanager/nginx-full:certbot, linux/amd64
certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-5" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-5.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for DOMAIN

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: DOMAIN
  Type:   unauthorized
  Detail: IP: Invalid response from http://DOMAIN/.well-known/acme-challenge/SECRET: 401

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate npm-5 with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-5/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

When temporarily disabling the ACL on this host, the renewal works as expected.

Nginx Proxy Manager Version

v2.9.11

To Reproduce

Steps to reproduce the behavior:

Operating System

Docker on Debian

Thank you for your work
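A triage helper for the failure shown in this report, added here as an example and not part of the issue or of Nginx Proxy Manager: it parses certbot's failure block and labels a 401 or 403 on the ACME challenge path as an access-control problem. The function name, the cause labels and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the failure block from the report, placeholders kept as posted.
SAMPLE_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: DOMAIN
  Type:   unauthorized
  Detail: IP: Invalid response from http://DOMAIN/.well-known/acme-challenge/SECRET: 401

Failed to renew certificate npm-5 with error: Some challenges have failed.
"""

ACME_PATH = "/.well-known/acme-challenge/"

# One "Domain / Type / Detail" triple per failed authorization.
PROBLEM_RE = re.compile(
    r"^[ \t]*Domain:[ \t]*(?P<domain>\S+)[ \t]*\n"
    r"[ \t]*Type:[ \t]*(?P<type>\S+)[ \t]*\n"
    r"[ \t]*Detail:[ \t]*(?P<detail>.+)$",
    re.MULTILINE,
)
# The CA appends the HTTP status it received when fetching the challenge URL.
STATUS_RE = re.compile(r"Invalid response from (?P<url>\S+): (?P<status>\d{3})\b")


def diagnose(certbot_output):
    """Return one finding per failed domain with a likely cause label."""
    findings = []
    for m in PROBLEM_RE.finditer(certbot_output):
        hit = STATUS_RE.search(m["detail"])
        status = int(hit["status"]) if hit else None
        on_challenge = bool(hit) and ACME_PATH in hit["url"]
        if on_challenge and status in (401, 403):
            # Authentication or an allow/deny rule answered before the
            # challenge file could be served, as with the access list here.
            cause = "access-control"
        elif on_challenge and status == 404:
            cause = "challenge-file-not-served"
        else:
            cause = "other"
        findings.append({"domain": m["domain"], "type": m["type"],
                         "status": status, "cause": cause})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_OUTPUT):
        print(finding)
```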

github-actions[bot] commented 3 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: