NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
23.29k stars, 2.7k forks

Internal Error creating SSL #747

Closed magicman32 closed 3 years ago

magicman32 commented 3 years ago


When creating a proxy host, I get an internal error and SSL is not created. New to Docker, learning as I go.

This pic is when I try to create a host proxy with SSL: [image: npm-ssl-error2]

This pic is when I try to create SSL on its own without creating a host proxy: [image: npm-error3]

Some of the text is cut out; here is the full log:

```
Error: Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-12" --agree-tos --email "magicman32.craig@gmail.com" --preferred-challenges "dns,http" --domains "books.beastunraid.me"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for books.beastunraid.me
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain books.beastunraid.me
http-01 challenge for books.beastunraid.me
Cleaning up challenges
Some challenges have failed.

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
```
magicman32 commented 3 years ago

Anyone??

rmensing commented 3 years ago

As far as I am aware you must select "Use a DNS challenge"; otherwise Certbot tries to use the HTTP-01 challenge, which would require NPM to have access to the webroot of the server you are trying to get a cert for, and I'm willing to bet that it does not have that access.

Switch on "Use a DNS challenge", then select your DNS provider, if it is on the list. It will probably need an API token that you will get from your DNS provider. If your DNS provider is not on the list then you may need to switch to one that is. Cloudflare and probably others have free accounts available.

magicman32 commented 3 years ago

[image: npm-dns-challenge] I'm with Cloudflare. Am I putting in my global API key? Sorry, noob at this stuff. Or do I need to create an API token?

rmensing commented 3 years ago

You will need to create an API token. Use the "edit zone DNS" template. Make note of the created token as once you close it you will not be able to view the token again.

The global API key no longer works for this. Funny thing is that this is why I was here and saw your post. I was using the global key in some of mine and was getting a similar error when trying to renew. Switching to a created token resolved my issue.

magicman32 commented 3 years ago

OK, got my edit zone DNS API token. What do I need to put in the Credentials File content section? I'm not sure what to add or replace or change there.

chris1668 commented 3 years ago

I just tried to use the Cloudflare DNS challenge and it seems the Docker image from JLesage does not have the Cloudflare DNS module installed, so after running `pip3 install certbot-dns-cloudflare==1.8.0` (matching the version from the internal error message) I have now ended up at this "Command failed" error with no obvious reason standing out to me.

```
Error: Command failed: /usr/bin/certbot certonly --non-interactive --cert-name "npm-15" --agree-tos --email "" --domains ".example.com" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-15"
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1315, in main
    log.pre_arg_parse_setup()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/log.py", line 55, in pre_arg_parse_setup
    temp_handler = TempHandler()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/log.py", line 243, in init
    stream = util.safe_open(self.path, mode='w', chmod=0o600)
  File "/usr/lib/python3.8/site-packages/certbot/util.py", line 197, in safe_open
    fd = filesystem.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, open_args)
  File "/usr/lib/python3.8/site-packages/certbot/compat/filesystem.py", line 149, in open
    return os.open(file_path, flags, mode)
PermissionError: [Errno 13] Permission denied: '/tmp/tmpyp2bcu3c/log'

    at ChildProcess.exithandler (child_process.js:303:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5)
```

[image: dns_challenege_error]

magicman32 commented 3 years ago

> You will need to create an API token. Use the "edit zone DNS" template. Make note of the created token as once you close it you will not be able to view the token again.
>
> The global API key no longer works for this. Funny thing is that this is why I was here and saw your post. I was using the global key in some of mine and was getting a similar error when trying to renew. Switching to a created token resolved my issue.

Did that, what next? OK, got my edit zone DNS API token. What do I need to put in the Credentials File content section? I'm not sure what to add or replace or change there.

magicman32 commented 3 years ago

@rmensing

rmensing commented 3 years ago

Sorry for the delay @magicman32. Just replace everything after the = sign with the API token. Leave the propagation seconds box empty; the default works fine. Click the "I Agree" switch and then click Save. It should pull a cert without error. I had the NPM log open in a second window so I could watch what it was doing live. I use Portainer, which makes watching the log easier.
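An added example, not part of this thread and not NPM's or certbot's own code, that checks a Cloudflare credentials file the way the answer above describes: the value after the `=` should be a scoped API token rather than the untouched template placeholder or the legacy Global API Key pair, and the file should not be readable by other users. It assumes the key names certbot's dns-cloudflare plugin reads (`dns_cloudflare_api_token`, and the legacy `dns_cloudflare_email` / `dns_cloudflare_api_key` pair) and that the NPM template's placeholder value starts with `0123456789abcdef` (an assumption); all sample file contents are constructed.

```python
import os
import re
import stat
import tempfile

# Key names read by certbot's dns-cloudflare plugin: a scoped API token,
# or the legacy e-mail + Global API Key pair that rmensing reports no longer works.
TOKEN_KEY = "dns_cloudflare_api_token"
LEGACY_KEYS = ("dns_cloudflare_email", "dns_cloudflare_api_key")
# Assumption: the placeholder NPM pre-fills in the credentials box starts like this.
TEMPLATE_PLACEHOLDER_PREFIX = "0123456789abcdef"


def parse_credentials(text):
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    creds = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        # Matching surrounding quotes are stripped, as an INI-style parser would.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        creds[key.strip()] = value
    return creds


def check_content(creds):
    """Return a list of findings about the parsed content; empty means it looks usable."""
    findings = []
    token = creds.get(TOKEN_KEY)
    if token is None:
        if all(k in creds for k in LEGACY_KEYS):
            findings.append("legacy Global API Key in use; replace with a scoped API token")
        else:
            findings.append(f"no {TOKEN_KEY} line found")
        return findings
    if not token:
        findings.append(f"{TOKEN_KEY} is empty")
    elif token.startswith(TEMPLATE_PLACEHOLDER_PREFIX):
        findings.append("token still looks like the template placeholder")
    elif not re.fullmatch(r"[A-Za-z0-9_-]{30,}", token):
        findings.append("token contains unexpected characters or is too short")
    return findings


def check_file(path):
    """Check file permissions (certbot expects 0600) and then the content."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {oct(mode)} is readable by group/others; use 0600")
    with open(path, encoding="utf-8") as fh:
        findings.extend(check_content(parse_credentials(fh.read())))
    return findings


def write_sample(text, mode=0o600):
    """Write constructed sample content to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="credentials-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed samples: untouched template, legacy global key, and a filled-in token.
    samples = {
        "template": ("# Cloudflare API token\ndns_cloudflare_api_token=0123456789abcdef0123456789abcdef01234567\n", 0o600),
        "legacy": ("dns_cloudflare_email = user@example.invalid\ndns_cloudflare_api_key = notarealkey\n", 0o600),
        "token-but-world-readable": ("dns_cloudflare_api_token = " + "A" * 40 + "\n", 0o644),
        "token": ("dns_cloudflare_api_token = " + "A" * 40 + "\n", 0o600),
    }
    for name, (text, mode) in samples.items():
        print(name, "->", check_file(write_sample(text, mode)) or ["ok"])
```

Run it against the file NPM writes under `/etc/letsencrypt/credentials/` to see which of the three common mistakes (placeholder left in, global key instead of token, loose permissions) applies before re-running the certificate request.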

rmensing commented 3 years ago

@chris1668 My first suggestion would be to try using the official Docker container, jc21/nginx-proxy-manager, because it is already set up to run certbot as well as being more current than the other. The official container right now was updated 8 days ago and the one you are using is a month old.

I am not a dev on this, just another user like you :) but, to me, it looks like there is a problem with permissions in the container, so the app is unable to write to a file it needs. This is why I suggest trying the official container.

magicman32 commented 3 years ago

OK, so I was able to create an SSL cert, but when I go to the host address I get "welcome to our server". Confused, not sure if I have missed something.

magicman32 commented 3 years ago

@rmensing

rmensing commented 3 years ago

Not certain, but it sounds like you are ending up on the non-SSL (HTTP) page. You should be able to tell by whether it has the lock icon before the URL in the address bar.

Why it is doing this is dependent on the server you are proxying and its configuration and possibly other factors.

As a basic example: I have servers that only serve content unsecured on port 80 or some other port, so I set the Forward Hostname/IP and Forward Port to those.

I have some that only serve content on a secure port (443) already, so I use that port on the Forward Port. On some of these I have had the server show the default web server welcome page on port 80 and the actual content on port 443. This is what it seems like it could be to me.