Closed jclsn closed 2 days ago
IONOS works. I suggest taking the bug label off and using a help label.
I assume you use the German IONOS - in any case US, Spanish or German.. all same process.
You do not need to create a TXT record. In the IONOS API portal you get a prefix and an API key; this is all you need to create an SSL cert with NPM.
When setting up the SSL certs, choose DNS Challenge, choose IONOS and enter this:
dns_ionos_prefix = myapikeyprefix
dns_ionos_secret = verysecureapikeysecret
dns_ionos_endpoint = https://api.hosting.ionos.com
Yeah, that part also works for me. I am now thinking that something does not work with the proxy. The certificates from Letsencrypt are not the ones I am getting when I am trying to access the domain. There are also no access logs on the proxies.
Anything suspicious here? I also just realized that the backend is listening on port 3000. Shouldn't this be port 80?
| \ | | _ \| \/ |
| \| | |_) | |\/| |
| |\ | __/| | | |
|_| \_|_| |_| |_|
-------------------------------------
User: npm PUID:0 ID:0 GROUP:0
Group: npm PGID:0 ID:0
-------------------------------------
❯ Starting nginx ...
❯ Starting backend ...
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /data/nginx/proxy_host/2.conf:19
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /data/nginx/proxy_host/2.conf:20
[11/23/2024] [4:17:09 PM] [Global ] › ℹ info Using Sqlite: /data/database.sqlite
[11/23/2024] [4:17:12 PM] [Migrate ] › ℹ info Current database version: none
[11/23/2024] [4:17:12 PM] [Global ] › ⬤ debug CMD: [ -f '/etc/letsencrypt/credentials/credentials-4' ] || { mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_ionos_prefix = xxxxxxxxx
dns_ionos_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxx
dns_ionos_endpoint = https://api.hosting.ionos.com' > '/etc/letsencrypt/credentials/credentials-4' && chmod 600 '/etc/letsencrypt/credentials/credentials-4'; }
[11/23/2024] [4:17:12 PM] [Certbot ] › ▶ start Installing ionos...
[11/23/2024] [4:17:12 PM] [Global ] › ⬤ debug CMD: . /opt/certbot/bin/activate && pip install --no-cache-dir certbot-dns-ionos==2022.11.24 && deactivate
[11/23/2024] [4:17:15 PM] [Certbot ] › ☒ complete Installed ionos
[11/23/2024] [4:17:15 PM] [Setup ] › ℹ info Added Certbot plugins ionos
[11/23/2024] [4:17:15 PM] [Setup ] › ℹ info Logrotate Timer initialized
[11/23/2024] [4:17:15 PM] [Global ] › ⬤ debug CMD: logrotate /etc/logrotate.d/nginx-proxy-manager
[11/23/2024] [4:17:15 PM] [Setup ] › ℹ info Logrotate completed.
[11/23/2024] [4:17:15 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[11/23/2024] [4:17:15 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[11/23/2024] [4:17:15 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[11/23/2024] [4:17:15 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[11/23/2024] [4:17:15 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[11/23/2024] [4:17:15 PM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ...
[11/23/2024] [4:17:15 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[11/23/2024] [4:17:15 PM] [Global ] › ℹ info Backend PID 154 listening on port 3000 ...
[11/23/2024] [4:17:15 PM] [SSL ] › ℹ info Completed SSL cert renew process
Nothing suspicious in the logs. Certs are created.
Did I maybe misconfigure something on IONOS then? I deleted everything but the A and AAAA records
Seems right... maybe IP not up-to-date? Port forwarding in Router not correctly set to the server where NPM is on?
Since you are in Germany.. you are most likely behind CGNAT so directly working with DynDNS will not work.
You need something like a cloudflare tunnel or similar...
IP is up-to-date and the port forwarding is also working. I have everything as I had it with my Strato domain before. I just changed the domain provider now. One difference is that with Strato I used ddclient and now I am using the router's DynDNS function.
I can even use the domain for SSH connections. It is just that the proxy is somehow showing me the wrong certificate. One that is valid for 10 years or so and self-signed.
DNS propagation already correct? https://www.whatsmydns.net/
Edit: since you are using the IONOS api.. you could also update your IP with that.
Yes, all check marks are there. I don't think the DNS is the issue here. Maybe NPM is not serving port 80, but then it would complain, wouldn't it?
I am updating my IP with the IONOS API. This is what NPM is doing.
NPM is updating your Certs via DNS-Challenge. NPM is not updating your IP.
I know. The IP is fine like I said.
The problem is that the wrong certificate is used when I am accessing the server.
Would you mind sharing domain / ip with me? You could do via email rezzorix [at] gmail dot com
Thanks, sent you a mail
Answered.
Checklist
jc21/nginx-proxy-manager:latest docker image?
Describe the bug
The IONOS certificate is obtained using the DNS challenge, but the domain still does not use this certificate.
I am a bit frustrated by now, because I don't know what I am doing wrong. From what I understand a TXT record needs to be created for this to work, but I haven't seen one. Maybe I am mistaken and the TXT record is only present during the creation of the certificate. In any case, the certificate is not used, although the domain name certainly points to my server where NPM is running.
Nginx Proxy Manager Version v2.12.1
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The domain should use the certificate created with certbot.
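The symptom reported in this thread (a self-signed certificate valid for about 10 years being served instead of the Let's Encrypt one) can be recognised from the text that `openssl x509 -noout -subject -issuer -dates` prints for the served certificate. The following is an added example, not part of the thread or of Nginx Proxy Manager; the function names, the 100-day threshold and both sample outputs are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed samples of `openssl x509 -noout -subject -issuer -dates` output;
# names and dates are made up for this example.
SELF_SIGNED = """\
subject=CN = localhost
issuer=CN = localhost
notBefore=Nov 23 15:17:09 2024 GMT
notAfter=Nov 21 15:17:09 2034 GMT
"""
ACME_ISSUED = """\
subject=CN = example.org
issuer=C = US, O = Let's Encrypt, CN = E5
notBefore=Nov 23 15:17:09 2024 GMT
notAfter=Feb 21 15:17:08 2025 GMT
"""

REQUIRED = ("subject", "issuer", "notBefore", "notAfter")
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # date layout used by openssl


def parse_x509_summary(text):
    """Turn the key=value lines printed by openssl into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in REQUIRED:
            fields[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return fields


def check_served_cert(text, expected_issuer="Let's Encrypt", max_days=100):
    """Return findings that suggest a fallback certificate is being served."""
    cert = parse_x509_summary(text)
    lifetime = (datetime.strptime(cert["notAfter"], DATE_FMT)
                - datetime.strptime(cert["notBefore"], DATE_FMT))
    findings = []
    if cert["subject"] == cert["issuer"]:
        # Same name on both sides: self-issued, typical of a self-signed cert.
        findings.append("self-issued")
    if expected_issuer not in cert["issuer"]:
        findings.append("unexpected-issuer")
    if lifetime.days > max_days:
        findings.append(f"long-lived:{lifetime.days}d")
    return findings
```

The input can be produced with `openssl s_client -connect <host>:443 -servername <host>` piped into the `openssl x509` command above; an empty result means the served certificate looks like the CA-issued one.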