NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Internal Error trying to renew cert #396

Open AnonJervis opened 4 years ago

AnonJervis commented 4 years ago

I was trying to renew my cert running version 2.2.1 and the following error popped up:

[5/4/2020] [10:01:54 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #1: mywebite.com,
[5/4/2020] [10:01:55 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-1" --preferred-challenges "dns,http" --disable-hook-validation ,
Saving debug log to /var/log/letsencrypt/letsencrypt.log,
No certificate found with name npm-1 (expected /etc/letsencrypt/renewal/npm-1.conf).

I tried restarting the container to renew again and the log shows:

),
[5/4/2020] [10:00:15 PM] [SSL      ] › ✖  error     Certificate is not valid (Command failed: openssl x509 -in /etc/letsencrypt/live/npm-1/fullchain.pem -subject -noout,
140647724621128:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:,
unable to load certificate,
140647724621128:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/letsencrypt/live/npm-1/fullchain.pem','r'),
Can't open /etc/letsencrypt/live/npm-1/fullchain.pem for reading, No such file or directory,
[5/4/2020] [10:00:15 PM] [SSL      ] › ℹ  info      Renew Complete,
[5/4/2020] [10:00:14 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized,
[5/4/2020] [10:00:14 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized,
[5/4/2020] [10:00:15 PM] [Nginx    ] › ℹ  info      Reloading Nginx,
[5/4/2020] [10:00:14 PM] [Global   ] › ℹ  info      Backend PID 201 listening on port 3000 ...,
[5/4/2020] [10:00:14 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...,
[5/4/2020] [10:00:14 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6,
[5/4/2020] [10:00:13 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json,
[5/4/2020] [10:00:14 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4,
[5/4/2020] [10:00:13 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...,
[5/4/2020] [10:00:12 PM] [Migrate  ] › ℹ  info      Current database version: 20200410143839,
❯ Enabling IPV6 in hosts: /data/nginx,
  ❯ /etc/nginx/conf.d/production.conf,
  ❯ /etc/nginx/conf.d/default.conf,
  ❯ /etc/nginx/conf.d/include/resolvers.conf,
  ❯ /etc/nginx/conf.d/include/ip_ranges.conf,
  ❯ /etc/nginx/conf.d/include/proxy.conf,
  ❯ /etc/nginx/conf.d/include/block-exploits.conf,
  ❯ /etc/nginx/conf.d/include/assets.conf,
  ❯ /etc/nginx/conf.d/include/force-ssl.conf,
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf,
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf,
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d,
[services.d] done.,
[services.d] starting services,
[cont-init.d] done.,
[cont-init.d] executing container initialization scripts...,
[fix-attrs.d] done.,
[fix-attrs.d] applying ownership & permissions fixes...,
[s6-init] ensuring user provided files have correct perms...exited 0.,[s6-init] making user provided files available at /var/run/s6/etc...exited 0.

I decided to update to latest and the problem persists, so I completely deleted my npm container and its data and started a whole new instance. However, I still cannot renew and now my SSL cert expired the moment I tried registering. This is not my only webserver trying to renew SSL and it's happening to my other ones as well. I've tried creating with sub.subdomain.duckdns.org and it registered fine. Here is my log after starting everything fresh:

[cont-init.d] done.,
[services.d] starting services,
[services.d] done.,
Generating dummy SSL certificate...,
Generating a RSA private key,
...............................+++++,
............+++++,
writing new private key to '/data/nginx/dummykey.pem',
-----,
Complete,
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d,
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf,
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf,
  ❯ /etc/nginx/conf.d/include/force-ssl.conf,
  ❯ /etc/nginx/conf.d/include/assets.conf,
  ❯ /etc/nginx/conf.d/include/block-exploits.conf,
  ❯ /etc/nginx/conf.d/include/proxy.conf,
  ❯ /etc/nginx/conf.d/include/ip_ranges.conf,
  ❯ /etc/nginx/conf.d/include/resolvers.conf,
  ❯ /etc/nginx/conf.d/default.conf,
  ❯ /etc/nginx/conf.d/production.conf,
❯ Enabling IPV6 in hosts: /data/nginx,
[5/4/2020] [9:50:10 PM] [Global   ] › ✖  error     connect ECONNREFUSED xxx.xxx.xx.x3306,
[5/4/2020] [9:50:11 PM] [Global   ] › ✖  error     connect ECONNREFUSED xxx.xxx.xx.x3306,
[5/4/2020] [9:50:12 PM] [Global   ] › ✖  error     connect ECONNREFUSED xxx.xxx.xx.x3306,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      Current database version: none,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] auth Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] user Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] user_permission Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] proxy_host Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] redirection_host Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] dead_host Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] stream Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] access_list Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] certificate Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] access_list_auth Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [initial-schema] audit_log Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [websockets] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [websockets] proxy_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [forward_host] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [forward_host] proxy_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [http2_support] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [http2_support] proxy_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [http2_support] redirection_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [http2_support] dead_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [forward_scheme] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [forward_scheme] proxy_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [disabled] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [disabled] proxy_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [disabled] redirection_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [disabled] dead_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [disabled] stream Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [custom_locations] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [custom_locations] proxy_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [hsts] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [hsts] proxy_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [hsts] redirection_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [hsts] dead_host Table altered,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [settings] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [settings] setting Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [settings] Default settings added,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [access_list_client] Migrating Up...,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [access_list_client] access_list_client Table created,
[5/4/2020] [9:50:13 PM] [Migrate  ] › ℹ  info      [access_list_client] access_list Table altered,
[5/4/2020] [9:50:13 PM] [Setup    ] › ℹ  info      Creating a new JWT key pair...,
[5/4/2020] [9:50:22 PM] [Setup    ] › ℹ  info      Wrote JWT key pair to config file: /app/config/production.json,
[5/4/2020] [9:50:22 PM] [Setup    ] › ⚠  warning   Restarting interface to apply new configuration,
[5/4/2020] [9:50:24 PM] [Migrate  ] › ℹ  info      Current database version: 20200410143839,
[5/4/2020] [9:50:24 PM] [Setup    ] › ℹ  info      Creating a new user: admin@example.com with password: changeme,
[5/4/2020] [9:50:26 PM] [Setup    ] › ℹ  info      Initial setup completed,
[5/4/2020] [9:50:26 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...,
[5/4/2020] [9:50:26 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json,
[5/4/2020] [9:50:26 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4,
[5/4/2020] [9:50:26 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6,
[5/4/2020] [9:50:26 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized,
[5/4/2020] [9:50:26 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...,
[5/4/2020] [9:50:26 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized,
[5/4/2020] [9:50:26 PM] [Global   ] › ℹ  info      Backend PID 269 listening on port 3000 ...,
[5/4/2020] [9:50:27 PM] [Nginx    ] › ℹ  info      Reloading Nginx,
[5/4/2020] [9:50:27 PM] [SSL      ] › ℹ  info      Renew Complete,
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0,
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0,
QueryBuilder#omit is deprecated. This method will be removed in version 3.0,
[5/4/2020] [9:51:42 PM] [Nginx    ] › ℹ  info      Reloading Nginx,
[5/4/2020] [9:51:42 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #1: mywebite.com,
[5/4/2020] [9:51:46 PM] [Nginx    ] › ℹ  info      Reloading Nginx,
[5/4/2020] [9:51:46 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-1" --agree-tos --email "email.com" --preferred-challenges "dns,http" --webroot --domains "mywebite.com" ,
Saving debug log to /var/log/letsencrypt/letsencrypt.log,
Plugins selected: Authenticator webroot, Installer None,
Obtaining a new certificate,
Performing the following challenges:,
http-01 challenge for mywebite.com,
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.,
Waiting for verification...,
Challenge failed for domain mywebite.com,
http-01 challenge for mywebite.com,
Cleaning up challenges,
Some challenges have failed.,
,

Could this be a possible bug in the latest update? Could it be that my domain has already been registered with Let's Encrypt before, so I cannot re-register a new one when I start a new container?

kmanwar89 commented 1 year ago

+1 as someone else experiencing this error - I've been flooded with renewal emails from LetsEncrypt, and it seems the certs don't auto renew...

Fortunately, it was only 2 or 3 certs so I manually deleted them and re-requested them without issues. Is there any workaround identified?

The logs I get are the below, and seem to be continuous:

npm  | 2023-01-27T21:31:34.074189905Z 
npm  | 2023-01-27T21:31:34.074194695Z     at ChildProcess.exithandler (node:child_process:402:12)
npm  | 2023-01-27T21:31:34.074199735Z     at ChildProcess.emit (node:events:513:28)
npm  | 2023-01-27T21:31:34.074204645Z     at maybeClose (node:internal/child_process:1100:16)
npm  | 2023-01-27T21:31:34.074209645Z     at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
npm  | 2023-01-27T22:31:32.252441362Z [1/27/2023] [10:31:32 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
npm  | 2023-01-27T22:31:32.261066175Z [1/27/2023] [10:31:32 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
npm  | 2023-01-27T22:31:32.261095964Z [1/27/2023] [10:31:32 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
npm  | 2023-01-27T22:31:32.616221690Z [1/27/2023] [10:31:32 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
npm  | 2023-01-27T22:31:32.786813548Z [1/27/2023] [10:31:32 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
npm  | 2023-01-27T22:31:33.083437363Z [1/27/2023] [10:31:33 PM] [Nginx    ] › ℹ  info      Reloading Nginx
npm  | 2023-01-27T22:31:33.749887794Z [1/27/2023] [10:31:33 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
npm  | 2023-01-27T22:31:33.749917303Z Renewal configuration file /etc/letsencrypt/renewal/npm-14.conf is broken.
npm  | 2023-01-27T22:31:33.749922373Z The error was: expected /etc/letsencrypt/live/npm-14/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.749926401Z Skipping.
npm  | 2023-01-27T22:31:33.749930219Z Renewal configuration file /etc/letsencrypt/renewal/npm-16.conf is broken.
npm  | 2023-01-27T22:31:33.749934127Z The error was: expected /etc/letsencrypt/live/npm-16/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.749937964Z Skipping.
npm  | 2023-01-27T22:31:33.749941702Z Renewal configuration file /etc/letsencrypt/renewal/npm-19.conf is broken.
npm  | 2023-01-27T22:31:33.749945519Z The error was: expected /etc/letsencrypt/live/npm-19/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.749949327Z Skipping.
npm  | 2023-01-27T22:31:33.749952954Z Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
npm  | 2023-01-27T22:31:33.749956752Z The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.749973365Z Skipping.
npm  | 2023-01-27T22:31:33.749977202Z Renewal configuration file /etc/letsencrypt/renewal/npm-20.conf is broken.
npm  | 2023-01-27T22:31:33.749980960Z The error was: expected /etc/letsencrypt/live/npm-20/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.749984868Z Skipping.
npm  | 2023-01-27T22:31:33.749988625Z Renewal configuration file /etc/letsencrypt/renewal/npm-21.conf is broken.
npm  | 2023-01-27T22:31:33.749992433Z The error was: expected /etc/letsencrypt/live/npm-21/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.749996200Z Skipping.
npm  | 2023-01-27T22:31:33.749999838Z Renewal configuration file /etc/letsencrypt/renewal/npm-23.conf is broken.
npm  | 2023-01-27T22:31:33.750003595Z The error was: expected /etc/letsencrypt/live/npm-23/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750007373Z Skipping.
npm  | 2023-01-27T22:31:33.750011000Z Renewal configuration file /etc/letsencrypt/renewal/npm-25.conf is broken.
npm  | 2023-01-27T22:31:33.750014857Z The error was: expected /etc/letsencrypt/live/npm-25/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750018675Z Skipping.
npm  | 2023-01-27T22:31:33.750022252Z Renewal configuration file /etc/letsencrypt/renewal/npm-28.conf is broken.
npm  | 2023-01-27T22:31:33.750026020Z The error was: expected /etc/letsencrypt/live/npm-28/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750029827Z Skipping.
npm  | 2023-01-27T22:31:33.750033404Z Renewal configuration file /etc/letsencrypt/renewal/npm-29.conf is broken.
npm  | 2023-01-27T22:31:33.750037182Z The error was: expected /etc/letsencrypt/live/npm-29/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750040959Z Skipping.
npm  | 2023-01-27T22:31:33.750044577Z Renewal configuration file /etc/letsencrypt/renewal/npm-30.conf is broken.
npm  | 2023-01-27T22:31:33.750048374Z The error was: expected /etc/letsencrypt/live/npm-30/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750052172Z Skipping.
npm  | 2023-01-27T22:31:33.750056761Z Renewal configuration file /etc/letsencrypt/renewal/npm-31.conf is broken.
npm  | 2023-01-27T22:31:33.750060629Z The error was: expected /etc/letsencrypt/live/npm-31/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750064436Z Skipping.
npm  | 2023-01-27T22:31:33.750068003Z Renewal configuration file /etc/letsencrypt/renewal/npm-32.conf is broken.
npm  | 2023-01-27T22:31:33.750071761Z The error was: expected /etc/letsencrypt/live/npm-32/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750075599Z Skipping.
npm  | 2023-01-27T22:31:33.750079156Z Renewal configuration file /etc/letsencrypt/renewal/npm-33.conf is broken.
npm  | 2023-01-27T22:31:33.750082933Z The error was: expected /etc/letsencrypt/live/npm-33/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750086721Z Skipping.
npm  | 2023-01-27T22:31:33.750090298Z Renewal configuration file /etc/letsencrypt/renewal/npm-34.conf is broken.
npm  | 2023-01-27T22:31:33.750094055Z The error was: expected /etc/letsencrypt/live/npm-34/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750103775Z Skipping.
npm  | 2023-01-27T22:31:33.750107612Z Renewal configuration file /etc/letsencrypt/renewal/npm-35.conf is broken.
npm  | 2023-01-27T22:31:33.750111410Z The error was: expected /etc/letsencrypt/live/npm-35/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750115749Z Skipping.
npm  | 2023-01-27T22:31:33.750123574Z Renewal configuration file /etc/letsencrypt/renewal/npm-36.conf is broken.
npm  | 2023-01-27T22:31:33.750128795Z The error was: expected /etc/letsencrypt/live/npm-36/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750133835Z Skipping.
npm  | 2023-01-27T22:31:33.750138564Z Renewal configuration file /etc/letsencrypt/renewal/npm-39.conf is broken.
npm  | 2023-01-27T22:31:33.750143584Z The error was: expected /etc/letsencrypt/live/npm-39/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750148634Z Skipping.
npm  | 2023-01-27T22:31:33.750153424Z Renewal configuration file /etc/letsencrypt/renewal/npm-40.conf is broken.
npm  | 2023-01-27T22:31:33.750159035Z The error was: expected /etc/letsencrypt/live/npm-40/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750164726Z Skipping.
npm  | 2023-01-27T22:31:33.750169586Z Renewal configuration file /etc/letsencrypt/renewal/npm-42.conf is broken.
npm  | 2023-01-27T22:31:33.750175417Z The error was: expected /etc/letsencrypt/live/npm-42/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750180748Z Skipping.
npm  | 2023-01-27T22:31:33.750185498Z Renewal configuration file /etc/letsencrypt/renewal/npm-43.conf is broken.
npm  | 2023-01-27T22:31:33.750190498Z The error was: expected /etc/letsencrypt/live/npm-43/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750195568Z Skipping.
npm  | 2023-01-27T22:31:33.750200317Z Renewal configuration file /etc/letsencrypt/renewal/npm-44.conf is broken.
npm  | 2023-01-27T22:31:33.750205337Z The error was: expected /etc/letsencrypt/live/npm-44/cert.pem to be a symlink
npm  | 2023-01-27T22:31:33.750210387Z Skipping.
npm  | 2023-01-27T22:31:33.750215177Z 0 renew failure(s), 22 parse failure(s)
npm  | 2023-01-27T22:31:33.750220107Z 
npm  | 2023-01-27T22:31:33.750224856Z     at ChildProcess.exithandler (node:child_process:402:12)
npm  | 2023-01-27T22:31:33.750229856Z     at ChildProcess.emit (node:events:513:28)
npm  | 2023-01-27T22:31:33.750234826Z     at maybeClose (node:internal/child_process:1100:16)
npm  | 2023-01-27T22:31:33.750239856Z     at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
npm  | 2023-01-27T23:31:32.252935240Z [1/27/2023] [11:31:32 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
npm  | 2023-01-27T23:31:33.972358199Z [1/27/2023] [11:31:33 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
npm  | 2023-01-27T23:31:33.972396275Z Renewal configuration file /etc/letsencrypt/renewal/npm-14.conf is broken.
npm  | 2023-01-27T23:31:33.972423779Z The error was: expected /etc/letsencrypt/live/npm-14/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972429591Z Skipping.
npm  | 2023-01-27T23:31:33.972434581Z Renewal configuration file /etc/letsencrypt/renewal/npm-16.conf is broken.
npm  | 2023-01-27T23:31:33.972439781Z The error was: expected /etc/letsencrypt/live/npm-16/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972444951Z Skipping.
npm  | 2023-01-27T23:31:33.972449861Z Renewal configuration file /etc/letsencrypt/renewal/npm-19.conf is broken.
npm  | 2023-01-27T23:31:33.972454931Z The error was: expected /etc/letsencrypt/live/npm-19/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972460001Z Skipping.
npm  | 2023-01-27T23:31:33.972464820Z Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
npm  | 2023-01-27T23:31:33.972470091Z The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972475291Z Skipping.
npm  | 2023-01-27T23:31:33.972480181Z Renewal configuration file /etc/letsencrypt/renewal/npm-20.conf is broken.
npm  | 2023-01-27T23:31:33.972485301Z The error was: expected /etc/letsencrypt/live/npm-20/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972490381Z Skipping.
npm  | 2023-01-27T23:31:33.972495281Z Renewal configuration file /etc/letsencrypt/renewal/npm-21.conf is broken.
npm  | 2023-01-27T23:31:33.972500361Z The error was: expected /etc/letsencrypt/live/npm-21/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972505391Z Skipping.
npm  | 2023-01-27T23:31:33.972513016Z Renewal configuration file /etc/letsencrypt/renewal/npm-23.conf is broken.
npm  | 2023-01-27T23:31:33.972518236Z The error was: expected /etc/letsencrypt/live/npm-23/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972523306Z Skipping.
npm  | 2023-01-27T23:31:33.972528186Z Renewal configuration file /etc/letsencrypt/renewal/npm-25.conf is broken.
npm  | 2023-01-27T23:31:33.972533316Z The error was: expected /etc/letsencrypt/live/npm-25/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972538396Z Skipping.
npm  | 2023-01-27T23:31:33.972543206Z Renewal configuration file /etc/letsencrypt/renewal/npm-28.conf is broken.
npm  | 2023-01-27T23:31:33.972548326Z The error was: expected /etc/letsencrypt/live/npm-28/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972553436Z Skipping.
npm  | 2023-01-27T23:31:33.972558235Z Renewal configuration file /etc/letsencrypt/renewal/npm-29.conf is broken.
npm  | 2023-01-27T23:31:33.972563315Z The error was: expected /etc/letsencrypt/live/npm-29/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972568385Z Skipping.
npm  | 2023-01-27T23:31:33.972573205Z Renewal configuration file /etc/letsencrypt/renewal/npm-30.conf is broken.
npm  | 2023-01-27T23:31:33.972578335Z The error was: expected /etc/letsencrypt/live/npm-30/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972583425Z Skipping.
npm  | 2023-01-27T23:31:33.972589768Z Renewal configuration file /etc/letsencrypt/renewal/npm-31.conf is broken.
npm  | 2023-01-27T23:31:33.972601641Z The error was: expected /etc/letsencrypt/live/npm-31/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972606952Z Skipping.
npm  | 2023-01-27T23:31:33.972611761Z Renewal configuration file /etc/letsencrypt/renewal/npm-32.conf is broken.
npm  | 2023-01-27T23:31:33.972616821Z The error was: expected /etc/letsencrypt/live/npm-32/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972621861Z Skipping.
npm  | 2023-01-27T23:31:33.972626681Z Renewal configuration file /etc/letsencrypt/renewal/npm-33.conf is broken.
npm  | 2023-01-27T23:31:33.972631761Z The error was: expected /etc/letsencrypt/live/npm-33/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972636821Z Skipping.
npm  | 2023-01-27T23:31:33.972641700Z Renewal configuration file /etc/letsencrypt/renewal/npm-34.conf is broken.
npm  | 2023-01-27T23:31:33.972646851Z The error was: expected /etc/letsencrypt/live/npm-34/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972651951Z Skipping.
npm  | 2023-01-27T23:31:33.972657211Z Renewal configuration file /etc/letsencrypt/renewal/npm-35.conf is broken.
npm  | 2023-01-27T23:31:33.972662291Z The error was: expected /etc/letsencrypt/live/npm-35/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972667361Z Skipping.
npm  | 2023-01-27T23:31:33.972672211Z Renewal configuration file /etc/letsencrypt/renewal/npm-36.conf is broken.
npm  | 2023-01-27T23:31:33.972677301Z The error was: expected /etc/letsencrypt/live/npm-36/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972682621Z Skipping.
npm  | 2023-01-27T23:31:33.972687461Z Renewal configuration file /etc/letsencrypt/renewal/npm-39.conf is broken.
npm  | 2023-01-27T23:31:33.972692621Z The error was: expected /etc/letsencrypt/live/npm-39/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972697701Z Skipping.
npm  | 2023-01-27T23:31:33.972702501Z Renewal configuration file /etc/letsencrypt/renewal/npm-40.conf is broken.
npm  | 2023-01-27T23:31:33.972707571Z The error was: expected /etc/letsencrypt/live/npm-40/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972712651Z Skipping.
npm  | 2023-01-27T23:31:33.972717480Z Renewal configuration file /etc/letsencrypt/renewal/npm-42.conf is broken.
npm  | 2023-01-27T23:31:33.972722681Z The error was: expected /etc/letsencrypt/live/npm-42/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972727751Z Skipping.
npm  | 2023-01-27T23:31:33.972732600Z Renewal configuration file /etc/letsencrypt/renewal/npm-43.conf is broken.
npm  | 2023-01-27T23:31:33.972737740Z The error was: expected /etc/letsencrypt/live/npm-43/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972742851Z Skipping.
npm  | 2023-01-27T23:31:33.972747690Z Renewal configuration file /etc/letsencrypt/renewal/npm-44.conf is broken.
npm  | 2023-01-27T23:31:33.972752800Z The error was: expected /etc/letsencrypt/live/npm-44/cert.pem to be a symlink
npm  | 2023-01-27T23:31:33.972757920Z Skipping.
npm  | 2023-01-27T23:31:33.972763161Z 0 renew failure(s), 22 parse failure(s)
npm  | 2023-01-27T23:31:33.972768221Z 
npm  | 2023-01-27T23:31:33.972778411Z     at ChildProcess.exithandler (node:child_process:402:12)
npm  | 2023-01-27T23:31:33.972783591Z     at ChildProcess.emit (node:events:513:28)
npm  | 2023-01-27T23:31:33.972788561Z     at maybeClose (node:internal/child_process:1100:16)
npm  | 2023-01-27T23:31:33.972793621Z     at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
npm  | 2023-01-28T00:09:59.625386675Z [1/28/2023] [12:09:59 AM] [Nginx    ] › ℹ  info      Reloading Nginx
npm  | 2023-01-28T00:10:10.815170898Z [1/28/2023] [12:10:10 AM] [Nginx    ] › ℹ  info      Reloading Nginx
npm  | 2023-01-28T00:11:55.099793912Z [1/28/2023] [12:11:55 AM] [Nginx    ] › ℹ  info      Reloading Nginx

EDIflyer commented 1 year ago

Same issue here - just had 10 renewal notices this morning - it had been working fine and now none have renewed. @jc21 or anyone else, any word on a fix for this? It's getting to be a fairly major issue and is quite frustrating to have to keep recreating all the certs every month!

romeolazar commented 1 year ago

Yes, indeed. The issue is still present in the latest version. The only option is to delete and request a new certificate. Hope for a fix. THANK YOU.

momoirodouhu commented 1 year ago

In my case, this issue was solved by deleting the IPv6 address from the DNS record.

abdros commented 1 year ago

I had the same issue and solved it by adding a DNS CAA record for the HOST.MYDOMAIN.TLD and setting letsencrypt.org as an authorized certificate provider (I use EasyDNS). What made me think of this was an email that letsencrypt had sent some time ago regarding this soon-to-come requirement from DNS providers. Nginx Proxy Manager v2.7.1. Hope this helps others.

EDIflyer commented 1 year ago

Sadly I don't think that's an option for my DNS provider. The thing is it used to work fine and the issue seems to be around https being enforced even for the LetsEncrypt check so I'm hoping it's sortable in the code...

abdros commented 1 year ago

> Sadly I don't think that's an option for my DNS provider. The thing is it used to work fine and the issue seems to be around https being enforced even for the LetsEncrypt check so I'm hoping it's sortable in the code...

I do not know if it helps, but I had the "Force SSL" option selected in npm, and it worked. I do not know either if all DNS providers are enforcing the CAA requirement. I wish you good luck.

EDIflyer commented 1 year ago

> I do not know if it helps, but I had the "Force SSL" option selected in npm, and it worked. I do not know either if all DNS providers are enforcing the CAA requirement. I wish you good luck.

Yep it seems intermittent - when it stopped working I found if I switch that off it seems to work again obtaining certs, but at present both servers have SSL certs far enough away it's not trying to renew them yet

kaffeepause07 commented 1 year ago

"Force SSL" option was the problem on my site. Fixed it by changing the force ssl config file. The force ssl file works with these settings:

set $url "${scheme}:${request_uri}";
if ($url ~ "^http:(?!/\.well-known/acme-challenge/(.*))") {
        return 301 https://$host$request_uri;
}

Got this fix from this site: https://community.alarmiator.de/t/lets-encrypt-zertifikat-wird-von-nginx-proxy-manager-nicht-aktualisiert/380/3

D3B453R commented 1 year ago

> "Force SSL" option was the problem on my site. Fixed it by changing the force ssl config file. The force ssl file works with these settings:
>
> set $url "${scheme}:${request_uri}";
> if ($url ~ "^http:(?!/\.well-known/acme-challenge/(.*))") {
>         return 301 https://$host$request_uri;
> }
>
> Got this fix from this site: https://community.alarmiator.de/t/lets-encrypt-zertifikat-wird-von-nginx-proxy-manager-nicht-aktualisiert/380/3

This works for me. I was already thinking about an alternative for npm.

Thank you.

P.S. Many thanks for the solution; you have definitely earned the coffee break. ;)

EDIflyer commented 1 year ago

> "Force SSL" option was the problem on my site. Fixed it by changing the force ssl config file. The force ssl file works with these settings:
>
> set $url "${scheme}:${request_uri}";
> if ($url ~ "^http:(?!/\.well-known/acme-challenge/(.*))") {
>         return 301 https://$host$request_uri;
> }
>
> Got this fix from this site: https://community.alarmiator.de/t/lets-encrypt-zertifikat-wird-von-nginx-proxy-manager-nicht-aktualisiert/380/3

Yep - see the PR I did a few weeks ago - https://github.com/NginxProxyManager/nginx-proxy-manager/pull/3121 - has been fine for me since then too.

Orko79 commented 7 months ago

> "Force SSL" option was the problem on my site. Fixed it by changing the force ssl config file. The force ssl file works with these settings:
>
> set $url "${scheme}:${request_uri}";
> if ($url ~ "^http:(?!/\.well-known/acme-challenge/(.*))") {
>         return 301 https://$host$request_uri;
> }
>
> Got this fix from this site: https://community.alarmiator.de/t/lets-encrypt-zertifikat-wird-von-nginx-proxy-manager-nicht-aktualisiert/380/3

This worked for me too! Just replaced the original file with the one from the link (of course after making a backup ;-) ). Many thanks, and may you always have fresh, good coffee!

EDIflyer commented 7 months ago

Yep - for any not comfortable with making changes themselves, see the PR above I did that made those changes ;)

abalgo commented 2 weeks ago

For me, the problem was different. I've executed the certbot directly in the nginxproxymanager docker container and the problem was more explicit:

ERROR:certbot._internal.renewal:Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf is broken
ERROR:certbot._internal.renewal:The error was: expected /etc/letsencrypt/live/npm-3/cert.pem to be a symlink. Skipping.

So I've simply copied the files in ../../archive/npm-3 (actually it was not necessary because the files were already there with the names cert3.pem, chain3.pem, ...). I've just removed the files and replaced them with symlinks:

# certbot expects the files in live/ to be symlinks into archive/
cd /etc/letsencrypt/live/npm-3/
rm *.pem
ln -s ../../archive/npm-3/cert3.pem cert.pem
ln -s ../../archive/npm-3/chain3.pem chain.pem
ln -s ../../archive/npm-3/fullchain3.pem fullchain.pem
ln -s ../../archive/npm-3/privkey3.pem privkey.pem

Of course, replace the "3" with the number matching your situation (the biggest one in the archive directory).

And it works. I've renewed the certificates successfully from the user interface.

I hope it will help.
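
The manual symlink fix in the comment above, generalised into a script, as an added example that is not part of the thread or of Nginx Proxy Manager. It goes beyond the comment by finding every affected lineage, picking the highest archive version automatically, moving the regular files aside instead of deleting them, and refusing to touch `live/` when `archive/` is incomplete. The function names, the `pre-repair` backup directory and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find and repair certbot lineages whose live/<name>/*.pem are
# regular files instead of symlinks into archive/<name>/.
# Function bodies use ( ... ) so their variables stay local to a subshell.

KINDS="cert chain fullchain privkey"

# newest_version ARCHIVE_DIR -> highest N for which certN.pem exists (0 if none)
newest_version() (
    best=0
    for f in "$1"/cert[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/cert}; n=${n%.pem}
        case $n in *[!0-9]*) continue ;; esac
        if [ "$n" -gt "$best" ]; then best=$n; fi
    done
    echo "$best"
)

# lineage_ok LE_ROOT NAME -> 0 if all four live files are symlinks to existing files
lineage_ok() (
    for kind in $KINDS; do
        p="$1/live/$2/$kind.pem"
        [ -L "$p" ] && [ -e "$p" ] || return 1
    done
    return 0
)

# broken_lineages LE_ROOT -> prints one lineage name per line
broken_lineages() (
    for d in "$1"/live/*/; do
        [ -d "$d" ] || continue
        name=${d%/}; name=${name##*/}
        lineage_ok "$1" "$name" || echo "$name"
    done
)

# repair_lineage LE_ROOT NAME -> relinks live/NAME/*.pem to the newest archive set
repair_lineage() (
    root=$1; name=$2
    live="$root/live/$name"; archive="$root/archive/$name"
    [ -d "$live" ] || { echo "$name: no live/ directory" >&2; return 1; }
    ver=$(newest_version "$archive")
    # Change nothing unless archive/ holds a complete set for that version.
    for kind in $KINDS; do
        if [ ! -f "$archive/$kind$ver.pem" ]; then
            echo "$name: archive/$name/$kind$ver.pem missing, not touching live/" >&2
            return 1
        fi
    done
    backup="$root/pre-repair/$name"   # assumed location, outside live/ and archive/
    for kind in $KINDS; do
        link="$live/$kind.pem"
        if [ -L "$link" ]; then
            rm -f "$link"                       # stale or dangling symlink
        elif [ -e "$link" ]; then
            mkdir -p "$backup" && chmod 700 "$backup"
            mv "$link" "$backup/"               # keep the old copy (includes privkey)
        fi
        ln -s "../../archive/$name/$kind$ver.pem" "$link"
    done
)

# Constructed sample: npm-3 has regular files in live/ (the broken state from
# the thread), npm-5 is a healthy lineage. File contents are placeholders.
make_sample_tree() (
    root=$1
    mkdir -p "$root/live/npm-3" "$root/archive/npm-3" \
             "$root/live/npm-5" "$root/archive/npm-5"
    for kind in $KINDS; do
        for v in 1 2 3; do
            echo "placeholder $kind v$v" > "$root/archive/npm-3/$kind$v.pem"
        done
        echo "placeholder $kind v3" > "$root/live/npm-3/$kind.pem"   # regular file
        echo "placeholder $kind v1" > "$root/archive/npm-5/${kind}1.pem"
        ln -s "../../archive/npm-5/${kind}1.pem" "$root/live/npm-5/$kind.pem"
    done
)

# Demo on the constructed tree only; nothing under /etc/letsencrypt is touched.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "broken before: $(broken_lineages "$demo_root")"
repair_lineage "$demo_root" npm-3
echo "broken after:  $(broken_lineages "$demo_root")"
rm -rf "$demo_root"
```

On a real instance the same functions would be called inside the container with `/etc/letsencrypt` as the root, after which the renewal can be retried from the user interface as described in the comment.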