NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Let's Encrypt SSL Cert Auto-Renew "Internal Error" #3979

Open theDepart3d opened 2 months ago

theDepart3d commented 2 months ago

Describe the bug

Certificates issued by Let's Encrypt do not auto-renew; manually clicking renew returns "Internal Error". Deleting the certificate and re-creating it works though.

Nginx Proxy Manager Version

v2.11.3 - Using Docker-Compose

To Reproduce

Steps to reproduce the behavior:

  1. Find an expired Let's Encrypt cert.
  2. Click renew (returns "Internal Error")

Expected behavior

Renew the SSL certificate issued by Let's Encrypt

Operating System

Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm

ayasystems commented 2 months ago

I've the same problem with the same docker version

theDepart3d commented 2 months ago

> I've the same problem with the same docker version

I'm using the docker-compose version too. Forgot to mention that.

port42069 commented 2 months ago

> Deleting the certificate and re-creating it works though.

I added a DNS Challenge cert for a domain that I haven't used before; after adding it I was able to renew the other certificates without getting the Internal Error!

Edit: Came across this error again with another docker compose container. I recently migrated this container to a new machine and the symlinks located in the "./letsencrypt/live/npm-x/" directory were copied over as the source files, not the links. After recreating the symlinks to the ".pem" files located at "./letsencrypt/archive/npm-x/" I was able to renew the cert.
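A way to check for the state described in the comment above before attempting a renewal, as an added example that is not part of the thread or of NPM's code. The lineage names `npm-1`/`npm-2` and the demo tree are constructed; the function takes the path of the `letsencrypt` directory as its only argument.

```bash
#!/usr/bin/env bash
# Added example. Lineage names npm-1/npm-2 and all file contents are constructed.

# Print one line per live/<name>/*.pem that is not a relative symlink
# into archive/<name>/ (the layout certbot creates) or whose target is missing.
check_live_links() {
    local le_dir=$1 lineage name pem target
    for lineage in "$le_dir"/live/*/; do
        [ -d "$lineage" ] || continue
        name=$(basename "$lineage")
        for pem in "$lineage"*.pem; do
            [ -e "$pem" ] || [ -L "$pem" ] || continue   # unmatched glob
            if [ ! -L "$pem" ]; then
                echo "NOT-A-SYMLINK $pem"; continue
            fi
            target=$(readlink "$pem")
            case $target in
                "../../archive/$name/"*) ;;
                *) echo "UNEXPECTED-TARGET $pem -> $target"; continue ;;
            esac
            [ -e "$pem" ] || echo "DANGLING $pem -> $target"
        done
    done
    return 0
}

# Build a throwaway tree: npm-1 is healthy, npm-2 was copied as regular files.
make_demo_tree() {
    local d f
    d=$(mktemp -d)
    mkdir -p "$d/archive/npm-1" "$d/archive/npm-2" "$d/live/npm-1" "$d/live/npm-2"
    for f in cert chain fullchain privkey; do
        echo constructed > "$d/archive/npm-1/${f}1.pem"
        ln -s "../../archive/npm-1/${f}1.pem" "$d/live/npm-1/$f.pem"
        echo constructed > "$d/live/npm-2/$f.pem"
    done
    echo "$d"
}

demo=$(make_demo_tree)
check_live_links "$demo"      # reports the four regular files under live/npm-2
rm -rf "$demo"
```

Copy tools that dereference links produce the `NOT-A-SYMLINK` state; copying with `cp -a` or `rsync -a` keeps the links as links.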

theDepart3d commented 2 months ago

> Deleting the certificate and re-creating it works though.
>
> I added a DNS Challenge cert for a domain that I haven't used before; after adding it I was able to renew the other certificates without getting the Internal Error!
>
> Edit: Came across this error again with another docker compose container. I recently migrated this container to a new machine and the symlinks located in the "./letsencrypt/live/npm-x/" directory were copied over as the source files, not the links. After recreating the symlinks to the ".pem" files located at "./letsencrypt/archive/npm-x/" I was able to renew the cert.

I am using the DNS Challenge and I still get this error.

> I recently migrated this container to a new machine and the symlinks located in the "./letsencrypt/live/npm-x/" directory were copied over as the source files, not the links.

My links are correct (just checked). The renew just never ever worked for me. This is my second NPM and still does not work.

ThatCoffeeGuy commented 2 months ago

I checked the logs because of the same issue and I got banned from letsencrypt. I was horrified to discover that I got banned because NPM was SPAMMING the renewal requests for domains that were not even accessible, multiple times a minute. As I am quite sure this is not how it worked, I believe this is a bug introduced with a recent version.

" error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type"

theDepart3d commented 1 month ago

> I checked the logs because of the same issue and I got banned from letsencrypt. I was horrified to discover that I got banned because NPM was SPAMMING the renewal requests for domains that were not even accessible, multiple times a minute. As I am quite sure this is not how it worked, I believe this is a bug introduced with a recent version.
>
> " error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type"

What is the location of the log file? Maybe I missed something. My log files don't show any errors.

JNR8 commented 4 weeks ago

FYI: for anyone else that is in the same situation as me this is the fix.

I limited my Cloudflare API key to only work from certain IP addresses. I recently moved house and changed my ISP. Since then the cert renewals all failed with the same error that OP listed, but I had forgotten this.

After checking the /var/logs/letsencrypt/letsencrypt.log file I could see multiple of the following entries:

2024-10-24 08:23:29,249:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Encountered error finding zone_id during deletion: Error determining zone_id: 9109 Max auth failures reached, please check your Authorization header.. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)

This indicated an issue with my API key. Knowing I had not changed it, I logged into Cloudflare and noticed I had restricted it to only be usable from certain IP addresses, as a security precaution. After entering my new (static) IP from the new ISP the issue was resolved (for me in this very specific situation).

I hope this helps anyone else who may have limited their API key to certain IP addresses, and forgot they did that. :)
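A quick triage of `letsencrypt.log` for the two failure signatures quoted in the comments above (the ACME `rateLimited` error and the Cloudflare "Max auth failures reached" entry), as an added example that is not part of the thread or of NPM's code. The sample log is constructed from those two strings; pass the path of the real log file as the argument.

```bash
#!/usr/bin/env bash
# Added example. The sample log is constructed from the two error strings in this thread.

# Summarise a certbot log: per failure signature, the number of hits,
# the first timestamp, and the busiest single minute.
triage_le_log() {
    awk '
        function hit(k,   m) {
            n[k]++
            if (!(k in first)) first[k] = substr($0, 1, 19)
            m = k SUBSEP substr($0, 1, 16)            # key + YYYY-MM-DD HH:MM
            if (++per[m] > peak[k]) peak[k] = per[m]
        }
        !/^[0-9][0-9][0-9][0-9]-/ { next }            # skip lines without a timestamp
        /acme:error:rateLimited/ { hit("rate_limited") }
        /certbot_dns_cloudflare/ && /Max auth failures reached/ { hit("cloudflare_auth") }
        END {
            split("rate_limited cloudflare_auth", ks, " ")
            for (i = 1; i <= 2; i++) {
                k = ks[i]
                printf "%s count=%d first=%s peak_per_minute=%d\n",
                       k, n[k], ((k in first) ? first[k] : "-"), peak[k]
            }
        }
    ' "$1"
}

# Write the constructed sample log to a temp file and print its path.
make_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-10-24 08:20:01,100:DEBUG:certbot._internal.log:Exiting abnormally: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type
2024-10-24 08:20:21,500:DEBUG:certbot._internal.log:Exiting abnormally: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type
Traceback (most recent call last):
2024-10-24 08:20:41,900:DEBUG:certbot._internal.log:Exiting abnormally: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type
2024-10-24 08:21:02,300:DEBUG:certbot._internal.log:Exiting abnormally: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type
2024-10-24 08:23:29,249:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Encountered error finding zone_id during deletion: Error determining zone_id: 9109 Max auth failures reached, please check your Authorization header.
EOF
    echo "$f"
}

log=$(make_sample_log)
triage_le_log "$log"
rm -f "$log"
```

A `peak_per_minute` above 1 for `rate_limited` matches the repeated-renewal pattern reported earlier in the thread; any `cloudflare_auth` hit points at the API token or its IP restriction rather than at NPM.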

coolstuff99 commented 3 weeks ago

Solved by force containers removal, pruning latest images and re-creating it again by pulling the latest version:

```
docker rm -f npm-app
docker rm -f npm-db
docker image prune -a
docker-compose up -d
```

Hope it helps!

jo-pouradier commented 2 weeks ago

Hello, got the same issue. Which DNS are you using? If it's Cloudflare, deactivate the Cloudflare proxy (test but wait a few minutes), get your SSL certs and put the Cloudflare proxy on again. Otherwise, for other DNS, use nslookup and verify it's your IP.

up2you1 commented 2 weeks ago

Had a similar issue today. My SSL certs usually auto-renew and this has not been an issue for a few years; today I noticed one SSL cert needed to be renewed by 24th Nov 2024, tried to manually renew but got an internal error.

Googled and saw one post on here saying to switch off forced SSL and try, so did this and manual renew worked. Not sure why it's started to be an issue now and not before; I've always had force SSL on.

Use nginx in Unraid, docker, repo: jlesage/nginx-proxy-manager

Also using cloudflare cname record with proxy enabled.

thanks

pluim003 commented 1 week ago

I have the same issue, switched off force SSL but still no success in renewing. And when I test server connectivity in NPM it says:

influxdb..nl: There is a server found at this domain but it returned an unexpected status code Invalid domain or IP. Is it the NPM server? Please make sure your domain points to the IP where your NPM instance is running.

The mentioned internal ip-address: 192.168.178.10:8086 is valid and I can connect directly through that.

A bit later: About a month ago I've put my Raspberry Pi4 in another network. Seemed that port 80 wasn't forwarded from the Fritzbox to the RPi4. So after modifying this it's working again.