NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
22.83k stars 2.65k forks

Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken. The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink #3925

Open guarnacciaa opened 2 months ago

guarnacciaa commented 2 months ago

Checklist

I have had this docker container for more than a year now, and it has always worked flawlessly. Recently, my renewal process started failing and I can't find a clear root cause for it.

Nginx Proxy Manager Version v2.11.3

To Reproduce Steps to reproduce the behavior:

  1. Go to 'SSL Certificates'
  2. Click on 'the three dots menu'
  3. Click on 'Renew Now'
  4. Get Internal Error popup

Expected behavior Certificate renewal ends successfully

Operating System Ubuntu 24.04 LTS

Additional context The logs report the following:

```
[8/10/2024] [4:21:52 PM] [Certbot ] › ▶ start Installing google...
[8/10/2024] [4:21:52 PM] [Global ] › ⬤ debug CMD: . /opt/certbot/bin/activate && pip install --no-cache-dir certbot-dns-google==$(certbot --version | grep -Eo '0-9+') && deactivate
[8/10/2024] [4:21:57 PM] [Certbot ] › ☒ complete Installed google
[8/10/2024] [4:21:57 PM] [Setup ] › ℹ info Added Certbot plugins google
[8/10/2024] [4:21:57 PM] [Setup ] › ℹ info Logrotate Timer initialized
[8/10/2024] [4:21:57 PM] [Global ] › ⬤ debug CMD: logrotate /etc/logrotate.d/nginx-proxy-manager
[8/10/2024] [4:21:57 PM] [Setup ] › ℹ info Logrotate completed.
[8/10/2024] [4:21:57 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[8/10/2024] [4:21:57 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[8/10/2024] [4:21:58 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[8/10/2024] [4:21:58 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ...
[8/10/2024] [4:21:58 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[8/10/2024] [4:21:58 PM] [Global ] › ℹ info Backend PID 174 listening on port 3000 ...
[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via Google for Cert #1: *.censored.domain
[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[8/10/2024] [4:21:58 PM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[8/10/2024] [4:21:58 PM] [SSL ] › ✖ error Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Skipping.
0 renew failure(s), 1 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Completed SSL cert renew process
[8/10/2024] [4:23:26 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via Google for Cert #1: *.censored.domain
[8/10/2024] [4:23:26 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[8/10/2024] [4:23:26 PM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[8/10/2024] [4:23:26 PM] [Express ] › ⚠ warning Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Skipping.
0 renew failure(s), 1 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
```
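
Added example (not part of the issue thread or the project's code): a Python check for the condition certbot names in the error above, that every `cert`, `privkey`, `chain` and `fullchain` path listed in a `renewal/*.conf` is a symlink resolving into that lineage's archive directory. The demo tree and its file contents are constructed; paths are read exactly as written in the `.conf`, so run it where those paths are valid (for this setup, inside the container).

```python
import os
import sys
import tempfile
from pathlib import Path

# The four files certbot keeps under live/<name>/ for each lineage.
LINEAGE_KEYS = ("cert", "privkey", "chain", "fullchain")


def read_lineage_paths(conf_path):
    """Top-level `key = value` pairs of a renewal .conf, up to the first [section]."""
    settings = {}
    for raw in Path(conf_path).read_text().splitlines():
        line = raw.strip()
        if line.startswith("["):
            break  # [renewalparams] and later sections hold no lineage paths
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def audit_lineage(conf_path):
    """Return (key, path, problem) tuples for one renewal config; empty if healthy."""
    conf_path = Path(conf_path)
    settings = read_lineage_paths(conf_path)
    default_archive = conf_path.parent.parent / "archive" / conf_path.stem
    archive = Path(settings.get("archive_dir", default_archive)).resolve()
    problems = []
    for key in LINEAGE_KEYS:
        link = settings.get(key)
        if link is None:
            problems.append((key, None, "not listed in renewal config"))
        elif not os.path.lexists(link):
            problems.append((key, link, "path does not exist"))
        elif not os.path.islink(link):
            # The state reported in this issue: a plain file where a link belongs.
            problems.append((key, link, "regular file, expected a symlink"))
        else:
            target = Path(os.path.realpath(link))
            if not target.is_file():
                problems.append((key, link, "symlink target is missing"))
            elif archive not in target.parents:
                problems.append((key, link, f"target is outside {archive}"))
    return problems


def audit_config_dir(config_dir):
    """Audit every renewal/*.conf under a certbot config dir, keyed by lineage name."""
    renewal_dir = Path(config_dir) / "renewal"
    return {conf.stem: audit_lineage(conf) for conf in sorted(renewal_dir.glob("*.conf"))}


def build_demo_tree(root):
    """Constructed sample: npm-1 has cert.pem as a regular file, npm-2 is intact."""
    root = Path(root)
    (root / "renewal").mkdir()
    for name, broken in (("npm-1", "cert"), ("npm-2", None)):
        archive = root / "archive" / name
        live = root / "live" / name
        archive.mkdir(parents=True)
        live.mkdir(parents=True)
        conf = [f"archive_dir = {archive}"]
        for key in LINEAGE_KEYS:
            (archive / f"{key}1.pem").write_text("constructed placeholder\n")
            link = live / f"{key}.pem"
            if key == broken:
                link.write_text("constructed placeholder\n")  # copy, not a link
            else:
                link.symlink_to(Path("..", "..", "archive", name, f"{key}1.pem"))
            conf.append(f"{key} = {link}")
        conf += ["[renewalparams]", "authenticator = webroot"]
        (root / "renewal" / f"{name}.conf").write_text("\n".join(conf) + "\n")
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /etc/letsencrypt
        report = audit_config_dir(sys.argv[1])
    else:  # no argument: run against the constructed demo tree
        with tempfile.TemporaryDirectory() as tmp:
            report = audit_config_dir(build_demo_tree(tmp))
    for name, problems in report.items():
        print(f"{name}: {'ok' if not problems else ''}")
        for key, path, problem in problems:
            print(f"  {key}: {path}: {problem}")
```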

guarnacciaa commented 2 months ago

Adding the docker compose file to show how things are exposed:

```yaml
services:
  app:
    image: 'jc21/nginx-proxy-manager:github-pr-3789'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    healthcheck:
      test: ["CMD", "/bin/check-health"]
      interval: 10s
      timeout: 3s

networks:
  proxy:
    external: true
```

franconianmetal commented 2 months ago

Facing the same problem here. Renewal fails.

EDIT: see my comment here https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3920#issuecomment-2284473016

boehamian commented 2 months ago

Same issue here. Been going on for a lot of versions now with no workaround.

Checklist

- Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image? Yes
- Are you sure you're not using someone else's docker image? Yes
- Have you searched for similar issues (both open and closed)? Yes

Nginx Proxy Manager Version v2.11.3

To Reproduce Steps to reproduce the behavior:

  1. Go to 'SSL Certificates'
  2. Click on 'the three dots menu'
  3. Click on 'Renew Now'
  4. Get Internal Error popup

Also tested the Let's Encrypt server reachability and got the following error: [image]

Expected behavior Certificate renewal ends successfully

Server reachability test without failure.

I have checked the public DNS and internal DNS are pointing to the right IP address.

Operating System Ubuntu 24.04 LTS

Additional context The logs report the following:

```
[root@docker-2cbb66229267:/tmp/letsencrypt-log]# cat letsencrypt.log
2024-08-17 05:04:25,534:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-08-17 05:04:25,534:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2024-08-17 05:04:25,534:DEBUG:certbot._internal.main:Arguments: ['--force-renewal', '--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-7', '--preferred-challenges', 'dns,http', '--no-random-sleep-on-renew', '--disable-hook-validation']
2024-08-17 05:04:25,534:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-08-17 05:04:25,546:DEBUG:certbot._internal.log:Root logging level set at 30
2024-08-17 05:04:25,547:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-7.conf
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var pref_challs=['dns-01', 'http-01'] (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var config_dir=/etc/letsencrypt (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var logs_dir=/tmp/letsencrypt-log (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var work_dir=/tmp/letsencrypt-lib (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var preferred_chain=ISRG Root X1 (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var key_type=ecdsa (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var elliptic_curve=secp384r1 (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var webroot_map={'webroot_path'} (set by user).
```

```
{
  "identifier": { "type": "dns", "value": "nextcloud.outbacknerd.party" },
  "status": "invalid",
  "expires": "2024-08-24T05:04:27Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/HQjEfQ",
      "status": "invalid",
      "validated": "2024-08-17T05:04:27Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "144.6.165.0: Fetching http://nextcloud.outbacknerd.party/.well-known/acme-challenge/no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac",
      "validationRecord": [
        {
          "url": "http://nextcloud.outbacknerd.party/.well-known/acme-challenge/no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac",
          "hostname": "nextcloud.outbacknerd.party",
          "port": "80",
          "addressesResolved": [ "144.6.165.0" ],
          "addressUsed": "144.6.165.0"
        }
      ]
    }
  ]
}
2024-08-17 05:04:39,209:DEBUG:acme.client:Storing nonce: Hj5k7jKgKC4yvghfzBCnrwHT1t80uWw9-ItjNSFSyLbf989ZFbs
2024-08-17 05:04:39,212:INFO:certbot._internal.auth_handler:Challenge failed for domain nextcloud.outbacknerd.party
2024-08-17 05:04:39,212:INFO:certbot._internal.auth_handler:http-01 challenge for nextcloud.outbacknerd.party
2024-08-17 05:04:39,213:DEBUG:certbot._internal.display.obj:Notifying user: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: nextcloud.outbacknerd.party
  Type: connection
  Detail: 144.6.165.0: Fetching http://nextcloud.outbacknerd.party/.well-known/acme-challenge/no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2024-08-17 05:04:39,218:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-08-17 05:04:39,218:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-08-17 05:04:39,219:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-08-17 05:04:39,219:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac
2024-08-17 05:04:39,220:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-08-17 05:04:39,221:ERROR:certbot._internal.renewal:Failed to renew certificate npm-7 with error: Some challenges have failed.
2024-08-17 05:04:39,224:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1550, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, newkey, = le_client.obtain_certificate(domains, new_key)
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-08-17 05:04:39,227:DEBUG:certbot._internal.display.obj:Notifying user:

2024-08-17 05:04:39,227:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2024-08-17 05:04:39,227:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
2024-08-17 05:04:39,227:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-17 05:04:39,227:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2024-08-17 05:04:39,228:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
[root@docker-2cbb66229267:/tmp/letsencrypt-log]# ^C
[root@docker-2cbb66229267:/tmp/letsencrypt-log]#
```

@jc21

souravsk commented 2 months ago

Did anyone solve this error?

excel0n commented 2 months ago

Well, I spent 4 days troubleshooting this, and then figured out I had restricted the region of my router to only accept traffic from the US. As soon as I opened it up, I was able to renew my certificates.

AlfaJackal commented 2 months ago

This is the solution and it makes sense. What doesn't make sense is that my router settings have been unchanged for ages and my last certificate renewals went through.

Second solution is a DNS challenge with a wildcard cert: https://medium.com/@martin.hodges/adding-a-wildcard-lets-encrypt-certificate-to-your-server-without-a-web-server-2e86e4e292ab